[heap] Fix parameter parsing on GC builtin

Do not assume that the MaybeHandle that is returned when fetching for a property is valid and instead check for its contents. Treat an empty handle as not finding the right property. Bug: chromium:1002827 Change-Id: Iac158086ec5f66cd9602f4a73ae78de367dd3e77 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1796556 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#63672}
2019-09-11 11:30:12 +02:00 · 2019-09-11 11:30:12 +02:00 · 3569a4febe
commit 3569a4febe
parent 1b5697cc9e
2 changed files with 16 additions and 1 deletions
--- a/src/extensions/gc-extension.cc
+++ b/src/extensions/gc-extension.cc
@ -28,7 +28,9 @@ bool IsProperty(v8::Isolate* isolate, v8::Local<v8::Context> ctx,
  auto k = v8::String::NewFromUtf8(isolate, key).ToLocalChecked();
  // Get will return undefined for non-existing keys which will make
  // StrictEquals fail.
-  return object->Get(ctx, k).ToLocalChecked()->StrictEquals(
+  auto maybe_property = object->Get(ctx, k);
+  if (maybe_property.IsEmpty()) return false;
+  return maybe_property.ToLocalChecked()->StrictEquals(
      v8::String::NewFromUtf8(isolate, value).ToLocalChecked());
 }

--- a/test/mjsunit/regress/regress-1002827.js
+++ b/test/mjsunit/regress/regress-1002827.js
@ -0,0 +1,13 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+var PI = new Proxy(this, {
+    get() {
+        PI();
+    }
+});
+
+assertThrows(() => new gc(PI, {}), TypeError);