Check that receiver is JSObject on API calls.

R=sgjesse@chromium.org
BUG=v8:1369
TEST=mjsunit/regress/regress-1369.js

Review URL: http://codereview.chromium.org/6931056

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7808 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/builtins.cc b/src/builtins.cc
index 377de057a3e054b35fb17b54875187ee58701910..f473559638f1c1a5b261cdc88ac0234254dc1f99 100644 (file)
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -1026,6 +1026,8 @@ static inline Object* TypeCheck(Heap* heap,
                                 Object** argv,
                                 FunctionTemplateInfo* info) {
   Object* recv = argv[0];
+  // API calls are only supported with JSObject receivers.
+  if (!recv->IsJSObject()) return heap->null_value();
   Object* sig_obj = info->signature();
   if (sig_obj->IsUndefined()) return recv;
   SignatureInfo* sig = SignatureInfo::cast(sig_obj);

diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index f48d5b49ffadc54b54f791ea6736c2fbdd5b155e..ab94085a95f0da53624a80c4b0edede4310bfb00 100644 (file)
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -14391,3 +14391,20 @@ THREADED_TEST(AllowCodeGenFromStrings) {
   V8::SetAllowCodeGenerationFromStringsCallback(&CodeGenerationDisallowed);
   CheckCodeGenerationDisallowed();
 }
+
+
+static v8::Handle<Value> NonObjectThis(const v8::Arguments& args) {
+  return v8::Undefined();
+}
+
+
+THREADED_TEST(CallAPIFunctionOnNonObject) {
+  v8::HandleScope scope;
+  LocalContext context;
+  Handle<FunctionTemplate> templ = v8::FunctionTemplate::New(NonObjectThis);
+  Handle<Function> function = templ->GetFunction();
+  context->Global()->Set(v8_str("f"), function);
+  TryCatch try_catch;
+  CompileRun("f.call(2)");
+  CHECK(try_catch.HasCaught());
+}

diff --git a/test/mjsunit/regress/regress-1369.js b/test/mjsunit/regress/regress-1369.js
new file mode 100644 (file)
index 0000000..f18e37b
--- /dev/null
+++ b/test/mjsunit/regress/regress-1369.js
@@ -0,0 +1,31 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --expose-gc
+
+assertThrows('gc.call(1)');
+assertThrows('gc.call("asdf")');