Check for validity when accessing call site objects in runtime.

R=jkummerow@chromium.org BUG=chromium:528379 LOG=N Review URL: https://codereview.chromium.org/1404613002 Cr-Commit-Position: refs/heads/master@{#31233}
2015-10-13 03:53:06 -07:00 · 2015-10-13 03:53:06 -07:00 · 82b30828bd
commit 82b30828bd
parent 2633401137
4 changed files with 16 additions and 2 deletions
--- a/src/messages.cc
+++ b/src/messages.cc
@ -144,10 +144,13 @@ base::SmartArrayPointer<char> MessageHandler::GetLocalizedMessage(

 CallSite::CallSite(Isolate* isolate, Handle<JSObject> call_site_obj)
    : isolate_(isolate) {
+  Handle<Object> maybe_function = JSObject::GetDataProperty(
+      call_site_obj, isolate->factory()->call_site_function_symbol());
+  if (!maybe_function->IsJSFunction()) return;
+
+  fun_ = Handle<JSFunction>::cast(maybe_function);
  receiver_ = JSObject::GetDataProperty(
      call_site_obj, isolate->factory()->call_site_receiver_symbol());
-  fun_ = Handle<JSFunction>::cast(JSObject::GetDataProperty(
-      call_site_obj, isolate->factory()->call_site_function_symbol()));
  pos_ = Handle<Smi>::cast(JSObject::GetDataProperty(
                               call_site_obj,
                               isolate->factory()->call_site_position_symbol()))
--- a/src/messages.h
+++ b/src/messages.h
@ -62,6 +62,8 @@ class CallSite {
  bool IsEval();
  bool IsConstructor();

+  bool IsValid() { return !fun_.is_null(); }
+
 private:
  Isolate* isolate_;
  Handle<Object> receiver_;
--- a/src/runtime/runtime-internal.cc
+++ b/src/runtime/runtime-internal.cc
@ -318,6 +318,7 @@ RUNTIME_FUNCTION(Runtime_FormatMessageString) {
    CONVERT_ARG_HANDLE_CHECKED(JSObject, call_site_obj, 0); \
    Handle<String> result;                                  \
    CallSite call_site(isolate, call_site_obj);             \
+    RUNTIME_ASSERT(call_site.IsValid())                     \
    return RETURN(call_site.NAME(), isolate);               \
  }

--- a/test/mjsunit/regress-crbug-528379.js
+++ b/test/mjsunit/regress-crbug-528379.js
@ -0,0 +1,8 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --enable-slow-asserts
+
+Error.prepareStackTrace = function(e, frames) { return frames; }
+assertThrows(function() { new Error().stack[0].getMethodName.call({}); });