Reviewers: Mads Ager,
Description:
Added extra checks to DefineOrRedefineAccessorProperty and
DefineOrRedefineDataProperty to guard against invalid input.
Added tests to object-define-property.js to test that it does not crash
on invalid input.
Please review this at http://codereview.chromium.org/572005
SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/
Affected files:
M src/runtime.cc
M test/mjsunit/object-define-property.js
Index: test/mjsunit/object-define-property.js
===================================================================
--- test/mjsunit/object-define-property.js (revision 3786)
+++ test/mjsunit/object-define-property.js (working copy)
@@ -27,8 +27,8 @@
// Tests the object.defineProperty method - ES 15.2.3.6
+// Flags: --allow-natives-syntax
-
// Check that an exception is thrown when null is passed as object.
try {
Object.defineProperty(null, null, null);
@@ -451,4 +451,49 @@
}
+// Test runtime calls to DefineOrRedefineDataProperty and
+// DefineOrRedefineAccessorProperty - make sure we don't
+// crash
+try {
+ %DefineOrRedefineAccessorProperty(0, 0, 0, 0, 0);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+try {
+ %DefineOrRedefineDataProperty(0, 0, 0, 0);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+try {
+ %DefineOrRedefineDataProperty(null, null, null, null);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+try {
+ %DefineOrRedefineAccessorProperty(null, null, null, null, null);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+try {
+ %DefineOrRedefineDataProperty({}, null, null, null);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+// Defining properties null should fail even when we have
+// other allowed values
+try {
+ %DefineOrRedefineAccessorProperty(null, 'foo', 0, func, 0);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+try {
+ %DefineOrRedefineDataProperty(null, 'foo', 0, 0);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
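Review bot: Each of the new try blocks asserts only inside its catch, so a call that returns without throwing (the runtime accepting a null or Smi receiver, the case being guarded) passes the test silently; the assertion belongs on the non-throwing path too, e.g. `%DefineOrRedefineDataProperty(null, null, null, null);` followed by `assertUnreachable();` inside the try, in all seven blocks. The cases also never combine a non-object, non-null receiver with an otherwise valid name, such as `%DefineOrRedefineDataProperty(0, 'foo', 0, 0);`, which is exactly the input the runtime.cc checks in this change (IsNull/IsUndefined) do not reject. `func` at the accessor call is not defined in this hunk; presumably it is declared earlier in the file, worth confirming. The `}` at the top of the hunk closes a block that starts before it.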
Index: src/runtime.cc
===================================================================
--- src/runtime.cc (revision 3794)
+++ src/runtime.cc (working copy)
@@ -2898,7 +2898,7 @@
CONVERT_CHECKED(Smi, flag_attr, args[4]);
int unchecked = flag_attr->value();
RUNTIME_ASSERT((unchecked & ~(READ_ONLY | DONT_ENUM | DONT_DELETE)) ==
0);
-
+ RUNTIME_ASSERT(!obj->IsNull());
LookupResult result;
obj->LocalLookupRealNamedProperty(name, &result);
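Review bot: The added `RUNTIME_ASSERT(!obj->IsNull());` rejects only null; undefined and non-object receivers such as a Smi or a string are not rejected here, and if `obj` is obtained through an unchecked `args.at<JSObject>(0)` the way the DefineOrRedefineDataProperty hunk below does it, such a value reaches `obj->LocalLookupRealNamedProperty(name, &result)` treated as a JSObject. How `obj` is declared is outside this hunk, so this is a question rather than a finding: if nothing above already checks the type, `RUNTIME_ASSERT(obj->IsJSObject());` (or `CONVERT_ARG_CHECKED(JSObject, obj, 0)` at the point the handle is taken) subsumes the IsNull check. The same gap applies to the DefineOrRedefineDataProperty hunk below, whose IsNull and IsUndefined asserts do not cover other non-JSObject receivers. The enclosing function begins before this hunk.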
@@ -2917,11 +2917,13 @@
static Object* Runtime_DefineOrRedefineDataProperty(Arguments args) {
ASSERT(args.length() == 4);
HandleScope scope;
- Handle<Object> obj = args.at<Object>(0);
+ Handle<JSObject> js_object = args.at<JSObject>(0);
Handle<Object> name = args.at<Object>(1);
Handle<Object> obj_value = args.at<Object>(2);
- Handle<JSObject> js_object = Handle<JSObject>::cast(obj);
Handle<String> key_string = Handle<String>::cast(name);
+ RUNTIME_ASSERT(!js_object->IsNull());
+ RUNTIME_ASSERT(!js_object->IsUndefined());
+ RUNTIME_ASSERT(name->IsString());
CONVERT_CHECKED(Smi, flag, args[3]);
int unchecked = flag->value();
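Review bot: `Handle<String> key_string = Handle<String>::cast(name);` is executed before `RUNTIME_ASSERT(name->IsString());`, so the cast is applied to a value that has not yet been validated; in a debug build the cast's own type check would presumably fail before the runtime assert can report the illegal access, and in release the order merely happens to be harmless because key_string is not used in between. Move the assert ahead of the cast: `RUNTIME_ASSERT(name->IsString());` then `Handle<String> key_string = Handle<String>::cast(name);`. The same ordering concern applies to `args.at<JSObject>(0)`, which is taken before the IsNull/IsUndefined asserts. The function body continues past the end of the hunk.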