Reland "[runtime] Pass global proxy as receiver to native accessors in case of contextual access"

Based on past discussions I'm going to try to reland this change. This makes window.document and document behave the same after navigation, which is a change from what the spec says. If this works out though, it would greatly simplify the spec; and fix the fact that currently it's leaking the underlying global object, which we don't want for security and object-identity reasons. Bug: chromium:713732 Change-Id: I835ef510fc78f04c602434a7cec6420e027c4012 Reviewed-on: https://chromium-review.googlesource.com/520764 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#45654}
2017-06-01 10:11:49 +02:00 · 2017-06-01 10:11:49 +02:00 · ba8a753947
commit ba8a753947
parent c72d64cb53
2 changed files with 28 additions and 0 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -1371,6 +1371,11 @@ MaybeHandle<Object> Object::GetPropertyWithAccessor(LookupIterator* it) {
  Isolate* isolate = it->isolate();
  Handle<Object> structure = it->GetAccessors();
  Handle<Object> receiver = it->GetReceiver();
+  // In case of global IC, the receiver is the global object. Replace by the
+  // global proxy.
+  if (receiver->IsJSGlobalObject()) {
+    receiver = handle(JSGlobalObject::cast(*receiver)->global_proxy(), isolate);
+  }

  // We should never get here to initialize a const with the hole value since a
  // const declaration would conflict with the getter.
@ -1463,6 +1468,11 @@ Maybe<bool> Object::SetPropertyWithAccessor(LookupIterator* it,
  Isolate* isolate = it->isolate();
  Handle<Object> structure = it->GetAccessors();
  Handle<Object> receiver = it->GetReceiver();
+  // In case of global IC, the receiver is the global object. Replace by the
+  // global proxy.
+  if (receiver->IsJSGlobalObject()) {
+    receiver = handle(JSGlobalObject::cast(*receiver)->global_proxy(), isolate);
+  }

  // We should never get here to initialize a const with the hole value since a
  // const declaration would conflict with the setter.
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@ -26588,6 +26588,24 @@ TEST(SetPrototypeTemplate) {
  ExpectTrue("Image.prototype === HTMLImageElement.prototype");
 }

+void ensure_receiver_is_global_proxy(
+    v8::Local<v8::Name>, const v8::PropertyCallbackInfo<v8::Value>& info) {
+  CHECK(v8::Utils::OpenHandle(*info.This())->IsJSGlobalProxy());
+}
+
+THREADED_TEST(GlobalAccessorInfo) {
+  v8::Isolate* isolate = CcTest::isolate();
+  v8::HandleScope scope(isolate);
+  Local<v8::ObjectTemplate> global_template = v8::ObjectTemplate::New(isolate);
+  global_template->SetAccessor(
+      v8::String::NewFromUtf8(isolate, "prop", v8::NewStringType::kInternalized)
+          .ToLocalChecked(),
+      &ensure_receiver_is_global_proxy);
+  LocalContext env(NULL, global_template);
+  CompileRun("for (var i = 0; i < 10; i++) this.prop");
+  CompileRun("for (var i = 0; i < 10; i++) prop");
+}
+
 UNINITIALIZED_TEST(IncreaseHeapLimitForDebugging) {
  using namespace i;
  v8::Isolate::CreateParams create_params;