From 49d951d043bad54baccc8159b64b79faf457b484 Mon Sep 17 00:00:00 2001 From: "ulan@chromium.org" Date: Fri, 11 Apr 2014 13:16:36 +0000 Subject: [PATCH] Do not call user defined getter of Error.stackTraceLimit. Handlify GetNormalizedProperty. BUG=360733 LOG=N R=yangguo@chromium.org Review URL: https://codereview.chromium.org/233243005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/isolate.cc | 8 ++++-- src/objects.cc | 49 ++++++++++++++++++++++++++++++++++ src/objects.h | 5 ++++ src/runtime.cc | 24 ++--------------- test/mjsunit/regress/regress-360733.js | 14 ++++++++++ 5 files changed, 76 insertions(+), 24 deletions(-) create mode 100644 test/mjsunit/regress/regress-360733.js diff --git a/src/isolate.cc b/src/isolate.cc index 076bb89..3b38422 100644 --- a/src/isolate.cc +++ b/src/isolate.cc @@ -859,9 +859,13 @@ Failure* Isolate::StackOverflow() { Handle error = GetProperty(js_builtins_object(), "$Error").ToHandleChecked(); if (!error->IsJSObject()) return Failure::Exception(); + + Handle stackTraceLimit = + factory()->InternalizeUtf8String("stackTraceLimit"); + ASSERT(!stackTraceLimit.is_null()); Handle stack_trace_limit = - GetProperty( - Handle::cast(error), "stackTraceLimit").ToHandleChecked(); + JSObject::GetDataProperty(Handle::cast(error), + stackTraceLimit); if (!stack_trace_limit->IsNumber()) return Failure::Exception(); double dlimit = stack_trace_limit->Number(); int limit = std::isnan(dlimit) ? 0 : static_cast(dlimit); diff --git a/src/objects.cc b/src/objects.cc index d886d1a..85ca44e 100644 --- a/src/objects.cc +++ b/src/objects.cc @@ -632,6 +632,20 @@ Object* JSObject::GetNormalizedProperty(const LookupResult* result) { } +Handle JSObject::GetNormalizedProperty(Handle object, + const LookupResult* result) { + ASSERT(!object->HasFastProperties()); + Isolate* isolate = object->GetIsolate(); + Handle value(object->property_dictionary()->ValueAt( + result->GetDictionaryEntry()), isolate); + if (object->IsGlobalObject()) { + value = Handle(Handle::cast(value)->value(), isolate); + } + ASSERT(!value->IsPropertyCell() && !value->IsCell()); + return value; +} + + void JSObject::SetNormalizedProperty(Handle object, const LookupResult* result, Handle value) { @@ -5956,6 +5970,41 @@ Handle JSObject::DeepCopy(Handle object, } +Handle JSObject::GetDataProperty(Handle object, + Handle key) { + Isolate* isolate = object->GetIsolate(); + LookupResult lookup(isolate); + { + DisallowHeapAllocation no_allocation; + object->LookupRealNamedProperty(*key, &lookup); + } + Handle result = isolate->factory()->undefined_value(); + if (lookup.IsFound() && !lookup.IsTransition()) { + switch (lookup.type()) { + case NORMAL: + result = GetNormalizedProperty( + Handle(lookup.holder(), isolate), &lookup); + break; + case FIELD: + result = FastPropertyAt(Handle(lookup.holder(), isolate), + lookup.representation(), + lookup.GetFieldIndex().field_index()); + break; + case CONSTANT: + result = Handle(lookup.GetConstant(), isolate); + break; + case CALLBACKS: + case HANDLER: + case INTERCEPTOR: + break; + case NONEXISTENT: + UNREACHABLE(); + } + } + return result; +} + + // Tests for the fast common case for property enumeration: // - This object and all prototypes has an enum cache (which means that // it is no proxy, has no interceptors and needs no access checks). diff --git a/src/objects.h b/src/objects.h index 554cc73..634fbcd 100644 --- a/src/objects.h +++ b/src/objects.h @@ -2303,6 +2303,8 @@ class JSObject: public JSReceiver { // Retrieve a value in a normalized object given a lookup result. // Handles the special representation of JS global objects. Object* GetNormalizedProperty(const LookupResult* result); + static Handle GetNormalizedProperty(Handle object, + const LookupResult* result); // Sets the property value in a normalized object given a lookup result. // Handles the special representation of JS global objects. @@ -2654,6 +2656,9 @@ class JSObject: public JSReceiver { static Handle DeepWalk(Handle object, AllocationSiteCreationContext* site_context); + static Handle GetDataProperty(Handle object, + Handle key); + // Casting. static inline JSObject* cast(Object* obj); diff --git a/src/runtime.cc b/src/runtime.cc index b93f957..4f34085 100644 --- a/src/runtime.cc +++ b/src/runtime.cc @@ -5201,31 +5201,11 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_DefineOrRedefineDataProperty) { // Return property without being observable by accessors or interceptors. RUNTIME_FUNCTION(MaybeObject*, Runtime_GetDataProperty) { - SealHandleScope shs(isolate); + HandleScope scope(isolate); ASSERT(args.length() == 2); CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0); CONVERT_ARG_HANDLE_CHECKED(Name, key, 1); - LookupResult lookup(isolate); - object->LookupRealNamedProperty(*key, &lookup); - if (lookup.IsFound() && !lookup.IsTransition()) { - switch (lookup.type()) { - case NORMAL: - return lookup.holder()->GetNormalizedProperty(&lookup); - case FIELD: - return lookup.holder()->FastPropertyAt( - lookup.representation(), - lookup.GetFieldIndex().field_index()); - case CONSTANT: - return lookup.GetConstant(); - case CALLBACKS: - case HANDLER: - case INTERCEPTOR: - break; - case NONEXISTENT: - UNREACHABLE(); - } - } - return isolate->heap()->undefined_value(); + return *JSObject::GetDataProperty(object, key); } diff --git a/test/mjsunit/regress/regress-360733.js b/test/mjsunit/regress/regress-360733.js new file mode 100644 index 0000000..28f73ea --- /dev/null +++ b/test/mjsunit/regress/regress-360733.js @@ -0,0 +1,14 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --stack_size=150 + +function f(a) { + f(a + 1); +} + +Error.__defineGetter__('stackTraceLimit', function() { }); +try { + f(0); +} catch (e) { } -- 2.7.4