Make sure api interceptors don't change the store target w/o storing
BUG=chromium:619166
R=verwaest@chromium.org
Review-Url: https://codereview.chromium.org/2082633002
Cr-Commit-Position: refs/heads/master@{#37152}
diff --git a/src/objects.cc b/src/objects.cc
index 480c675..2d5bb26 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4307,23 +4307,38 @@
return JSProxy::SetProperty(it->GetHolder<JSProxy>(), it->GetName(),
value, it->GetReceiver(), language_mode);
- case LookupIterator::INTERCEPTOR:
+ case LookupIterator::INTERCEPTOR: {
+ Handle<Map> store_target_map =
+ handle(it->GetStoreTarget()->map(), it->isolate());
if (it->HolderIsReceiverOrHiddenPrototype()) {
Maybe<bool> result =
JSObject::SetPropertyWithInterceptor(it, should_throw, value);
if (result.IsNothing() || result.FromJust()) return result;
+ // Interceptor modified the store target but failed to set the
+ // property.
+ Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
+ it->IsElement() ? "v8::IndexedPropertySetterCallback"
+ : "v8::NamedPropertySetterCallback",
+ "Interceptor silently changed store target.");
} else {
Maybe<PropertyAttributes> maybe_attributes =
JSObject::GetPropertyAttributesWithInterceptor(it);
if (!maybe_attributes.IsJust()) return Nothing<bool>();
- if (maybe_attributes.FromJust() == ABSENT) break;
if ((maybe_attributes.FromJust() & READ_ONLY) != 0) {
return WriteToReadOnlyProperty(it, value, should_throw);
}
+ // Interceptor modified the store target but failed to set the
+ // property.
+ Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
+ it->IsElement() ? "v8::IndexedPropertySetterCallback"
+ : "v8::NamedPropertySetterCallback",
+ "Interceptor silently changed store target.");
+ if (maybe_attributes.FromJust() == ABSENT) break;
*found = false;
return Nothing<bool>();
}
break;
+ }
case LookupIterator::ACCESSOR: {
if (it->IsReadOnly()) {
