Revision: 3798
Author: [email protected]
Date: Thu Feb 4 11:43:56 2010
Log: Added extra checks to DefineOrRedefineAccessorProperty and
DefineOrRedefineDataProperty so that invalid input is rejected.
Added tests to object-define-property.js to check that these runtime
functions do not crash on invalid input.
Review URL: http://codereview.chromium.org/572005
http://code.google.com/p/v8/source/detail?r=3798
Modified:
/branches/bleeding_edge/src/runtime.cc
/branches/bleeding_edge/test/mjsunit/object-define-property.js
=======================================
--- /branches/bleeding_edge/src/runtime.cc Thu Feb 4 03:28:03 2010
+++ /branches/bleeding_edge/src/runtime.cc Thu Feb 4 11:43:56 2010
@@ -2898,7 +2898,7 @@
CONVERT_CHECKED(Smi, flag_attr, args[4]);
int unchecked = flag_attr->value();
RUNTIME_ASSERT((unchecked & ~(READ_ONLY | DONT_ENUM | DONT_DELETE)) ==
0);
-
+ RUNTIME_ASSERT(!obj->IsNull());
LookupResult result;
obj->LocalLookupRealNamedProperty(name, &result);
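Review bot: The added `RUNTIME_ASSERT(!obj->IsNull());` excludes only null, and nothing in this hunk shows that `obj` has been type-checked before `obj->LocalLookupRealNamedProperty(name, &result)` runs. The function's opening lines are outside the hunk, so this may already be handled there. If `obj` is converted with a checked macro such as `CONVERT_ARG_CHECKED(JSObject, obj, 0);` (the form the next hunk uses), the null assert looks redundant and deserves a one-line comment saying why it is kept. If it is not, undefined or a Smi such as the `0` passed by the new test would still reach the lookup, and the checked conversion would be the more complete guard.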
@@ -2917,18 +2917,16 @@
static Object* Runtime_DefineOrRedefineDataProperty(Arguments args) {
ASSERT(args.length() == 4);
HandleScope scope;
- Handle<Object> obj = args.at<Object>(0);
- Handle<Object> name = args.at<Object>(1);
+ CONVERT_ARG_CHECKED(JSObject, js_object, 0);
+ CONVERT_ARG_CHECKED(String, name, 1);
Handle<Object> obj_value = args.at<Object>(2);
- Handle<JSObject> js_object = Handle<JSObject>::cast(obj);
- Handle<String> key_string = Handle<String>::cast(name);
-
+
CONVERT_CHECKED(Smi, flag, args[3]);
int unchecked = flag->value();
RUNTIME_ASSERT((unchecked & ~(READ_ONLY | DONT_ENUM | DONT_DELETE)) ==
0);
LookupResult result;
- js_object->LocalLookupRealNamedProperty(*key_string, &result);
+ js_object->LocalLookupRealNamedProperty(*name, &result);
PropertyAttributes attr = static_cast<PropertyAttributes>(unchecked);
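Review bot: The argument count in `Runtime_DefineOrRedefineDataProperty` is still guarded only by `ASSERT(args.length() == 4);`, which as far as I know is a debug-only check, while the rest of this hunk moves the argument validation to macros that stay active in release builds. If arity is not already enforced by whatever dispatches the runtime call (not visible here), `RUNTIME_ASSERT(args.length() == 4);` would be consistent with the new checks. A short comment above the conversions, e.g. `// Callable from script with --allow-natives-syntax, so every argument is validated.`, would record why the unchecked `Handle<JSObject>::cast` and `Handle<String>::cast` calls were replaced. The function body continues past the end of the hunk.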
@@ -2942,7 +2940,7 @@
PropertyDetails details = PropertyDetails(attr, NORMAL);
// New attributes - normalize to avoid writing to instance descriptor
js_object->NormalizeProperties(KEEP_INOBJECT_PROPERTIES, 0);
- return js_object->SetNormalizedProperty(*key_string, *obj_value,
details);
+ return js_object->SetNormalizedProperty(*name, *obj_value, details);
}
return Runtime::SetObjectProperty(js_object, name, obj_value, attr);
=======================================
--- /branches/bleeding_edge/test/mjsunit/object-define-property.js Wed Feb
3 05:10:03 2010
+++ /branches/bleeding_edge/test/mjsunit/object-define-property.js Thu Feb
4 11:43:56 2010
@@ -27,7 +27,7 @@
// Tests the object.defineProperty method - ES 15.2.3.6
-
+// Flags: --allow-natives-syntax
// Check that an exception is thrown when null is passed as object.
try {
@@ -451,4 +451,49 @@
}
-
+// Test runtime calls to DefineOrRedefineDataProperty and
+// DefineOrRedefineAccessorProperty - make sure we don't
+// crash
+try {
+ %DefineOrRedefineAccessorProperty(0, 0, 0, 0, 0);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+try {
+ %DefineOrRedefineDataProperty(0, 0, 0, 0);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+try {
+ %DefineOrRedefineDataProperty(null, null, null, null);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+try {
+ %DefineOrRedefineAccessorProperty(null, null, null, null, null);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+try {
+ %DefineOrRedefineDataProperty({}, null, null, null);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+// Defining properties null should fail even when we have
+// other allowed values
+try {
+ %DefineOrRedefineAccessorProperty(null, 'foo', 0, func, 0);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
+
+try {
+ %DefineOrRedefineDataProperty(null, 'foo', 0, 0);
+} catch (e) {
+ assertTrue(/illegal access/.test(e));
+}
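Review bot: Each of the seven new `try`/`catch` blocks asserts only inside `catch`, so a call that returns normally passes without any check. The comment above the last two cases says those calls should fail, which the test does not currently enforce. Recording the throw and asserting it afterwards would close the gap: `var threw = false;` before the `try`, `threw = true;` as the first statement in `catch`, and `assertTrue(threw);` after the block. `func` in the `%DefineOrRedefineAccessorProperty(null, 'foo', 0, func, 0)` case is defined outside this hunk, presumably earlier in the file.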