
Unified Diff: src/objects.cc

Issue 1492923002: [proxies] do not leak private symbols to proxy traps (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: More tests + cleanup fix Created 5 years ago
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index 3f028c62824a35653bdc4ef03b265f6eedd4413e..8bc0a63da210d1894156de0fab05a64cbb7ec391 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -723,6 +723,9 @@ MaybeHandle<Object> JSProxy::GetProperty(Isolate* isolate,
Handle<Name> name,
Handle<Object> receiver,
LanguageMode language_mode) {
+ // Do not delegate to trap for internal slots
+ if (name->IsPrivate()) return isolate->factory()->undefined_value();
+
Handle<Name> trap_name = isolate->factory()->get_string();
// 1. Assert: IsPropertyKey(P) is true.
// 2. Let handler be the value of the [[ProxyHandler]] internal slot of O.
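Review bot: The guard `if (name->IsPrivate()) return ...` is copied by hand into six JSProxy entry points (here and in HasProperty, SetProperty, DeletePropertyOrElement, DefineOwnProperty and GetOwnPropertyDescriptor), and its comment calls private symbols "internal slots" without saying what is being protected. This is a security boundary: a handler must never receive a private symbol as a trap argument, so any trap-invoking path that lacks the copy reopens the leak. This diff does not show whether the remaining JSProxy methods that call traps are covered, so that is worth confirming. I would reword the comment to `// Private symbols must never be passed to a user-defined trap; treat them as absent on proxies.` and consider one shared predicate so the check cannot drift between call sites. GetProperty's body continues past the end of this hunk.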
@@ -733,6 +736,7 @@ MaybeHandle<Object> JSProxy::GetProperty(Isolate* isolate,
NewTypeError(MessageTemplate::kProxyRevoked, trap_name),
Object);
}
+
// 4. Assert: Type(handler) is Object.
DCHECK(handler->IsJSReceiver());
DCHECK(proxy->target()->IsJSReceiver());
@@ -4574,6 +4578,9 @@ Handle<Map> JSObject::GetElementsTransitionMap(Handle<JSObject> object,
Maybe<bool> JSProxy::HasProperty(Isolate* isolate, Handle<JSProxy> proxy,
Handle<Name> name) {
+ // Do not delegate to trap for internal slots
+ if (name->IsPrivate()) return Just(false);
+
// 1. (Assert)
// 2. Let handler be the value of the [[ProxyHandler]] internal slot of O.
Handle<Object> handler(proxy->handler(), isolate);
@@ -4583,6 +4590,7 @@ Maybe<bool> JSProxy::HasProperty(Isolate* isolate, Handle<JSProxy> proxy,
MessageTemplate::kProxyRevoked, isolate->factory()->has_string()));
return Nothing<bool>();
}
+
// 4. Assert: Type(handler) is Object.
DCHECK(handler->IsJSReceiver());
DCHECK(proxy->target()->IsJSReceiver());
@@ -4641,6 +4649,9 @@ Maybe<bool> JSProxy::HasProperty(Isolate* isolate, Handle<JSProxy> proxy,
Maybe<bool> JSProxy::SetProperty(Handle<JSProxy> proxy, Handle<Name> name,
Handle<Object> value, Handle<Object> receiver,
LanguageMode language_mode) {
+ // Do not delegate to trap for internal slots
+ if (name->IsPrivate()) return Just(false);
+
Isolate* isolate = proxy->GetIsolate();
Factory* factory = isolate->factory();
Handle<String> trap_name = factory->set_string();
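Review bot: The early `return Just(false)` for a private name never looks at `language_mode`, so a strict-mode store of a private symbol on a proxy is dropped without a TypeError. The revoked-handler branches of GetProperty and HasProperty in this diff throw before reporting failure, so callers may expect an exception to be pending when a strict-mode set fails; whether any caller relies on that is not visible here. Consider moving the guard below `Isolate* isolate = proxy->GetIsolate();` and throwing when `!is_sloppy(language_mode)`, or say in the comment that the silent drop is intended. The function body continues outside the hunk.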
@@ -4703,6 +4714,9 @@ Maybe<bool> JSProxy::SetProperty(Handle<JSProxy> proxy, Handle<Name> name,
Maybe<bool> JSProxy::DeletePropertyOrElement(Handle<JSProxy> proxy,
Handle<Name> name,
LanguageMode language_mode) {
+ // Do not delegate to trap for internal slots
+ if (name->IsPrivate()) return Just(true);
+
ShouldThrow should_throw =
is_sloppy(language_mode) ? DONT_THROW : THROW_ON_ERROR;
Isolate* isolate = proxy->GetIsolate();
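Review bot: This guard returns `Just(true)` while the sibling guards in HasProperty and SetProperty return `Just(false)`, and the comment does not explain why a delete reports success. Presumably it mirrors deleting a property that does not exist, but the caller is told the private symbol is gone without the target ever being consulted. A comment such as `// Private symbols are never visible through a proxy, so there is nothing to delete: report success.` would make the choice explicit, if that is the intended invariant. The function body continues outside the hunk.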
@@ -6806,6 +6820,9 @@ bool JSArray::ArraySetLength(Isolate* isolate, Handle<JSArray> a,
bool JSProxy::DefineOwnProperty(Isolate* isolate, Handle<JSProxy> proxy,
Handle<Object> key, PropertyDescriptor* desc,
ShouldThrow should_throw) {
+ // Do not delegate to trap for internal slots
+ if (key->IsSymbol() && Symbol::cast(*key)->is_private()) return false;
+
Handle<String> trap_name = isolate->factory()->defineProperty_string();
// 1. Assert: IsPropertyKey(P) is true.
DCHECK(key->IsName() || key->IsNumber());
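Review bot: The added `return false` ignores `should_throw`, so a caller that passed THROW_ON_ERROR gets a failure with no pending exception. The revoked-handler branch shown in the next hunk throws before its own `return false`, which suggests callers may treat false as "exception pending" in that mode; this is inferred from the visible lines only. I would either throw a TypeError when `should_throw == THROW_ON_ERROR` or document on the guard that false here means "rejected, nothing thrown". The function body continues outside the hunk.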
@@ -6817,6 +6834,7 @@ bool JSProxy::DefineOwnProperty(Isolate* isolate, Handle<JSProxy> proxy,
MessageTemplate::kProxyRevoked, trap_name));
return false;
}
+
// 4. Assert: Type(handler) is Object.
DCHECK(handler->IsJSReceiver());
// If the handler is not null, the target can't be null either.
@@ -6990,6 +7008,9 @@ bool JSReceiver::GetOwnPropertyDescriptor(LookupIterator* it,
bool JSProxy::GetOwnPropertyDescriptor(Isolate* isolate, Handle<JSProxy> proxy,
Handle<Name> name,
PropertyDescriptor* desc) {
+ // Do not delegate to trap for internal slots
+ if (name->IsPrivate()) return false;
+
Handle<String> trap_name =
isolate->factory()->getOwnPropertyDescriptor_string();
// 1. (Assert)
