
Commit 5c8cb16

isheludkoCommit bot
authored andcommitted
[ic] Don't call LookupIterator::GetStoreTarget() when receiver is not a JSReceiver.
BUG=chromium:619166,chromium:625155 Review-Url: https://codereview.chromium.org/2175273002 Cr-Commit-Position: refs/heads/master@{#38018}
1 parent b54e49a commit 5c8cb16

3 files changed

Lines changed: 28 additions & 4 deletions


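--- a/src/lookup.h
+++ b/src/lookup.h
@@ -176,6 +176,7 @@ class LookupIterator final BASE_EMBEDDED {
 Handle<Object> GetReceiver() const { return receiver_; }
 
 Handle<JSObject> GetStoreTarget() const {
+DCHECK(receiver_->IsJSObject());
 if (receiver_->IsJSGlobalProxy()) {
 Map* map = JSGlobalProxy::cast(*receiver_)->map();
 if (map->has_hidden_prototype()) {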
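Review bot: The added DCHECK in GetStoreTarget() is compiled out of release builds, so the precondition it states is enforced only where callers check `GetReceiver()->IsJSObject()` themselves; the declaration should say so, e.g. `// Precondition: receiver_ is a JSObject. Callers must check GetReceiver()->IsJSObject() first.` Note also that the commit title speaks of JSReceiver while the check is IsJSObject, which excludes JSProxy receivers — if that narrowing is intended, the comment should name JSObject explicitly so the two are not confused later. GetStoreTarget()'s body continues outside the hunk.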

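--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4374,15 +4374,18 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
 value, it->GetReceiver(), language_mode);
 
 case LookupIterator::INTERCEPTOR: {
-Handle<Map> store_target_map =
-handle(it->GetStoreTarget()->map(), it->isolate());
+Handle<Map> store_target_map;
+if (it->GetReceiver()->IsJSObject()) {
+store_target_map = handle(it->GetStoreTarget()->map(), it->isolate());
+}
 if (it->HolderIsReceiverOrHiddenPrototype()) {
 Maybe<bool> result =
 JSObject::SetPropertyWithInterceptor(it, should_throw, value);
 if (result.IsNothing() || result.FromJust()) return result;
 // Interceptor modified the store target but failed to set the
 // property.
-Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
+Utils::ApiCheck(store_target_map.is_null() ||
+*store_target_map == it->GetStoreTarget()->map(),
 it->IsElement() ? "v8::IndexedPropertySetterCallback"
 : "v8::NamedPropertySetterCallback",
 "Interceptor silently changed store target.");
@@ -4395,7 +4398,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
 }
 // Interceptor modified the store target but failed to set the
 // property.
-Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
+Utils::ApiCheck(store_target_map.is_null() ||
+*store_target_map == it->GetStoreTarget()->map(),
 it->IsElement() ? "v8::IndexedPropertySetterCallback"
 : "v8::NamedPropertySetterCallback",
 "Interceptor silently changed store target.");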
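Review bot: With a null store_target_map the "Interceptor silently changed store target." ApiCheck is now skipped entirely for non-JSObject receivers, in both this hunk and the second one at @@ -4395, so a setter interceptor reached through a primitive's prototype chain is no longer validated after it declines the store; the code reads as if that is deliberate, but nothing says so. A comment at the new `Handle<Map> store_target_map;` line would record the reasoning, e.g. `// Non-JSObject receivers have no store target to snapshot; a null map disables the tampering check below.` The short-circuit in `store_target_map.is_null() || ...` is what keeps GetStoreTarget() from being called on such receivers, which is worth one more clause in that comment since the DCHECK guarding it only fires in debug builds. SetPropertyInternal starts and ends outside the hunk.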

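--- a/test/cctest/test-api-interceptors.cc
+++ b/test/cctest/test-api-interceptors.cc
@@ -3292,6 +3292,25 @@ THREADED_TEST(Regress149912) {
 CompileRun("Number.prototype.__proto__ = new Bug; var x = 0; x.foo();");
 }
 
+THREADED_TEST(Regress625155) {
+LocalContext context;
+v8::HandleScope scope(context->GetIsolate());
+Local<FunctionTemplate> templ = FunctionTemplate::New(context->GetIsolate());
+AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter);
+context->Global()
+->Set(context.local(), v8_str("Bug"),
+templ->GetFunction(context.local()).ToLocalChecked())
+.FromJust();
+CompileRun(
+"Number.prototype.__proto__ = new Bug;"
+"var x;"
+"x = 0xdead;"
+"x.boom = 0;"
+"x = 's';"
+"x.boom = 0;"
+"x = 1.5;"
+"x.boom = 0;");
+}
 
 THREADED_TEST(Regress125988) {
 v8::HandleScope scope(CcTest::isolate());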
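Review bot: Regress625155 asserts nothing and has no comment, so a reader cannot tell that it is a crash-regression test for stores on primitive receivers whose prototype chain carries an interceptor; a one-line comment above the test stating that would help, e.g. `// Regression test for chromium:625155: a property store on a primitive receiver must not reach GetStoreTarget() via the interceptor path.` The setup only rewires Number.prototype, so the Smi (0xdead) and heap-number (1.5) stores appear to be the ones that go through the interceptor, while the string store seems to exercise an ordinary primitive receiver unless String.prototype is wired up elsewhere; if string receivers are meant to hit the interceptor too, adding `"String.prototype.__proto__ = new Bug;"` to the script would make that explicit. Boolean and symbol receivers are not covered at all, which may be intentional but is worth stating.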
