Reviewers: Hablich,

Description:
Version 4.3.61.14 (cherry-pick)

Merged 6b59e1f1556a524901aeaa75dc153df21f13f48c

Don't crash when reporting an access check failure for a detached global proxy

BUG=chromium:475884
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/1101253003/

Base URL: https://chromium.googlesource.com/v8/[email protected]

Affected files (+16, -6 lines):
  M include/v8-version.h
  M src/isolate.cc


Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index 37e3b0b0739610d36add11a9a0d1ea193846b1d5..d940b6026c412d824871e86d6af47ed5f94b9807 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 3
 #define V8_BUILD_NUMBER 61
-#define V8_PATCH_LEVEL 13
+#define V8_PATCH_LEVEL 14

 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
Index: src/isolate.cc
diff --git a/src/isolate.cc b/src/isolate.cc
index 1cc7ac736d2275a33dece53ef51bbb77bcbad795..e9713dbec0742e8a2c2953bb7d11f7418c1d8648 100644
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -718,7 +718,9 @@ void Isolate::SetFailedAccessCheckCallback(

 static inline AccessCheckInfo* GetAccessCheckInfo(Isolate* isolate,
Handle<JSObject> receiver) {
- JSFunction* constructor = JSFunction::cast(receiver->map()->GetConstructor());
+  Object* maybe_constructor = receiver->map()->GetConstructor();
+  if (!maybe_constructor->IsJSFunction()) return NULL;
+  JSFunction* constructor = JSFunction::cast(maybe_constructor);
   if (!constructor->shared()->IsApiFunction()) return NULL;

   Object* data_obj =
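Review bot: The new `IsJSFunction()` guard on `maybe_constructor` carries no comment saying which receiver reaches this point with a non-function constructor, so a reader of GetAccessCheckInfo alone cannot tell whether the NULL return is a defensive catch-all or an expected case. The commit title suggests the detached global proxy is that case; a one-line comment above the check, `// A detached global proxy's map may not have a JSFunction constructor; treat it as having no access-check info.`, would preserve that knowledge at the call. GetAccessCheckInfo's body continues outside this hunk.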
@@ -729,11 +731,16 @@ static inline AccessCheckInfo* GetAccessCheckInfo(Isolate* isolate,
 }


+static void ThrowAccessCheckError(Isolate* isolate) {
+  Handle<String> message =
+      isolate->factory()->InternalizeUtf8String("no access");
+  isolate->ScheduleThrow(*isolate->factory()->NewTypeError(message));
+}
+
+
 void Isolate::ReportFailedAccessCheck(Handle<JSObject> receiver) {
   if (!thread_local_top()->failed_access_check_callback_) {
-    Handle<String> message = factory()->InternalizeUtf8String("no access");
-    ScheduleThrow(*factory()->NewTypeError(message));
-    return;
+    return ThrowAccessCheckError(this);
   }

   DCHECK(receiver->IsAccessCheckNeeded());
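Review bot: `return ThrowAccessCheckError(this);` returns the result of a void call from a void function; it is well-formed, but it reads as if the helper produced a value, and the same shape recurs in the next hunk. Splitting it as `ThrowAccessCheckError(this);` followed by `return;` keeps the early exit explicit in both places. The new helper also lacks a header comment; something like `// Schedules the TypeError used when an access check fails and neither a callback nor access-check info is available to report it.` would document the two call sites that now share it. ReportFailedAccessCheck's body continues past the end of this hunk.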
@@ -744,7 +751,10 @@ void Isolate::ReportFailedAccessCheck(Handle<JSObject> receiver) {
   Handle<Object> data;
   { DisallowHeapAllocation no_gc;
AccessCheckInfo* access_check_info = GetAccessCheckInfo(this, receiver);
-    if (!access_check_info) return;
+    if (!access_check_info) {
+      AllowHeapAllocation doesnt_matter_anymore;
+      return ThrowAccessCheckError(this);
+    }
     data = handle(access_check_info->data(), this);
   }
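Review bot: `AllowHeapAllocation doesnt_matter_anymore;` is introduced inside the `DisallowHeapAllocation no_gc` block without a comment, and the variable name does not explain why allocation becomes acceptable right there. The reason is visible from the hunk: the throw path calls ThrowAccessCheckError, whose NewTypeError allocates, and the function returns immediately afterwards so the no-allocation invariant is not needed further down; a comment such as `// Re-enable allocation: constructing the TypeError allocates, and we return before anything relies on no_gc.` would make that intent explicit. A more descriptive name, e.g. `allow_for_error`, would help the same way. ReportFailedAccessCheck starts before this hunk and continues after it.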


