Fix casting error for receiver of interceptors.

This fixes a casting error that occured when the receiver of a missed or uninitialized CallIC is a Smi and there is an interceptor installed on the prototype chain. R=yangguo@chromium.org BUG=chromium:149912 TEST=cctest/test-api/Regress149912 Review URL: https://codereview.chromium.org/10914317 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12531 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-17 14:39:10 +00:00 · 2012-09-17 14:39:10 +00:00 · 86fd161fdc
commit 86fd161fdc
parent 783d10197a
3 changed files with 19 additions and 11 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -651,11 +651,9 @@ MaybeObject* Object::GetProperty(Object* receiver,
          receiver, result->GetCallbackObject(), name);
    case HANDLER:
      return result->proxy()->GetPropertyWithHandler(receiver, name);
-    case INTERCEPTOR: {
-      JSObject* recvr = JSObject::cast(receiver);
+    case INTERCEPTOR:
      return result->holder()->GetPropertyWithInterceptor(
-          recvr, name, attributes);
-    }
+          receiver, name, attributes);
    case TRANSITION:
    case NONEXISTENT:
      UNREACHABLE();
@ -10483,7 +10481,7 @@ InterceptorInfo* JSObject::GetIndexedInterceptor() {


 MaybeObject* JSObject::GetPropertyPostInterceptor(
-    JSReceiver* receiver,
+    Object* receiver,
    String* name,
    PropertyAttributes* attributes) {
  // Check local property in holder, ignore interceptor.
@ -10501,7 +10499,7 @@ MaybeObject* JSObject::GetPropertyPostInterceptor(


 MaybeObject* JSObject::GetLocalPropertyPostInterceptor(
-    JSReceiver* receiver,
+    Object* receiver,
    String* name,
    PropertyAttributes* attributes) {
  // Check local property in holder, ignore interceptor.
@ -10515,13 +10513,13 @@ MaybeObject* JSObject::GetLocalPropertyPostInterceptor(


 MaybeObject* JSObject::GetPropertyWithInterceptor(
-    JSReceiver* receiver,
+    Object* receiver,
    String* name,
    PropertyAttributes* attributes) {
  Isolate* isolate = GetIsolate();
  InterceptorInfo* interceptor = GetNamedInterceptor();
  HandleScope scope(isolate);
-  Handle<JSReceiver> receiver_handle(receiver);
+  Handle<Object> receiver_handle(receiver);
  Handle<JSObject> holder_handle(this);
  Handle<String> name_handle(name);

--- a/src/objects.h
+++ b/src/objects.h
@ -1687,15 +1687,15 @@ class JSObject: public JSReceiver {
      String* name,
      PropertyAttributes* attributes);
  MUST_USE_RESULT MaybeObject* GetPropertyWithInterceptor(
-      JSReceiver* receiver,
+      Object* receiver,
      String* name,
      PropertyAttributes* attributes);
  MUST_USE_RESULT MaybeObject* GetPropertyPostInterceptor(
-      JSReceiver* receiver,
+      Object* receiver,
      String* name,
      PropertyAttributes* attributes);
  MUST_USE_RESULT MaybeObject* GetLocalPropertyPostInterceptor(
-      JSReceiver* receiver,
+      Object* receiver,
      String* name,
      PropertyAttributes* attributes);

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@ -17469,6 +17469,16 @@ THREADED_TEST(Regress137496) {
 }


+THREADED_TEST(Regress149912) {
+  v8::HandleScope scope;
+  LocalContext context;
+  Handle<FunctionTemplate> templ = FunctionTemplate::New();
+  AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter);
+  context->Global()->Set(v8_str("Bug"), templ->GetFunction());
+  CompileRun("Number.prototype.__proto__ = new Bug; var x = 0; x.foo();");
+}
+
+
 #ifndef WIN32
 class ThreadInterruptTest {
 public: