From 3acc00a0176af5d36f251cd993f49e5db938553f Mon Sep 17 00:00:00 2001
From: jgruber <jgruber@chromium.org>
Date: Mon, 20 Feb 2017 03:48:10 -0800
Subject: [PATCH] [regexp] Fix smi receiver in stack accessors

info.This returns a Local<Object>, which results in a call to
Utils::OpenHandle<JSReceiver>.  Casting to a Local<Value> first uses the
correct OpenHandle<Object> overload.

BUG=chromium:693500

Review-Url: https://codereview.chromium.org/2706833002
Cr-Commit-Position: refs/heads/master@{#43314}
---
 src/accessors.cc                       | 7 ++++---
 test/mjsunit/regress/regress-693500.js | 5 +++++
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-693500.js

diff --git a/src/accessors.cc b/src/accessors.cc
index d6fa4fea8c..1f2ce97240 100644
--- a/src/accessors.cc
+++ b/src/accessors.cc
@@ -1202,7 +1202,8 @@ void Accessors::ErrorStackGetter(
   // If stack is still an accessor (this could have changed in the meantime
   // since FormatStackTrace can execute arbitrary JS), replace it with a data
   // property.
-  Handle<Object> receiver = Utils::OpenHandle(*info.This());
+  Handle<Object> receiver =
+      Utils::OpenHandle(*v8::Local<v8::Value>(info.This()));
   Handle<Name> name = Utils::OpenHandle(*key);
   if (IsAccessor(receiver, name, holder)) {
     result = ReplaceAccessorWithDataProperty(isolate, receiver, holder, name,
@@ -1228,8 +1229,8 @@ void Accessors::ErrorStackSetter(
     const v8::PropertyCallbackInfo<v8::Boolean>& info) {
   i::Isolate* isolate = reinterpret_cast<i::Isolate*>(info.GetIsolate());
   HandleScope scope(isolate);
-  Handle<JSObject> obj =
-      Handle<JSObject>::cast(Utils::OpenHandle(*info.This()));
+  Handle<JSObject> obj = Handle<JSObject>::cast(
+      Utils::OpenHandle(*v8::Local<v8::Value>(info.This())));
 
   // Clear internal properties to avoid memory leaks.
   Handle<Symbol> stack_trace_symbol = isolate->factory()->stack_trace_symbol();
diff --git a/test/mjsunit/regress/regress-693500.js b/test/mjsunit/regress/regress-693500.js
new file mode 100644
index 0000000000..89b80882b2
--- /dev/null
+++ b/test/mjsunit/regress/regress-693500.js
@@ -0,0 +1,5 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+Reflect.get(new Error(), "stack", 0);