Reland "[runtime] Pass global proxy as receiver to native accessors in case of contextual access"

Based on past discussions I'm going to try to reland this change. This makes window.document and document behave the same after navigation, which is a change from what the spec says. If this works out though, it would greatly simplify the spec; and fix the fact that currently it's leaking the underlying global object, which we don't want for security and object-identity reasons. Bug: chromium:713732 Change-Id: I5ce89afb46349ff92b7f5a884a7c388fcff887bf Reviewed-on: https://chromium-review.googlesource.com/522605 Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#45678}
2017-06-02 13:15:28 +02:00 · 2017-06-02 13:15:28 +02:00 · 1e813e5341
commit 1e813e5341
parent c30f09304a
2 changed files with 28 additions and 0 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -1371,6 +1371,11 @@ MaybeHandle<Object> Object::GetPropertyWithAccessor(LookupIterator* it) {
  Isolate* isolate = it->isolate();
  Handle<Object> structure = it->GetAccessors();
  Handle<Object> receiver = it->GetReceiver();
+  // In case of global IC, the receiver is the global object. Replace by the
+  // global proxy.
+  if (receiver->IsJSGlobalObject()) {
+    receiver = handle(JSGlobalObject::cast(*receiver)->global_proxy(), isolate);
+  }

  // We should never get here to initialize a const with the hole value since a
  // const declaration would conflict with the getter.
@ -1463,6 +1468,11 @@ Maybe<bool> Object::SetPropertyWithAccessor(LookupIterator* it,
  Isolate* isolate = it->isolate();
  Handle<Object> structure = it->GetAccessors();
  Handle<Object> receiver = it->GetReceiver();
+  // In case of global IC, the receiver is the global object. Replace by the
+  // global proxy.
+  if (receiver->IsJSGlobalObject()) {
+    receiver = handle(JSGlobalObject::cast(*receiver)->global_proxy(), isolate);
+  }

  // We should never get here to initialize a const with the hole value since a
  // const declaration would conflict with the setter.
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@ -26588,6 +26588,24 @@ TEST(SetPrototypeTemplate) {
  ExpectTrue("Image.prototype === HTMLImageElement.prototype");
 }

+void ensure_receiver_is_global_proxy(
+    v8::Local<v8::Name>, const v8::PropertyCallbackInfo<v8::Value>& info) {
+  CHECK(v8::Utils::OpenHandle(*info.This())->IsJSGlobalProxy());
+}
+
+THREADED_TEST(GlobalAccessorInfo) {
+  v8::Isolate* isolate = CcTest::isolate();
+  v8::HandleScope scope(isolate);
+  Local<v8::ObjectTemplate> global_template = v8::ObjectTemplate::New(isolate);
+  global_template->SetAccessor(
+      v8::String::NewFromUtf8(isolate, "prop", v8::NewStringType::kInternalized)
+          .ToLocalChecked(),
+      &ensure_receiver_is_global_proxy);
+  LocalContext env(NULL, global_template);
+  CompileRun("for (var i = 0; i < 10; i++) this.prop");
+  CompileRun("for (var i = 0; i < 10; i++) prop");
+}
+
 UNINITIALIZED_TEST(IncreaseHeapLimitForDebugging) {
  using namespace i;
  v8::Isolate::CreateParams create_params;