Fix for Proxy leaking in toString

toString on JS Proxies are leaking, see this sample code: undefined[Function.prototype.toString] undefined[new Proxy(Function.prototype.toString, {})] This change fixes the behavior. Patch credits to Yusif <yusif.khudhur@gmail.com> Change-Id: Id82a0a5c245469973452a3e6609cb91978274b8e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2739980 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#73625}
2021-03-12 17:55:47 +01:00 · 2021-03-12 17:55:47 +01:00 · 40e499cd28
commit 40e499cd28
parent 9ca7465157
3 changed files with 10 additions and 0 deletions
--- a/2
+++ b/2
@ -167,6 +167,7 @@ Milton Chiang <milton.chiang@mediatek.com>
 Mu Tao <pamilty@gmail.com>
 Myeong-bo Shim <m0609.shim@samsung.com>
 Nicolas Antonius Ernst Leopold Maria Kaiser <nikai@nikai.net>
+Niek van der Maas <mail@niekvandermaas.nl>
 Niklas Hambüchen <mail@nh2.me>
 Noj Vek <nojvek@gmail.com>
 Oleksandr Chekhovskyi <oleksandr.chekhovskyi@gmail.com>
@ -235,6 +236,7 @@ Yi Wang <wangyi8848@gmail.com>
 Yong Wang <ccyongwang@tencent.com>
 Youfeng Hao <ajihyf@gmail.com>
 Yu Yin <xwafish@gmail.com>
+Yusif Khudhur <yusif.khudhur@gmail.com>
 Zac Hansen <xaxxon@gmail.com>
 Zeynep Cankara <zeynepcankara402@gmail.com>
 Zhao Jiazhong <kyslie3100@gmail.com>
--- a/src/objects/objects.cc
+++ b/src/objects/objects.cc
@ -461,6 +461,9 @@ Handle<String> Object::NoSideEffectsToString(Isolate* isolate,

  if (input->IsString() || input->IsNumber() || input->IsOddball()) {
    return Object::ToString(isolate, input).ToHandleChecked();
+  } else if (input->IsJSProxy()) {
+    HeapObject target = Handle<JSProxy>::cast(input)->target(isolate);
+    return NoSideEffectsToString(isolate, Handle<Object>(target, isolate));
  } else if (input->IsBigInt()) {
    MaybeHandle<String> maybe_string =
        BigInt::ToString(isolate, Handle<BigInt>::cast(input), 10, kDontThrow);
--- a/test/cctest/test-object.cc
+++ b/test/cctest/test-object.cc
@ -77,6 +77,11 @@ TEST(NoSideEffectsToString) {
              "Error: fisk hest");
  CheckObject(isolate, factory->NewJSObject(isolate->object_function()),
              "#<Object>");
+  CheckObject(
+      isolate,
+      factory->NewJSProxy(factory->NewJSObject(isolate->object_function()),
+                          factory->NewJSObject(isolate->object_function())),
+      "#<Object>");
 }

 TEST(EnumCache) {