Revision: 12531 Author: [email protected] Date: Mon Sep 17 07:39:10 2012 Log: Fix casting error for receiver of interceptors.
This fixes a casting error that occured when the receiver of a missed or uninitialized CallIC is a Smi and there is an interceptor installed on the prototype chain. [email protected] BUG=chromium:149912 TEST=cctest/test-api/Regress149912 Review URL: https://codereview.chromium.org/10914317 http://code.google.com/p/v8/source/detail?r=12531 Modified: /branches/bleeding_edge/src/objects.cc /branches/bleeding_edge/src/objects.h /branches/bleeding_edge/test/cctest/test-api.cc ======================================= --- /branches/bleeding_edge/src/objects.cc Fri Sep 14 08:10:31 2012 +++ /branches/bleeding_edge/src/objects.cc Mon Sep 17 07:39:10 2012 @@ -651,11 +651,9 @@ receiver, result->GetCallbackObject(), name); case HANDLER: return result->proxy()->GetPropertyWithHandler(receiver, name); - case INTERCEPTOR: { - JSObject* recvr = JSObject::cast(receiver); + case INTERCEPTOR: return result->holder()->GetPropertyWithInterceptor( - recvr, name, attributes); - } + receiver, name, attributes); case TRANSITION: case NONEXISTENT: UNREACHABLE(); @@ -10483,7 +10481,7 @@ MaybeObject* JSObject::GetPropertyPostInterceptor( - JSReceiver* receiver, + Object* receiver, String* name, PropertyAttributes* attributes) { // Check local property in holder, ignore interceptor. @@ -10501,7 +10499,7 @@ MaybeObject* JSObject::GetLocalPropertyPostInterceptor( - JSReceiver* receiver, + Object* receiver, String* name, PropertyAttributes* attributes) { // Check local property in holder, ignore interceptor. @@ -10515,13 +10513,13 @@ MaybeObject* JSObject::GetPropertyWithInterceptor( - JSReceiver* receiver, + Object* receiver, String* name, PropertyAttributes* attributes) { Isolate* isolate = GetIsolate(); InterceptorInfo* interceptor = GetNamedInterceptor(); HandleScope scope(isolate); - Handle<JSReceiver> receiver_handle(receiver); + Handle<Object> receiver_handle(receiver); Handle<JSObject> holder_handle(this); Handle<String> name_handle(name); ======================================= --- /branches/bleeding_edge/src/objects.h Fri Sep 14 08:10:31 2012 +++ /branches/bleeding_edge/src/objects.h Mon Sep 17 07:39:10 2012 @@ -1687,15 +1687,15 @@ String* name, PropertyAttributes* attributes); MUST_USE_RESULT MaybeObject* GetPropertyWithInterceptor( - JSReceiver* receiver, + Object* receiver, String* name, PropertyAttributes* attributes); MUST_USE_RESULT MaybeObject* GetPropertyPostInterceptor( - JSReceiver* receiver, + Object* receiver, String* name, PropertyAttributes* attributes); MUST_USE_RESULT MaybeObject* GetLocalPropertyPostInterceptor( - JSReceiver* receiver, + Object* receiver, String* name, PropertyAttributes* attributes); ======================================= --- /branches/bleeding_edge/test/cctest/test-api.cc Mon Sep 17 02:58:22 2012 +++ /branches/bleeding_edge/test/cctest/test-api.cc Mon Sep 17 07:39:10 2012 @@ -17467,6 +17467,16 @@ CompileRun("try { throw new Error(); } finally { gc(); }"); CHECK(try_catch.HasCaught()); } + + +THREADED_TEST(Regress149912) { + v8::HandleScope scope; + LocalContext context; + Handle<FunctionTemplate> templ = FunctionTemplate::New(); + AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter); + context->Global()->Set(v8_str("Bug"), templ->GetFunction()); + CompileRun("Number.prototype.__proto__ = new Bug; var x = 0; x.foo();"); +} #ifndef WIN32 -- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev
