[v8-dev] Do not call user defined getter of Error.stackTraceLimit. (issue 233243005)

Fri, 11 Apr 2014 05:49:34 -0700 

Reviewers: Yang,

Message:
PTAL

Description:
Do not call user defined getter of Error.stackTraceLimit.

Handlify GetNormalizedProperty.

BUG=360733
LOG=N

Please review this at https://codereview.chromium.org/233243005/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+66, -30 lines):
  M src/isolate.cc
  M src/objects.h
  M src/objects.cc
  M src/runtime.cc
  A + test/mjsunit/regress/regress-360733.js


Index: src/isolate.cc
diff --git a/src/isolate.cc b/src/isolate.cc
index 94fee79b7658556788f4dc5f23e12ac91b7caed6..661b9e601d283c94845408fa800a2311adf4cc54 100644 
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -859,9 +859,13 @@ Failure* Isolate::StackOverflow() {
   Handle<Object> error =
       GetProperty(js_builtins_object(), "$Error").ToHandleChecked();
   if (!error->IsJSObject()) return Failure::Exception();
+
+  Handle<String> stackTraceLimit =
+      factory()->InternalizeUtf8String("stackTraceLimit");
+  ASSERT(!stackTraceLimit.is_null());
   Handle<Object> stack_trace_limit =
-      GetProperty(
- Handle<JSObject>::cast(error), "stackTraceLimit").ToHandleChecked(); 
+      JSObject::GetDataProperty(Handle<JSObject>::cast(error),
+                                stackTraceLimit);
   if (!stack_trace_limit->IsNumber()) return Failure::Exception();
   double dlimit = stack_trace_limit->Number();
   int limit = std::isnan(dlimit) ? 0 : static_cast<int>(dlimit);
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index 99b5944c811d1d77199f44d5ffe7b069b9962b10..2e5930f6d412a863aaa5f5aed3acb6706e653f76 100644 
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -695,6 +695,20 @@ Object* JSObject::GetNormalizedProperty(const LookupResult* result) { 
 }


+Handle<Object> JSObject::GetNormalizedProperty(Handle<JSObject> object,
+ const LookupResult* result) { 
+  ASSERT(!object->HasFastProperties());
+  Isolate* isolate = object->GetIsolate();
+  Handle<Object> value(object->property_dictionary()->ValueAt(
+      result->GetDictionaryEntry()), isolate);
+  if (object->IsGlobalObject()) {
+ value = Handle<Object>(Handle<PropertyCell>::cast(value)->value(), isolate); 
+  }
+  ASSERT(!value->IsPropertyCell() && !value->IsCell());
+  return value;
+}
+
+
 void JSObject::SetNormalizedProperty(Handle<JSObject> object,
                                      const LookupResult* result,
                                      Handle<Object> value) {
@@ -5933,6 +5947,41 @@ Handle<JSObject> JSObject::DeepCopy(Handle<JSObject> object, 
 }


+Handle<Object> JSObject::GetDataProperty(Handle<JSObject> object,
+                                         Handle<Name> key) {
+  Isolate* isolate = object->GetIsolate();
+  LookupResult lookup(isolate);
+  {
+    DisallowHeapAllocation no_allocation;
+    object->LookupRealNamedProperty(*key, &lookup);
+  }
+  Handle<Object> result = isolate->factory()->undefined_value();
+  if (lookup.IsFound() && !lookup.IsTransition()) {
+    switch (lookup.type()) {
+      case NORMAL:
+        result = GetNormalizedProperty(
+            Handle<JSObject>(lookup.holder(), isolate), &lookup);
+        break;
+      case FIELD:
+        result = FastPropertyAt(Handle<JSObject>(lookup.holder(), isolate),
+                                lookup.representation(),
+                                lookup.GetFieldIndex().field_index());
+        break;
+      case CONSTANT:
+        result = Handle<Object>(lookup.GetConstant(), isolate);
+        break;
+      case CALLBACKS:
+      case HANDLER:
+      case INTERCEPTOR:
+        break;
+      case NONEXISTENT:
+        UNREACHABLE();
+    }
+  }
+  return result;
+}
+
+
 // Tests for the fast common case for property enumeration:
 // - This object and all prototypes has an enum cache (which means that
 //   it is no proxy, has no interceptors and needs no access checks).
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index a86017528c960b8831626d9952a33c470a4e3dcd..0dc5d62be78c0058ff87718fd4a86ae9c6609980 100644 
--- a/src/objects.h
+++ b/src/objects.h
@@ -2322,6 +2322,8 @@ class JSObject: public JSReceiver {
   // Retrieve a value in a normalized object given a lookup result.
   // Handles the special representation of JS global objects.
   Object* GetNormalizedProperty(const LookupResult* result);
+  static Handle<Object> GetNormalizedProperty(Handle<JSObject> object,
+                                              const LookupResult* result);

   // Sets the property value in a normalized object given a lookup result.
   // Handles the special representation of JS global objects.
@@ -2673,6 +2675,9 @@ class JSObject: public JSReceiver {
   static Handle<JSObject> DeepWalk(Handle<JSObject> object,
AllocationSiteCreationContext* site_context); 

+  static Handle<Object> GetDataProperty(Handle<JSObject> object,
+                                        Handle<Name> key);
+
   // Casting.
   static inline JSObject* cast(Object* obj);

Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index 53b18e8e178a5c1f003301d469c74db0a5e694e5..dc4bc9cd0fa1a7daa01be54e03bfb77757690385 100644 
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -5201,31 +5201,11 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_DefineOrRedefineDataProperty) { 

 // Return property without being observable by accessors or interceptors.
 RUNTIME_FUNCTION(MaybeObject*, Runtime_GetDataProperty) {
-  SealHandleScope shs(isolate);
+  HandleScope scope(isolate);
   ASSERT(args.length() == 2);
   CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
   CONVERT_ARG_HANDLE_CHECKED(Name, key, 1);
-  LookupResult lookup(isolate);
-  object->LookupRealNamedProperty(*key, &lookup);
-  if (lookup.IsFound() && !lookup.IsTransition()) {
-    switch (lookup.type()) {
-      case NORMAL:
-        return lookup.holder()->GetNormalizedProperty(&lookup);
-      case FIELD:
-        return lookup.holder()->FastPropertyAt(
-            lookup.representation(),
-            lookup.GetFieldIndex().field_index());
-      case CONSTANT:
-        return lookup.GetConstant();
-      case CALLBACKS:
-      case HANDLER:
-      case INTERCEPTOR:
-        break;
-      case NONEXISTENT:
-        UNREACHABLE();
-    }
-  }
-  return isolate->heap()->undefined_value();
+  return *JSObject::GetDataProperty(object, key);
 }


Index: test/mjsunit/regress/regress-360733.js
diff --git a/test/mjsunit/regress/regress-347542.js b/test/mjsunit/regress/regress-360733.js 
similarity index 56%
copy from test/mjsunit/regress/regress-347542.js
copy to test/mjsunit/regress/regress-360733.js
index 901d798fb7fbea45f0d9f3d8ba6c7a9846bf6dd6..172cc00696dcdaad6bd5ae62bd3a9226b219f546 100644 
--- a/test/mjsunit/regress/regress-347542.js
+++ b/test/mjsunit/regress/regress-360733.js
@@ -2,10 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-// Flags: --allow-natives-syntax
+// Flags: --stack_size=150

-function foo() {}
-foo();
-%OptimizeFunctionOnNextCall(foo);
-foo();
-%NeverOptimizeFunction(foo);
+function __f_9(a) { __f_9(a+1); }
+Error.__defineGetter__('stackTraceLimit', function() { });
+  __f_9(0);


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to