[ic] Don't call LookupIterator::GetStoreTarget() when receiver is not a JSReceiver.

BUG=chromium:619166,chromium:625155 Review-Url: https://codereview.chromium.org/2175273002 Cr-Commit-Position: refs/heads/master@{#38018}
2016-07-25 05:30:45 -07:00 · 2016-07-25 05:30:45 -07:00 · 5c8cb1689a
commit 5c8cb1689a
parent b54e49ae49
3 changed files with 28 additions and 4 deletions
--- a/src/lookup.h
+++ b/src/lookup.h
@ -176,6 +176,7 @@ class LookupIterator final BASE_EMBEDDED {
  Handle<Object> GetReceiver() const { return receiver_; }

  Handle<JSObject> GetStoreTarget() const {
+    DCHECK(receiver_->IsJSObject());
    if (receiver_->IsJSGlobalProxy()) {
      Map* map = JSGlobalProxy::cast(*receiver_)->map();
      if (map->has_hidden_prototype()) {
--- a/src/objects.cc
+++ b/src/objects.cc
@ -4374,15 +4374,18 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
                                    value, it->GetReceiver(), language_mode);

      case LookupIterator::INTERCEPTOR: {
-        Handle<Map> store_target_map =
-            handle(it->GetStoreTarget()->map(), it->isolate());
+        Handle<Map> store_target_map;
+        if (it->GetReceiver()->IsJSObject()) {
+          store_target_map = handle(it->GetStoreTarget()->map(), it->isolate());
+        }
        if (it->HolderIsReceiverOrHiddenPrototype()) {
          Maybe<bool> result =
              JSObject::SetPropertyWithInterceptor(it, should_throw, value);
          if (result.IsNothing() || result.FromJust()) return result;
          // Interceptor modified the store target but failed to set the
          // property.
-          Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
+          Utils::ApiCheck(store_target_map.is_null() ||
+                              *store_target_map == it->GetStoreTarget()->map(),
                          it->IsElement() ? "v8::IndexedPropertySetterCallback"
                                          : "v8::NamedPropertySetterCallback",
                          "Interceptor silently changed store target.");
@ -4395,7 +4398,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
          }
          // Interceptor modified the store target but failed to set the
          // property.
-          Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
+          Utils::ApiCheck(store_target_map.is_null() ||
+                              *store_target_map == it->GetStoreTarget()->map(),
                          it->IsElement() ? "v8::IndexedPropertySetterCallback"
                                          : "v8::NamedPropertySetterCallback",
                          "Interceptor silently changed store target.");
--- a/test/cctest/test-api-interceptors.cc
+++ b/test/cctest/test-api-interceptors.cc
@ -3292,6 +3292,25 @@ THREADED_TEST(Regress149912) {
  CompileRun("Number.prototype.__proto__ = new Bug; var x = 0; x.foo();");
 }

+THREADED_TEST(Regress625155) {
+  LocalContext context;
+  v8::HandleScope scope(context->GetIsolate());
+  Local<FunctionTemplate> templ = FunctionTemplate::New(context->GetIsolate());
+  AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter);
+  context->Global()
+      ->Set(context.local(), v8_str("Bug"),
+            templ->GetFunction(context.local()).ToLocalChecked())
+      .FromJust();
+  CompileRun(
+      "Number.prototype.__proto__ = new Bug;"
+      "var x;"
+      "x = 0xdead;"
+      "x.boom = 0;"
+      "x = 's';"
+      "x.boom = 0;"
+      "x = 1.5;"
+      "x.boom = 0;");
+}

 THREADED_TEST(Regress125988) {
  v8::HandleScope scope(CcTest::isolate());