From 92b895a76160eb9dde532ba316d9f54a68a0179a Mon Sep 17 00:00:00 2001
From: "adamk@chromium.org"
Date: Mon, 12 May 2014 08:49:51 +0000
Subject: [PATCH] Harden %SetIsObserved with RUNTIME_ASSERTs

Now throws if its argument is already observed, or if the argument is the global proxy.

BUG=371782
LOG=Y
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/274163002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21256 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/runtime.cc | 6 +++---
 test/mjsunit/es7/object-observe-runtime.js | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 test/mjsunit/es7/object-observe-runtime.js

diff --git a/src/runtime.cc b/src/runtime.cc
index 143b870..ac8f6eb 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -14855,9 +14855,9 @@ RUNTIME_FUNCTION(Runtime_SetIsObserved) {
   HandleScope scope(isolate);
   ASSERT(args.length() == 1);
   CONVERT_ARG_HANDLE_CHECKED(JSReceiver, obj, 0);
-  ASSERT(!obj->IsJSGlobalProxy());
-  if (obj->IsJSProxy())
-    return isolate->heap()->undefined_value();
+  RUNTIME_ASSERT(!obj->IsJSGlobalProxy());
+  if (obj->IsJSProxy()) return isolate->heap()->undefined_value();
+  RUNTIME_ASSERT(!obj->map()->is_observed());
   ASSERT(obj->IsJSObject());
   JSObject::SetObserved(Handle::cast(obj));
diff --git a/test/mjsunit/es7/object-observe-runtime.js b/test/mjsunit/es7/object-observe-runtime.js
new file mode 100644
index 0000000..769cd1b
--- /dev/null
+++ b/test/mjsunit/es7/object-observe-runtime.js
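Review bot: The two new RUNTIME_ASSERT lines carry no comment explaining why these preconditions are now enforced in release builds, which is the whole point of the change; a reader who sees `ASSERT(obj->IsJSObject())` one line below and `RUNTIME_ASSERT` above it has nothing telling them which class of check is which. Since %SetIsObserved is reachable from script under --allow-natives-syntax (the new test depends on exactly that), any receiver a script can name can reach this function, so I would add above the first RUNTIME_ASSERT: `// Reachable from script via %SetIsObserved (natives syntax): reject the global proxy and already-observed objects in release builds too, not only under ASSERT.` Note also that the `if (obj->IsJSProxy()) return isolate->heap()->undefined_value();` path on the new side still silently accepts a JSProxy rather than throwing; if that is intentional it deserves a one-line comment, and if not it is presumably the one receiver kind this hardening still lets through. The enclosing Runtime_SetIsObserved ends outside the hunk, so the trailing return is not visible here.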
@@ -0,0 +1,18 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// These tests are meant to ensure that that the Object.observe runtime
+// functions are hardened.
+
+var obj = {};
+%SetIsObserved(obj);
+assertThrows(function() {
+  %SetIsObserved(obj);
+});
+
+assertThrows(function() {
+  %SetIsObserved(this);
+});
-- 
2.7.4
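Review bot: The header comment of the new test has a doubled word and should read `// These tests are meant to ensure that the Object.observe runtime`, and it would help to say what "hardened" means here, namely that the natives throw on bad input instead of relying on debug-only asserts. The second assertThrows passes `this`, which I take to be the global proxy at mjsunit top level, but nothing in the file says so; a comment such as `// At top level, this is the global proxy, which %SetIsObserved must reject.` would make the intent clear to the next reader. Neither case checks obj after the rejected second call, so a regression that throws but still mutates the object's map would pass; if there is a cheap way to assert obj is still usable afterwards, it is worth adding.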