Reviewers: Sven Panne,
Description:
Add more checks for native callback results.
[email protected]
BUG=
Please review this at https://chromiumcodereview.appspot.com/10928083/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/builtins.cc
M src/handles.cc
M src/objects-inl.h
M src/objects.h
M src/objects.cc
M src/stub-cache.cc
Index: src/builtins.cc
diff --git a/src/builtins.cc b/src/builtins.cc
index
6b0b7edd8a80f704318be827993e1d9ead43238d..ffaaf8b1ea43f10d9241b61cd27a1da9d9a6d297
100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -1149,6 +1149,7 @@ MUST_USE_RESULT static MaybeObject*
HandleApiCallHelper(
result = heap->undefined_value();
} else {
result = *reinterpret_cast<Object**>(*value);
+ result->VerifyApiCallResultType();
}
RETURN_IF_SCHEDULED_EXCEPTION(isolate);
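Review bot: The new `result->VerifyApiCallResultType();` runs before `RETURN_IF_SCHEDULED_EXCEPTION(isolate)`, whereas every other call site in this change (objects.cc, stub-cache.cc) verifies only after the scheduled-exception check has passed. In an ENABLE_EXTRA_CHECKS build a callback that schedules an exception and also hands back a non-empty handle to something that is not a JS value would abort here instead of propagating the exception; if that difference is not intended, move the call below the macro so the ordering is uniform across all sites. The second builtins.cc hunk (HandleApiCallAsFunctionOrConstructor) appears to verify ahead of its exception check in the same way. HandleApiCallHelper begins and ends outside this hunk.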
@@ -1225,6 +1226,7 @@ MUST_USE_RESULT static MaybeObject*
HandleApiCallAsFunctionOrConstructor(
result = heap->undefined_value();
} else {
result = *reinterpret_cast<Object**>(*value);
+ result->VerifyApiCallResultType();
}
}
// Check for exceptions and return result.
Index: src/handles.cc
diff --git a/src/handles.cc b/src/handles.cc
index
19db5eb021e109f06187bfc2d9c1d8c56d1fa978..6aa7a6a87639a893bc8c3e5f263f231ae069228d
100644
--- a/src/handles.cc
+++ b/src/handles.cc
@@ -561,6 +561,9 @@ v8::Handle<v8::Array>
GetKeysForNamedInterceptor(Handle<JSReceiver> receiver,
result = enum_fun(info);
}
}
+#if ENABLE_EXTRA_CHECKS
+ CHECK(result.IsEmpty() || v8::Utils::OpenHandle(*result)->IsJSObject());
+#endif
return result;
}
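Review bot: This hunk and the next (GetKeysForIndexedInterceptor) validate the enumerator result with a bare `CHECK(... IsJSObject())` under `#if ENABLE_EXTRA_CHECKS`, while the rest of the change routes the same kind of validation through the new Object::VerifyApiCallResultType, so the failure path and message differ between the two families of call sites. `IsJSObject()` is also looser than the `v8::Handle<v8::Array>` that the enumerator signature promises; presumably that is deliberate because the keys are consumed as a generic object, but a one-line comment such as `// Enumerators may return any JS object, not only an Array; only reject non-JS values.` would record the intent. GetKeysForNamedInterceptor begins outside this hunk.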
@@ -581,6 +584,9 @@ v8::Handle<v8::Array>
GetKeysForIndexedInterceptor(Handle<JSReceiver> receiver,
// Leaving JavaScript.
VMState state(isolate, EXTERNAL);
result = enum_fun(info);
+#if ENABLE_EXTRA_CHECKS
+ CHECK(result.IsEmpty() ||
v8::Utils::OpenHandle(*result)->IsJSObject());
+#endif
}
}
return result;
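Review bot: The added CHECK sits inside the block that holds `VMState state(isolate, EXTERNAL);`, so it executes while the isolate is still flagged as being outside JavaScript, whereas the matching check in GetKeysForNamedInterceptor above is placed after the enclosing braces. Moving the `#if ENABLE_EXTRA_CHECKS` block below the two closing braces, next to `return result;`, keeps the two interceptor paths identical and performs the object inspection once V8 is back in its own state. GetKeysForIndexedInterceptor begins outside this hunk.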
Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index
a7978338058b7e9b37dee0d0c17c90d734d04c1f..3b9bb0a13783fd6829bbffe3a678b6babeeb08c4
100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -1664,6 +1664,23 @@ bool Object::IsStringObjectWithCharacterAt(uint32_t
index) {
}
+
+void Object::VerifyApiCallResultType() {
+#if ENABLE_EXTRA_CHECKS
+ if (!(IsSmi() ||
+ IsString() ||
+ IsSpecObject() ||
+ IsHeapNumber() ||
+ IsUndefined() ||
+ IsTrue() ||
+ IsFalse() ||
+ IsNull())) {
+ FATAL("API call returned invalid object");
+ }
+#endif // ENABLE_EXTRA_CHECKS
+}
+
+
FixedArrayBase* FixedArrayBase::cast(Object* object) {
ASSERT(object->IsFixedArray() || object->IsFixedDoubleArray());
return reinterpret_cast<FixedArrayBase*>(object);
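Review bot: Object::VerifyApiCallResultType has no comment describing its contract, and because its body is compiled out unless ENABLE_EXTRA_CHECKS, readers of the new call sites cannot tell that it is a no-op in ordinary builds and must not be relied on there. A comment at the declaration in objects.h along the lines of `// ENABLE_EXTRA_CHECKS only: aborts unless this is a value an embedder callback may return (Smi, String, HeapNumber, spec object, undefined/true/false/null), so internal heap objects handed back by native code never flow into JS.` would make both points explicit. Whether `IsSpecObject()` covers every receiver type embedders can legitimately return is not visible here and is worth confirming against its definition.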
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
158de1452bd2b50e4e081950a0f1d276091cffc8..57882a4d20a0f8f3a64c9919c39d94c86f64df30
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -211,18 +211,7 @@ MaybeObject* JSObject::GetPropertyWithCallback(Object*
receiver,
return isolate->heap()->undefined_value();
}
Object* return_value = *v8::Utils::OpenHandle(*result);
-#if ENABLE_EXTRA_CHECKS
- if (!(return_value->IsSmi() ||
- return_value->IsString() ||
- return_value->IsSpecObject() ||
- return_value->IsHeapNumber() ||
- return_value->IsUndefined() ||
- return_value->IsTrue() ||
- return_value->IsFalse() ||
- return_value->IsNull())) {
- FATAL("API call returned invalid object");
- }
-#endif
+ return_value->VerifyApiCallResultType();
return return_value;
}
@@ -3805,7 +3794,9 @@ MaybeObject*
JSObject::DeletePropertyWithInterceptor(String* name) {
RETURN_IF_SCHEDULED_EXCEPTION(isolate);
if (!result.IsEmpty()) {
ASSERT(result->IsBoolean());
- return *v8::Utils::OpenHandle(*result);
+ Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+ result_internal->VerifyApiCallResultType();
+ return *result_internal;
}
}
MaybeObject* raw_result =
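Review bot: Here and in DeleteElementWithInterceptor the debug-only `ASSERT(result->IsBoolean())` still carries the real contract, while the new `VerifyApiCallResultType()` accepts any string, number or object, so an ENABLE_EXTRA_CHECKS release build will let a deleter that returns, say, a string through unchallenged. Promoting that assertion to a CHECK under ENABLE_EXTRA_CHECKS for the two deleter paths would make the extra check as strict as the declared `v8::Handle<v8::Boolean>` return type. Separately, the three-line `Handle<Object> result_internal = ...; result_internal->VerifyApiCallResultType(); return *result_internal;` sequence is repeated in the four following objects.cc hunks and in stub-cache.cc, while GetPropertyWithCallback above and builtins.cc work on a raw `Object*`; nothing in the verifier allocates, so `Object* result_internal = *v8::Utils::OpenHandle(*result); result_internal->VerifyApiCallResultType(); return result_internal;` (or a small static helper wrapping it) would keep every site in one form. DeletePropertyWithInterceptor begins and ends outside this hunk.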
@@ -3840,7 +3831,9 @@ MaybeObject*
JSObject::DeleteElementWithInterceptor(uint32_t index) {
RETURN_IF_SCHEDULED_EXCEPTION(isolate);
if (!result.IsEmpty()) {
ASSERT(result->IsBoolean());
- return *v8::Utils::OpenHandle(*result);
+ Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+ result_internal->VerifyApiCallResultType();
+ return *result_internal;
}
MaybeObject* raw_result = this_handle->GetElementsAccessor()->Delete(
*this_handle,
@@ -9133,7 +9126,9 @@ MaybeObject* JSObject::GetElementWithCallback(Object*
receiver,
}
RETURN_IF_SCHEDULED_EXCEPTION(isolate);
if (result.IsEmpty()) return isolate->heap()->undefined_value();
- return *v8::Utils::OpenHandle(*result);
+ Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+ result_internal->VerifyApiCallResultType();
+ return *result_internal;
}
// __defineGetter__ callback
@@ -9952,7 +9947,11 @@ MaybeObject*
JSObject::GetElementWithInterceptor(Object* receiver,
result = getter(index, info);
}
RETURN_IF_SCHEDULED_EXCEPTION(isolate);
- if (!result.IsEmpty()) return *v8::Utils::OpenHandle(*result);
+ if (!result.IsEmpty()) {
+ Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+ result_internal->VerifyApiCallResultType();
+ return *result_internal;
+ }
}
Heap* heap = holder_handle->GetHeap();
@@ -10254,7 +10253,9 @@ MaybeObject* JSObject::GetPropertyWithInterceptor(
RETURN_IF_SCHEDULED_EXCEPTION(isolate);
if (!result.IsEmpty()) {
*attributes = NONE;
- return *v8::Utils::OpenHandle(*result);
+ Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+ result_internal->VerifyApiCallResultType();
+ return *result_internal;
}
}
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index
02d3ec2e97cea4e260cd35d333e4972ddc06cc9d..9b33a4326c373b6508d2c097ed97e947b8a0776b
100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -970,6 +970,8 @@ class Object : public MaybeObject {
static void VerifyPointer(Object* p);
#endif
+ inline void VerifyApiCallResultType();
+
// Prints this object without details.
inline void ShortPrint() {
ShortPrint(stdout);
Index: src/stub-cache.cc
diff --git a/src/stub-cache.cc b/src/stub-cache.cc
index
82e2583672271c1d9b5642752a1617abf1940df5..411914719ccccb13261fbda9b581e8c76d10a45b
100644
--- a/src/stub-cache.cc
+++ b/src/stub-cache.cc
@@ -1005,7 +1005,9 @@ RUNTIME_FUNCTION(MaybeObject*, LoadCallbackProperty) {
}
RETURN_IF_SCHEDULED_EXCEPTION(isolate);
if (result.IsEmpty()) return HEAP->undefined_value();
- return *v8::Utils::OpenHandle(*result);
+ Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+ result_internal->VerifyApiCallResultType();
+ return *result_internal;
}
@@ -1070,6 +1072,8 @@ RUNTIME_FUNCTION(MaybeObject*,
LoadPropertyWithInterceptorOnly) {
}
RETURN_IF_SCHEDULED_EXCEPTION(isolate);
if (!r.IsEmpty()) {
+ Handle<Object> result = v8::Utils::OpenHandle(*r);
+ result->VerifyApiCallResultType();
return *v8::Utils::OpenHandle(*r);
}
}
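Review bot: After opening `r` into `result` and verifying it, the return on the next line still re-opens the handle with `return *v8::Utils::OpenHandle(*r);` instead of using the local, unlike the LoadWithInterceptor hunk below which returns `*result`. Replace it with `return *result;` so the verified object and the returned object are visibly the same value. LoadPropertyWithInterceptorOnly begins outside this hunk and appears to continue past it.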
@@ -1126,7 +1130,9 @@ static MaybeObject* LoadWithInterceptor(Arguments*
args,
RETURN_IF_SCHEDULED_EXCEPTION(isolate);
if (!r.IsEmpty()) {
*attrs = NONE;
- return *v8::Utils::OpenHandle(*r);
+ Handle<Object> result = v8::Utils::OpenHandle(*r);
+ result->VerifyApiCallResultType();
+ return *result;
}
}