[v8-dev] Harden global variable accesses in the fast code generator. (issue595022)

Wed, 10 Feb 2010 05:21:10 -0800 

Reviewers: Mads Ager,

Description:
Harden global variable accesses in the fast code generator.

Explicitly check that global variables do not have accessors or
interceptors in the fast code generator syntax checker.

Please review this at http://codereview.chromium.org/595022

Affected files:
  M src/fast-codegen.cc
  M test/mjsunit/compiler/simple-global-access.js


Index: src/fast-codegen.cc
diff --git a/src/fast-codegen.cc b/src/fast-codegen.cc
index 19091dafa81bbd89f9951145d20388b238042b45..3d288de443662cd943ce7a4fac2ffc205e8abf34 100644 
--- a/src/fast-codegen.cc
+++ b/src/fast-codegen.cc
@@ -220,8 +220,16 @@ void FastCodeGenSyntaxChecker::VisitVariableProxy(VariableProxy* expr) { 
   if (info()->has_global_object()) {
     LookupResult lookup;
     info()->global_object()->Lookup(*expr->name(), &lookup);
-    if (!lookup.IsValid() || !lookup.IsDontDelete()) {
-      BAILOUT("Non-existing or deletable global variable");
+    if (!lookup.IsValid()) {
+      BAILOUT("Non-existing global variable");
+    }
+    // We do not handle global variables with accessors or interceptors.
+    if (lookup.type() != NORMAL) {
+      BAILOUT("Global variable with accessors or interceptors.");
+    }
+    // We do not handle deletable global variables.
+    if (!lookup.IsDontDelete()) {
+      BAILOUT("Deletable global variable");
     }
   }
 }
@@ -573,8 +581,10 @@ void FastCodeGenerator::VisitVariableProxy(VariableProxy* expr) { 
   ASSERT(info()->has_global_object());
   LookupResult lookup;
   info()->global_object()->Lookup(*expr->name(), &lookup);
-  // We only support DontDelete properties for now.
+ // We only support normal (non-accessor/interceptor) DontDelete properties 
+  // for now.
   ASSERT(lookup.IsValid());
+  ASSERT_EQ(NORMAL, lookup.type());
   ASSERT(lookup.IsDontDelete());
   Handle<Object> cell(info()->global_object()->GetPropertyCell(&lookup));

Index: test/mjsunit/compiler/simple-global-access.js
diff --git a/test/mjsunit/compiler/simple-global-access.js b/test/mjsunit/compiler/simple-global-access.js index 500f8d2e21f2863fd536033f59d84f2567006a2b..35746ba822831303a7026991bfce8679ee8ca993 100644 
--- a/test/mjsunit/compiler/simple-global-access.js
+++ b/test/mjsunit/compiler/simple-global-access.js
@@ -31,21 +31,23 @@
 var g1 = 42;
 var g2 = 43;
 var g3 = 44;
+this.__defineGetter__("g4", function () { return 45; });

 function f1() { this.x = this.y = this.z = g1; }
 function f2() { this.x = g1; this.y = g2; this.z = g3; }
+function f3() { this.x = g4; }

-var o = {x:0, y:0, z:0, m1:f1, m2:f2}
-
-o.m1();
+var o = { x:0, y:0, z:0, test1:f1, test2:f2, test3:f3 }

+o.test1();
 assertEquals(42, o.x);
 assertEquals(42, o.y);
 assertEquals(42, o.z);

-
-o.m2();
-
+o.test2();
 assertEquals(42, o.x);
 assertEquals(43, o.y);
 assertEquals(44, o.z);
+
+o.test3();
+assertEquals(45, o.x);


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

Reply via email to