Side by Side Diff: src/builtins.cc

Issue 1036743004: add access checks to receivers on function callbacks (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Created 5 years, 9 months ago
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "src/v8.h" 5 #include "src/v8.h"
6 6
7 #include "src/api.h" 7 #include "src/api.h"
8 #include "src/api-natives.h" 8 #include "src/api-natives.h"
9 #include "src/arguments.h" 9 #include "src/arguments.h"
10 #include "src/base/once.h" 10 #include "src/base/once.h"
1037 ASSIGN_RETURN_ON_EXCEPTION( 1037 ASSIGN_RETURN_ON_EXCEPTION(
1038 isolate, fun_data, 1038 isolate, fun_data,
1039 ApiNatives::ConfigureInstance(isolate, fun_data, 1039 ApiNatives::ConfigureInstance(isolate, fun_data,
1040 Handle<JSObject>::cast(args.receiver())), 1040 Handle<JSObject>::cast(args.receiver())),
1041 Object); 1041 Object);
1042 } 1042 }
1043 1043
1044 DCHECK(!args[0]->IsNull()); 1044 DCHECK(!args[0]->IsNull());
1045 if (args[0]->IsUndefined()) args[0] = function->global_proxy(); 1045 if (args[0]->IsUndefined()) args[0] = function->global_proxy();
1046 1046
1047 Object* raw_holder = fun_data->GetCompatibleReceiver(isolate, args[0]); 1047 Handle<Object> receiver(&args[0]);
1048 Handle<Object> raw_holder =
1049 fun_data->GetCompatibleReceiver(isolate, receiver, is_construct);
1048 1050
1049 if (raw_holder->IsNull()) { 1051 if (raw_holder->IsNull()) {
1050 // This function cannot be called with the given receiver. Abort! 1052 // This function cannot be called with the given receiver. Abort!
1051 THROW_NEW_ERROR( 1053 THROW_NEW_ERROR(
1052 isolate, NewTypeError("illegal_invocation", HandleVector(&function, 1)), 1054 isolate, NewTypeError("illegal_invocation", HandleVector(&function, 1)),
1053 Object); 1055 Object);
1054 } 1056 }
1055 1057
1056 Object* raw_call_data = fun_data->call_code(); 1058 Object* raw_call_data = fun_data->call_code();
1057 if (!raw_call_data->IsUndefined()) { 1059 if (!raw_call_data->IsUndefined()) {
1058 // TODO(ishell): remove this debugging code. 1060 // TODO(ishell): remove this debugging code.
1059 CHECK(raw_call_data->IsCallHandlerInfo()); 1061 CHECK(raw_call_data->IsCallHandlerInfo());
1060 CallHandlerInfo* call_data = CallHandlerInfo::cast(raw_call_data); 1062 CallHandlerInfo* call_data = CallHandlerInfo::cast(raw_call_data);
1061 Object* callback_obj = call_data->callback(); 1063 Object* callback_obj = call_data->callback();
1062 v8::FunctionCallback callback = 1064 v8::FunctionCallback callback =
1063 v8::ToCData<v8::FunctionCallback>(callback_obj); 1065 v8::ToCData<v8::FunctionCallback>(callback_obj);
1064 Object* data_obj = call_data->data(); 1066 Object* data_obj = call_data->data();
1065 1067
1066 LOG(isolate, ApiObjectAccess("call", JSObject::cast(*args.receiver()))); 1068 LOG(isolate, ApiObjectAccess("call", JSObject::cast(*args.receiver())));
1067 DCHECK(raw_holder->IsJSObject()); 1069 DCHECK(raw_holder->IsJSObject());
1068 1070
1069 FunctionCallbackArguments custom(isolate, 1071 FunctionCallbackArguments custom(isolate, data_obj, *function, *raw_holder,
1070 data_obj, 1072 &args[0] - 1, args.length() - 1,
1071 *function,
1072 raw_holder,
1073 &args[0] - 1,
1074 args.length() - 1,
1075 is_construct); 1073 is_construct);
1076 1074
1077 v8::Handle<v8::Value> value = custom.Call(callback); 1075 v8::Handle<v8::Value> value = custom.Call(callback);
1078 Handle<Object> result; 1076 Handle<Object> result;
1079 if (value.IsEmpty()) { 1077 if (value.IsEmpty()) {
1080 result = isolate->factory()->undefined_value(); 1078 result = isolate->factory()->undefined_value();
1081 } else { 1079 } else {
1082 result = v8::Utils::OpenHandle(*value); 1080 result = v8::Utils::OpenHandle(*value);
1083 result->VerifyApiCallResultType(); 1081 result->VerifyApiCallResultType();
1084 } 1082 }
1640 } 1638 }
1641 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C) 1639 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C)
1642 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A) 1640 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A)
1643 BUILTIN_LIST_H(DEFINE_BUILTIN_ACCESSOR_H) 1641 BUILTIN_LIST_H(DEFINE_BUILTIN_ACCESSOR_H)
1644 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A) 1642 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A)
1645 #undef DEFINE_BUILTIN_ACCESSOR_C 1643 #undef DEFINE_BUILTIN_ACCESSOR_C
1646 #undef DEFINE_BUILTIN_ACCESSOR_A 1644 #undef DEFINE_BUILTIN_ACCESSOR_A
1647 1645
1648 1646
1649 } } // namespace v8::internal 1647 } } // namespace v8::internal
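Review bot: The comment `// This function cannot be called with the given receiver. Abort!` and the `illegal_invocation` TypeError at new lines 1051-1055 now also cover a receiver that failed the access check introduced by the new `GetCompatibleReceiver(isolate, receiver, is_construct)` call, but neither the comment nor the error distinguishes the two cases. I would extend the comment to `// Receiver is not a compatible instance or failed the access check; abort.` so someone auditing access-check handling can find this path. If GetCompatibleReceiver does not itself report the failure through the isolate's failed-access-check callback, a cross-context call would surface only as a generic TypeError that is indistinguishable from an ordinary type mismatch — worth confirming against the new overload in src/objects.cc. The new `is_construct` argument is undocumented at the call site; a one-line comment on why construct calls are treated differently by the check would help. The enclosing function starts and ends outside this section.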