Google Git
Sign in
chromium / v8 / v8 / 72657cda42e7055755c4cacceeafd34626440d26^! / .
commit72657cda42e7055755c4cacceeafd34626440d26[log] [tgz]
authorJochen Eisinger <jochen@chromium.org>Tue Jun 28 07:27:18 2016
committerJochen Eisinger <jochen@chromium.org>Tue Jun 28 07:31:22 2016
treeb2e313bba292a4f34e976828a203442a18492203
parent559143978207787f4976404d66c30e8a70fb9580 [diff]
Version 5.2.361.26 (cherry-pick)

Merged 2c8ca9ad09281d4138ae363566051e45afd0838c

Make sure api interceptors don't change the store target w/o storing

BUG=chromium:619166
LOG=N
TBR=verwaest@chromium.org

Review URL: https://codereview.chromium.org/2101983002 .

Cr-Commit-Position: refs/branch-heads/5.2@{#32}
Cr-Branched-From: 2cd36d6d0439ddfbe84cd90e112dced85084ec95-refs/heads/5.2.361@{#1}
Cr-Branched-From: 3fef34e02388e07d46067c516320f1ff12304c8e-refs/heads/master@{#36332}

diff --git a/include/v8-version.h b/include/v8-version.h
index 777cd2c..28201fb 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h

@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 2
 #define V8_BUILD_NUMBER 361
-#define V8_PATCH_LEVEL 25
+#define V8_PATCH_LEVEL 26
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

diff --git a/src/objects.cc b/src/objects.cc
index 26fa6a0..addf97a 100644
--- a/src/objects.cc
+++ b/src/objects.cc

@@ -4290,23 +4290,38 @@
         return JSProxy::SetProperty(it->GetHolder<JSProxy>(), it->GetName(),
                                     value, it->GetReceiver(), language_mode);
 
-      case LookupIterator::INTERCEPTOR:
+      case LookupIterator::INTERCEPTOR: {
+        Handle<Map> store_target_map =
+            handle(it->GetStoreTarget()->map(), it->isolate());
         if (it->HolderIsReceiverOrHiddenPrototype()) {
           Maybe<bool> result =
               JSObject::SetPropertyWithInterceptor(it, should_throw, value);
           if (result.IsNothing() || result.FromJust()) return result;
+          // Interceptor modified the store target but failed to set the
+          // property.
+          Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
+                          it->IsElement() ? "v8::IndexedPropertySetterCallback"
+                                          : "v8::NamedPropertySetterCallback",
+                          "Interceptor silently changed store target.");
         } else {
           Maybe<PropertyAttributes> maybe_attributes =
               JSObject::GetPropertyAttributesWithInterceptor(it);
           if (!maybe_attributes.IsJust()) return Nothing<bool>();
-          if (maybe_attributes.FromJust() == ABSENT) break;
           if ((maybe_attributes.FromJust() & READ_ONLY) != 0) {
             return WriteToReadOnlyProperty(it, value, should_throw);
           }
+          // Interceptor modified the store target but failed to set the
+          // property.
+          Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
+                          it->IsElement() ? "v8::IndexedPropertySetterCallback"
+                                          : "v8::NamedPropertySetterCallback",
+                          "Interceptor silently changed store target.");
+          if (maybe_attributes.FromJust() == ABSENT) break;
           *found = false;
           return Nothing<bool>();
         }
         break;
+      }
 
       case LookupIterator::ACCESSOR: {
         if (it->IsReadOnly()) {