src/prototype.h - Issue 1542583003: [proxies] Limit recursive proxy prototype lookups to 100'000

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/prototype.h

Issue 1542583003: [proxies] Limit recursive proxy prototype lookups to 100'000 (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: adding constant and test Created 5 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/prototype.h

diff --git a/src/prototype.h b/src/prototype.h

index ea3495569ee9b6be0364137fe59859f726323edb..ad3d59d7770d98bc0a293afbb37e46a546f56f8b 100644

--- a/src/prototype.h

+++ b/src/prototype.h

@@ -28,12 +28,15 @@ class PrototypeIterator {

enum WhereToEnd { END_AT_NULL, END_AT_NON_HIDDEN };

+ const int kProxyPrototypeLimit = 100 * 1000;

PrototypeIterator(Isolate* isolate, Handle<Object> receiver,

WhereToStart where_to_start = START_AT_PROTOTYPE)

: did_jump_to_prototype_chain_(false),

object_(NULL),

handle_(receiver),

- isolate_(isolate) {

+ isolate_(isolate),

+ seen_proxies_(0) {

CHECK(!handle_.is_null());

if (where_to_start == START_AT_PROTOTYPE) {

Advance();

@@ -44,7 +47,8 @@ class PrototypeIterator {

WhereToStart where_to_start = START_AT_PROTOTYPE)

: did_jump_to_prototype_chain_(false),

object_(receiver),

- isolate_(isolate) {

+ isolate_(isolate),

+ seen_proxies_(0) {

if (where_to_start == START_AT_PROTOTYPE) {

Advance();

}

@@ -127,14 +131,22 @@ class PrototypeIterator {

handle_ = isolate_->factory()->null_value();

return true;

}

- if (!handle_.is_null() && handle_->IsJSProxy()) {

- did_jump_to_prototype_chain_ = true;

- MaybeHandle<Object> proto =

- JSProxy::GetPrototype(Handle<JSProxy>::cast(handle_));

- return proto.ToHandle(&handle_);

+ if (handle_.is_null() || !handle_->IsJSProxy()) {

+ AdvanceIgnoringProxies();

+ return true;

}

- AdvanceIgnoringProxies();

- return true;

+ // Due to possible __proto__ recursion limit the number of Proxies

+ // we visit to an arbitrarily chosen large number.

+ seen_proxies_++;

+ if (seen_proxies_ > kProxyPrototypeLimit) {

+ isolate_->Throw(

+ *isolate_->factory()->NewRangeError(MessageTemplate::kStackOverflow));

+ return false;

+ }

+ did_jump_to_prototype_chain_ = true;

+ MaybeHandle<Object> proto =

+ JSProxy::GetPrototype(Handle<JSProxy>::cast(handle_));

+ return proto.ToHandle(&handle_);

}

bool IsAtEnd(WhereToEnd where_to_end = END_AT_NULL) const {

@@ -166,6 +178,7 @@ class PrototypeIterator {

Object* object_;

Handle<Object> handle_;

Isolate* isolate_;

+ int seen_proxies_;

DISALLOW_COPY_AND_ASSIGN(PrototypeIterator);

};

« no previous file with comments | « no previous file | test/mjsunit/es6/instanceof-proxies.js » ('j') | no next file with comments »