Reviewers: Yang,
Description:
Fix casting error for receiver of interceptors.
This fixes a casting error that occurred when the receiver of a missed
or uninitialized CallIC is a Smi and there is an interceptor installed
on the prototype chain.
[email protected]
BUG=chromium:144230
TEST=cctest/test-api/Regress149912
Please review this at https://chromiumcodereview.appspot.com/10914317/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/objects.h
M src/objects.cc
M test/cctest/test-api.cc
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
cbef145d971a84c9c601234b0241337b3dae2f2e..d9e8b8b04d0f79781b54c2858fe4b7291608924f
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -651,11 +651,9 @@ MaybeObject* Object::GetProperty(Object* receiver,
receiver, result->GetCallbackObject(), name);
case HANDLER:
return result->proxy()->GetPropertyWithHandler(receiver, name);
- case INTERCEPTOR: {
- JSObject* recvr = JSObject::cast(receiver);
+ case INTERCEPTOR:
return result->holder()->GetPropertyWithInterceptor(
- recvr, name, attributes);
- }
+ receiver, name, attributes);
case TRANSITION:
case NONEXISTENT:
UNREACHABLE();
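Review bot: The INTERCEPTOR case now forwards `receiver` uncast, but nothing at the call site records why, so a later cleanup could reintroduce the `JSObject::cast`. Per the description the receiver can be a Smi when an interceptor sits on the prototype chain, and as far as I know the `cast` helpers only assert in debug builds, so in release the old code would have treated a tagged integer as a heap object pointer. I would add `// receiver may be a Smi here; it must not be cast to JSObject.` above the call, and state the same contract on the three `Object* receiver` declarations in src/objects.h. The switch starts and ends outside this hunk, so whether any other case narrows `receiver` the same way needs a separate look.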
@@ -10483,7 +10481,7 @@ InterceptorInfo* JSObject::GetIndexedInterceptor() {
MaybeObject* JSObject::GetPropertyPostInterceptor(
- JSReceiver* receiver,
+ Object* receiver,
String* name,
PropertyAttributes* attributes) {
// Check local property in holder, ignore interceptor.
@@ -10501,7 +10499,7 @@ MaybeObject* JSObject::GetPropertyPostInterceptor(
MaybeObject* JSObject::GetLocalPropertyPostInterceptor(
- JSReceiver* receiver,
+ Object* receiver,
String* name,
PropertyAttributes* attributes) {
// Check local property in holder, ignore interceptor.
@@ -10515,13 +10513,13 @@ MaybeObject*
JSObject::GetLocalPropertyPostInterceptor(
MaybeObject* JSObject::GetPropertyWithInterceptor(
- JSReceiver* receiver,
+ Object* receiver,
String* name,
PropertyAttributes* attributes) {
Isolate* isolate = GetIsolate();
InterceptorInfo* interceptor = GetNamedInterceptor();
HandleScope scope(isolate);
- Handle<JSReceiver> receiver_handle(receiver);
+ Handle<Object> receiver_handle(receiver);
Handle<JSObject> holder_handle(this);
Handle<String> name_handle(name);
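Review bot: `receiver_handle` is now a `Handle<Object>` that can hold a Smi, and the rest of GetPropertyWithInterceptor, which lies outside this hunk, decides where that value goes. If it is handed to the embedder's named getter as the callback's `This()` (presumably it is; confirm), the callback receives something typed as a `v8::Object` that is not a heap object, which moves the type confusion from V8 into embedder code. I would either document in the interceptor API that `This()` may be a primitive receiver, or convert the receiver to its wrapper object before the callback is invoked. The same question applies to GetPropertyPostInterceptor and GetLocalPropertyPostInterceptor, whose bodies are also outside their hunks.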
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index
c2220860b779f7f9ae710adc273046f1e7aabf82..be25736b13254b42451212697d58fdf5c5aa2f3e
100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -1687,15 +1687,15 @@ class JSObject: public JSReceiver {
String* name,
PropertyAttributes* attributes);
MUST_USE_RESULT MaybeObject* GetPropertyWithInterceptor(
- JSReceiver* receiver,
+ Object* receiver,
String* name,
PropertyAttributes* attributes);
MUST_USE_RESULT MaybeObject* GetPropertyPostInterceptor(
- JSReceiver* receiver,
+ Object* receiver,
String* name,
PropertyAttributes* attributes);
MUST_USE_RESULT MaybeObject* GetLocalPropertyPostInterceptor(
- JSReceiver* receiver,
+ Object* receiver,
String* name,
PropertyAttributes* attributes);
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index
7ba9e639ae26b994505959249561dcaa81575a0a..cb1a7a29dd287c220a8b3a9e0c70e3d85a50f768
100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -17469,6 +17469,16 @@ THREADED_TEST(Regress137496) {
}
+THREADED_TEST(Regress149912) {
+ v8::HandleScope scope;
+ LocalContext context;
+ Handle<FunctionTemplate> templ = FunctionTemplate::New();
+ AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter);
+ context->Global()->Set(v8_str("Bug"), templ->GetFunction());
+ CompileRun("Number.prototype.__proto__ = new Bug; var x = 0; x.foo();");
+}
+
+
#ifndef WIN32
class ThreadInterruptTest {
public:
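Review bot: Regress149912 passes only by not crashing, and it exercises a single path: one named call on a Smi (`x.foo()`). The description covers both missed and uninitialized CallICs, so I would add a plain load and a repeated call so the IC leaves the uninitialized state, for example `CompileRun("var x = 0; x.foo; for (var i = 0; i < 3; i++) { try { x.foo(); } catch (e) {} }");`, plus a one-line comment saying this is a crash regression with no value assertions. The test name uses 149912 while the BUG= line says chromium:144230, so one of the two looks stale and should be reconciled. ThreadInterruptTest at the end of the hunk is context only and continues outside it.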