[objects] Remove dangerous arguments accessors.

This removes the dangerous accessor methods from the arguments object
classes. The shape of an arguments object might transition,
turning the fields into dictionary mode, making the accessors invalid.

It also fixes a bug in the reported number of embedder fields on the
arguments object.

R=ishell@chromium.org
TEST=cctest/test-api/InternalFieldsOfRegularObjects

Change-Id: Ib7a73608c6236fe8864434e0cfdcb754ae012a75
Reviewed-on: https://chromium-review.googlesource.com/636368
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47643}
This commit is contained in:
Michael Starzinger 2017-08-28 13:43:18 +02:00 committed by Commit Bot
parent b4712d52ea
commit a33b0d2509
5 changed files with 31 additions and 31 deletions


@ -470,29 +470,25 @@ void TransitionArray::TransitionArrayVerify() {
void JSArgumentsObject::JSArgumentsObjectVerify() {
if (IsSloppyArgumentsElementsKind(GetElementsKind())) {
JSSloppyArgumentsObject::cast(this)->JSSloppyArgumentsObjectVerify();
SloppyArgumentsElements::cast(elements())
->SloppyArgumentsElementsVerify(this);
}
JSObjectVerify();
}
void JSSloppyArgumentsObject::JSSloppyArgumentsObjectVerify() {
Isolate* isolate = GetIsolate();
if (isolate->IsInAnyContext(map(), Context::SLOPPY_ARGUMENTS_MAP_INDEX) ||
isolate->IsInAnyContext(map(),
Context::SLOW_ALIASED_ARGUMENTS_MAP_INDEX) ||
isolate->IsInAnyContext(map(),
Context::FAST_ALIASED_ARGUMENTS_MAP_INDEX)) {
VerifyObjectField(kLengthOffset);
VerifyObjectField(kCalleeOffset);
VerifyObjectField(JSSloppyArgumentsObject::kLengthOffset);
VerifyObjectField(JSSloppyArgumentsObject::kCalleeOffset);
} else if (isolate->IsInAnyContext(map(),
Context::STRICT_ARGUMENTS_MAP_INDEX)) {
VerifyObjectField(JSStrictArgumentsObject::kLengthOffset);
}
ElementsKind kind = GetElementsKind();
CHECK(IsSloppyArgumentsElementsKind(kind));
SloppyArgumentsElements::cast(elements())
->SloppyArgumentsElementsVerify(this);
JSObjectVerify();
}
void SloppyArgumentsElements::SloppyArgumentsElementsVerify(
JSSloppyArgumentsObject* holder) {
void SloppyArgumentsElements::SloppyArgumentsElementsVerify(JSObject* holder) {
Isolate* isolate = GetIsolate();
FixedArrayVerify();
// Abort verification if only partially initialized (can't use arguments()
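Review bot: The new JSArgumentsObjectVerify body does not say why the `VerifyObjectField` calls are guarded by the three initial sloppy maps and the strict map, even though that guard is the whole reason the accessors were removed; someone adding a branch later could easily verify the offsets unconditionally. I would add above `Isolate* isolate = GetIsolate();`: `// length/callee live at fixed in-object offsets only under the initial arguments maps; a transitioned (dictionary-mode) map has no such layout, so nothing is verified for it.` Note also that SloppyArgumentsElementsVerify now takes a `JSObject* holder`, so its body, which continues past the hunk, must not assume the sloppy-arguments field layout when it touches the holder.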


@ -1385,7 +1385,7 @@ int JSObject::GetHeaderSize(InstanceType type) {
case JS_MESSAGE_OBJECT_TYPE:
return JSMessageObject::kSize;
case JS_ARGUMENTS_TYPE:
return JSArgumentsObject::kHeaderSize;
return JSObject::kHeaderSize;
case JS_ERROR_TYPE:
return JSObject::kHeaderSize;
case JS_STRING_ITERATOR_TYPE:
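Review bot: The JS_ARGUMENTS_TYPE case now returns exactly what the JS_ERROR_TYPE case below it returns, and nothing at this site records that this is the embedder-field fix from the commit message, so a later reader who spots `JSArgumentsObject::kSize` in arguments.h may "correct" it back. Either let the case fall through, `case JS_ARGUMENTS_TYPE: case JS_ERROR_TYPE: return JSObject::kHeaderSize;`, or keep it separate with `// length/callee are in-object properties, not header fields; counting them here inflates InternalFieldCount().` GetHeaderSize begins and ends outside the hunk.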


@ -15,12 +15,8 @@ namespace internal {
CAST_ACCESSOR(AliasedArgumentsEntry)
CAST_ACCESSOR(JSArgumentsObject)
CAST_ACCESSOR(JSSloppyArgumentsObject)
CAST_ACCESSOR(SloppyArgumentsElements)
ACCESSORS(JSArgumentsObject, length, Object, kLengthOffset);
ACCESSORS(JSSloppyArgumentsObject, callee, Object, kCalleeOffset);
SMI_ACCESSORS(AliasedArgumentsEntry, aliased_context_slot, kAliasedContextSlot)
TYPE_CHECKER(JSArgumentsObject, JS_ARGUMENTS_TYPE)


@ -14,16 +14,17 @@ namespace v8 {
namespace internal {
// Common superclass for JSSloppyArgumentsObject and JSStrictArgumentsObject.
// Note that the instance type {JS_ARGUMENTS_TYPE} does _not_ guarantee the
// below layout, the in-object properties might have transitioned to dictionary
// mode already. Only use the below layout with the specific initial maps.
class JSArgumentsObject : public JSObject {
public:
// Offsets of object fields.
static const int kLengthOffset = JSObject::kHeaderSize;
static const int kHeaderSize = kLengthOffset + kPointerSize;
static const int kSize = kLengthOffset + kPointerSize;
// Indices of in-object properties.
static const int kLengthIndex = 0;
DECL_ACCESSORS(length, Object)
DECL_VERIFIER(JSArgumentsObject)
DECL_CAST(JSArgumentsObject)
@ -36,16 +37,11 @@ class JSArgumentsObject : public JSObject {
class JSSloppyArgumentsObject : public JSArgumentsObject {
public:
// Offsets of object fields.
static const int kCalleeOffset = JSArgumentsObject::kHeaderSize;
static const int kCalleeOffset = JSArgumentsObject::kSize;
static const int kSize = kCalleeOffset + kPointerSize;
// Indices of in-object properties.
static const int kCalleeIndex = kLengthIndex + 1;
DECL_ACCESSORS(callee, Object)
DECL_VERIFIER(JSSloppyArgumentsObject)
DECL_CAST(JSSloppyArgumentsObject)
private:
DISALLOW_IMPLICIT_CONSTRUCTORS(JSSloppyArgumentsObject);
};
@ -55,9 +51,7 @@ class JSSloppyArgumentsObject : public JSArgumentsObject {
class JSStrictArgumentsObject : public JSArgumentsObject {
public:
// Offsets of object fields.
static const int kSize = JSArgumentsObject::kHeaderSize;
DECL_CAST(JSStrictArgumentsObject)
static const int kSize = JSArgumentsObject::kSize;
private:
DISALLOW_IMPLICIT_CONSTRUCTORS(JSStrictArgumentsObject);
@ -100,7 +94,7 @@ class SloppyArgumentsElements : public FixedArray {
DECL_CAST(SloppyArgumentsElements)
#ifdef VERIFY_HEAP
void SloppyArgumentsElementsVerify(JSSloppyArgumentsObject* holder);
void SloppyArgumentsElementsVerify(JSObject* holder);
#endif
private:
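Review bot: `JSSloppyArgumentsObject::kSize` and `JSStrictArgumentsObject::kSize` hide the new `JSArgumentsObject::kSize`, so on the base class the constant does not mean "instance size" the way it does on the derived classes; code that writes `JSArgumentsObject::kSize` for a sloppy arguments object under-counts by one pointer. I would annotate the base constant: `// Size of the common prefix only (header plus length); the derived classes define the full instance size.` Renaming it would be safer still but touches every user and is beyond this hunk. Dropping DECL_CAST from JSStrictArgumentsObject looks consistent with arguments-inl.h, which carries no CAST_ACCESSOR for it.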


@ -2699,6 +2699,20 @@ THREADED_TEST(InternalFields) {
CHECK_EQ(17, obj->GetInternalField(0)->Int32Value(env.local()).FromJust());
}
THREADED_TEST(InternalFieldsOfRegularObjects) {
LocalContext env;
v8::Isolate* isolate = env->GetIsolate();
v8::HandleScope scope(isolate);
const char* sources[] = {"new Object()", "{ a: 'a property' }", "arguments"};
for (size_t i = 0; i < arraysize(sources); ++i) {
i::ScopedVector<char> source(128);
i::SNPrintF(source, "(function() { return %s })()", sources[i]);
v8::Local<v8::Object> obj = CompileRun(source.start()).As<v8::Object>();
CHECK_EQ(0, obj->InternalFieldCount());
}
}
THREADED_TEST(GlobalObjectInternalFields) {
v8::Isolate* isolate = CcTest::isolate();
v8::HandleScope scope(isolate);
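Review bot: The new test exercises only the unmapped sloppy-mode arguments object (`"arguments"` in `sources`), while the header change in this commit also touches JSStrictArgumentsObject, so a regression in the strict layout would go unnoticed. Adding `"(function() { 'use strict'; return arguments })()"` to `sources` covers it and still fits the 128-byte buffer. A mapped arguments object from a function with declared parameters, e.g. `"(function(x) { return arguments })(1)"`, would be a third useful case, since the verifier in objects-debug.cc distinguishes the aliased maps from the plain sloppy one. The test body is complete within the hunk.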