Revision: 20691
Author: [email protected]
Date: Fri Apr 11 13:16:36 2014 UTC
Log: Do not call user defined getter of Error.stackTraceLimit.
Handlify GetNormalizedProperty.
BUG=360733
LOG=N
[email protected]
Review URL: https://codereview.chromium.org/233243005
http://code.google.com/p/v8/source/detail?r=20691
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-360733.js
Modified:
/branches/bleeding_edge/src/isolate.cc
/branches/bleeding_edge/src/objects.cc
/branches/bleeding_edge/src/objects.h
/branches/bleeding_edge/src/runtime.cc
=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-360733.js Fri Apr
11 13:16:36 2014 UTC
@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --stack_size=150
+
+function f(a) {
+ f(a + 1);
+}
+
+Error.__defineGetter__('stackTraceLimit', function() { });
+try {
+ f(0);
+} catch (e) { }
=======================================
--- /branches/bleeding_edge/src/isolate.cc Fri Apr 11 12:47:34 2014 UTC
+++ /branches/bleeding_edge/src/isolate.cc Fri Apr 11 13:16:36 2014 UTC
@@ -859,9 +859,13 @@
Handle<Object> error =
GetProperty(js_builtins_object(), "$Error").ToHandleChecked();
if (!error->IsJSObject()) return Failure::Exception();
+
+ Handle<String> stackTraceLimit =
+ factory()->InternalizeUtf8String("stackTraceLimit");
+ ASSERT(!stackTraceLimit.is_null());
Handle<Object> stack_trace_limit =
- GetProperty(
-
Handle<JSObject>::cast(error), "stackTraceLimit").ToHandleChecked();
+ JSObject::GetDataProperty(Handle<JSObject>::cast(error),
+ stackTraceLimit);
if (!stack_trace_limit->IsNumber()) return Failure::Exception();
double dlimit = stack_trace_limit->Number();
int limit = std::isnan(dlimit) ? 0 : static_cast<int>(dlimit);
=======================================
--- /branches/bleeding_edge/src/objects.cc Fri Apr 11 12:47:34 2014 UTC
+++ /branches/bleeding_edge/src/objects.cc Fri Apr 11 13:16:36 2014 UTC
@@ -630,6 +630,20 @@
ASSERT(!value->IsPropertyCell() && !value->IsCell());
return value;
}
+
+
+Handle<Object> JSObject::GetNormalizedProperty(Handle<JSObject> object,
+ const LookupResult* result)
{
+ ASSERT(!object->HasFastProperties());
+ Isolate* isolate = object->GetIsolate();
+ Handle<Object> value(object->property_dictionary()->ValueAt(
+ result->GetDictionaryEntry()), isolate);
+ if (object->IsGlobalObject()) {
+ value = Handle<Object>(Handle<PropertyCell>::cast(value)->value(),
isolate);
+ }
+ ASSERT(!value->IsPropertyCell() && !value->IsCell());
+ return value;
+}
void JSObject::SetNormalizedProperty(Handle<JSObject> object,
@@ -5954,6 +5968,41 @@
ASSERT(!copy.is_identical_to(object));
return copy;
}
+
+
+Handle<Object> JSObject::GetDataProperty(Handle<JSObject> object,
+ Handle<Name> key) {
+ Isolate* isolate = object->GetIsolate();
+ LookupResult lookup(isolate);
+ {
+ DisallowHeapAllocation no_allocation;
+ object->LookupRealNamedProperty(*key, &lookup);
+ }
+ Handle<Object> result = isolate->factory()->undefined_value();
+ if (lookup.IsFound() && !lookup.IsTransition()) {
+ switch (lookup.type()) {
+ case NORMAL:
+ result = GetNormalizedProperty(
+ Handle<JSObject>(lookup.holder(), isolate), &lookup);
+ break;
+ case FIELD:
+ result = FastPropertyAt(Handle<JSObject>(lookup.holder(), isolate),
+ lookup.representation(),
+ lookup.GetFieldIndex().field_index());
+ break;
+ case CONSTANT:
+ result = Handle<Object>(lookup.GetConstant(), isolate);
+ break;
+ case CALLBACKS:
+ case HANDLER:
+ case INTERCEPTOR:
+ break;
+ case NONEXISTENT:
+ UNREACHABLE();
+ }
+ }
+ return result;
+}
// Tests for the fast common case for property enumeration:
=======================================
--- /branches/bleeding_edge/src/objects.h Fri Apr 11 12:47:34 2014 UTC
+++ /branches/bleeding_edge/src/objects.h Fri Apr 11 13:16:36 2014 UTC
@@ -2303,6 +2303,8 @@
// Retrieve a value in a normalized object given a lookup result.
// Handles the special representation of JS global objects.
Object* GetNormalizedProperty(const LookupResult* result);
+ static Handle<Object> GetNormalizedProperty(Handle<JSObject> object,
+ const LookupResult* result);
// Sets the property value in a normalized object given a lookup result.
// Handles the special representation of JS global objects.
@@ -2654,6 +2656,9 @@
static Handle<JSObject> DeepWalk(Handle<JSObject> object,
AllocationSiteCreationContext*
site_context);
+ static Handle<Object> GetDataProperty(Handle<JSObject> object,
+ Handle<Name> key);
+
// Casting.
static inline JSObject* cast(Object* obj);
=======================================
--- /branches/bleeding_edge/src/runtime.cc Fri Apr 11 12:47:34 2014 UTC
+++ /branches/bleeding_edge/src/runtime.cc Fri Apr 11 13:16:36 2014 UTC
@@ -5201,31 +5201,11 @@
// Return property without being observable by accessors or interceptors.
RUNTIME_FUNCTION(MaybeObject*, Runtime_GetDataProperty) {
- SealHandleScope shs(isolate);
+ HandleScope scope(isolate);
ASSERT(args.length() == 2);
CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
CONVERT_ARG_HANDLE_CHECKED(Name, key, 1);
- LookupResult lookup(isolate);
- object->LookupRealNamedProperty(*key, &lookup);
- if (lookup.IsFound() && !lookup.IsTransition()) {
- switch (lookup.type()) {
- case NORMAL:
- return lookup.holder()->GetNormalizedProperty(&lookup);
- case FIELD:
- return lookup.holder()->FastPropertyAt(
- lookup.representation(),
- lookup.GetFieldIndex().field_index());
- case CONSTANT:
- return lookup.GetConstant();
- case CALLBACKS:
- case HANDLER:
- case INTERCEPTOR:
- break;
- case NONEXISTENT:
- UNREACHABLE();
- }
- }
- return isolate->heap()->undefined_value();
+ return *JSObject::GetDataProperty(object, key);
}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
