From: kmillikin@chromium.org Date: Mon, 11 Jul 2011 14:07:12 +0000 (+0000) Subject: Fix a potential crash in const declaration. X-Git-Tag: upstream/4.7.83~18926 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=890bc1607a503e2c87a89f69b38a5ee7654aa22e;p=platform%2Fupstream%2Fv8.git Fix a potential crash in const declaration. Declaration of const lookup slots would trigger an assertion if there was a setter somewhere in the prototype chain, and that setter was shadowed by a non-readonly data property also in the prototype chain. R=ager@chromium.org BUG= TEST= Review URL: http://codereview.chromium.org/7324048 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8602 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/objects.cc b/src/objects.cc
index 640fa8e..ca780db 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1883,13 +1883,9 @@ void JSObject::LookupCallbackSetterInPrototypes(String* name,
 pt = pt->GetPrototype()) {
 JSObject::cast(pt)->LocalLookupRealNamedProperty(name, result);
 if (result->IsProperty()) {
- if (result->IsReadOnly()) {
- result->NotFound();
- return;
- }
- if (result->type() == CALLBACKS) {
- return;
- }
+ if (result->type() == CALLBACKS && !result->IsReadOnly()) return;
+ // Found non-callback or read-only callback, stop looking.
+ break;
 }
 }
 result->NotFound();
@@ -2273,10 +2269,10 @@ MUST_USE_RESULT PropertyAttributes JSProxy::GetPropertyAttributeWithHandler(
 MaybeObject* JSObject::SetPropertyForResult(LookupResult* result,
- String* name,
- Object* value,
- PropertyAttributes attributes,
- StrictModeFlag strict_mode) {
+ String* name,
+ Object* value,
+ PropertyAttributes attributes,
+ StrictModeFlag strict_mode) {
 Heap* heap = GetHeap();
 // Make sure that the top context does not change when doing callbacks or
 // interceptor calls.
diff --git a/test/mjsunit/regress/regress-88591.js b/test/mjsunit/regress/regress-88591.js
new file mode 100644
index 0000000..e42570a
--- /dev/null
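Review bot: The shadowing rule added to `LookupCallbackSetterInPrototypes` in the first objects.cc hunk is explained only by the inline comment at the `break`, and the postcondition callers depend on (the result is either not found or a non-read-only `CALLBACKS` entry) is stated nowhere. I would document it on the function, e.g. `// Finds the nearest property named |name| in the prototype chain and reports it only if it is a writable callback; any other property shadows setters further up and yields NotFound.` The context line `JSObject::cast(pt)->LocalLookupRealNamedProperty(name, result);` also casts every prototype unconditionally; whether a non-JSObject such as a proxy can appear in the chain at this point is not visible from the hunk, so that is worth confirming before relying on the cast. The function's signature and loop header start above the hunk and are not shown in full.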
+++ b/test/mjsunit/regress/regress-88591.js 
@@ -0,0 +1,42 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Regression test for a crash. A data property in the global object's
+// prototype shadowed by a setter in the global object's prototype's
+// prototype would crash or assert when seen by Runtime_DeclareContextSlot.
+var called = false;
+Object.prototype.__defineSetter__('x', function(x) { called = true; });
+Object.prototype.__defineGetter__('x', function () { return 0; });
+
+this.__proto__ = { x: 1 };
+
+try { fail; } catch (e) { eval('const x = 2'); }
+
+var o = Object.getOwnPropertyDescriptor(this, 'x');
+assertFalse(called);
+assertEquals(2, o.value);
+assertEquals(false, o.writable);
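Review bot: The header comment of regress-88591.js states the shadowing backwards. The test puts the data property `{ x: 1 }` on the global object's prototype and the setter on `Object.prototype`, so it is the setter that is shadowed by the data property, as the commit message says. Suggested wording: `// A setter in the global object's prototype's prototype, shadowed by a data property in the global object's prototype, would crash or assert when seen by Runtime_DeclareContextSlot.` The test also exercises only the non-callback branch of the new condition in objects.cc; if a read-only callback can be set up from script, a second case would cover the `!result->IsReadOnly()` half.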