LookupIterator should find private symbols on JSProxies

src/lookup.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/lookup.h"
 
 #include "src/bootstrapper.h"
 #include "src/deoptimizer.h"
 #include "src/elements.h"
 #include "src/isolate-inl.h"
@@ skipping 252 matching lines @@
   Handle<JSObject> receiver = GetStoreTarget();
   if (receiver->IsJSGlobalObject()) return;
   holder_ = receiver;
   holder_map_ = transition_map();
   JSObject::MigrateToMap(receiver, holder_map_);
   ReloadPropertyInformation();
 }
 
 
 void LookupIterator::Delete() {
-  Handle<JSObject> holder = Handle<JSObject>::cast(holder_);
+  Handle<JSReceiver> holder = Handle<JSReceiver>::cast(holder_);
   if (IsElement()) {
-    ElementsAccessor* accessor = holder->GetElementsAccessor();
-    accessor->Delete(holder, number_);
+    Handle<JSObject> object = Handle<JSObject>::cast(holder);
+    ElementsAccessor* accessor = object->GetElementsAccessor();
+    accessor->Delete(object, number_);
   } else {
     PropertyNormalizationMode mode = holder->map()->is_prototype_map()
                                          ? KEEP_INOBJECT_PROPERTIES
                                          : CLEAR_INOBJECT_PROPERTIES;
 
     if (holder->HasFastProperties()) {
-      JSObject::NormalizeProperties(holder, mode, 0, "DeletingProperty");
+      JSObject::NormalizeProperties(Handle<JSObject>::cast(holder), mode, 0,
+                                    "DeletingProperty");
       holder_map_ = handle(holder->map(), isolate_);
       ReloadPropertyInformation();
     }
     // TODO(verwaest): Get rid of the name_ argument.
-    JSObject::DeleteNormalizedProperty(holder, name_, number_);
-    JSObject::ReoptimizeIfPrototype(holder);
+    JSReceiver::DeleteNormalizedProperty(holder, name_, number_);
+    if (holder->IsJSObject()) {
+      JSObject::ReoptimizeIfPrototype(Handle<JSObject>::cast(holder));
+    }
   }
 }
 
 
 void LookupIterator::TransitionToAccessorProperty(
     AccessorComponent component, Handle<Object> accessor,
     PropertyAttributes attributes) {
   DCHECK(!accessor->IsNull());
   // Can only be called when the receiver is a JSObject. JSProxy has to be
   // handled via a trap. Adding properties to primitive values is not
@@ skipping 106 matching lines @@
     if (iter.GetCurrent<JSReceiver>() == holder) return true;
     DCHECK(!current->IsJSProxy());
     iter.Advance();
   } while (!iter.IsAtEnd(PrototypeIterator::END_AT_NON_HIDDEN));
   return false;
 }
 
 
 Handle<Object> LookupIterator::FetchValue() const {
   Object* result = NULL;
-  Handle<JSObject> holder = GetHolder<JSObject>();
   if (IsElement()) {
+    Handle<JSObject> holder = GetHolder<JSObject>();
     // TODO(verwaest): Optimize.
     if (holder->IsStringObjectWithCharacterAt(index_)) {
       Handle<JSValue> js_value = Handle<JSValue>::cast(holder);
       Handle<String> string(String::cast(js_value->value()));
       return factory()->LookupSingleCharacterStringFromCode(
           String::Flatten(string)->Get(index_));
     }
 
     ElementsAccessor* accessor = holder->GetElementsAccessor();
     return accessor->Get(handle(holder->elements()), number_);
   } else if (holder_map_->IsJSGlobalObjectMap()) {
+    Handle<JSObject> holder = GetHolder<JSObject>();
     result = holder->global_dictionary()->ValueAt(number_);
     DCHECK(result->IsPropertyCell());
     result = PropertyCell::cast(result)->value();
   } else if (holder_map_->is_dictionary_map()) {
-    result = holder->property_dictionary()->ValueAt(number_);
+    result = holder_->property_dictionary()->ValueAt(number_);
   } else if (property_details_.type() == v8::internal::DATA) {
+    Handle<JSObject> holder = GetHolder<JSObject>();
     FieldIndex field_index = FieldIndex::ForDescriptor(*holder_map_, number_);
     return JSObject::FastPropertyAt(holder, property_details_.representation(),
                                     field_index);
   } else {
     result = holder_map_->instance_descriptors()->GetValue(number_);
   }
   return handle(result, isolate_);
 }
 
 
@@ skipping 54 matching lines @@
 
 Handle<Object> LookupIterator::GetDataValue() const {
   DCHECK_EQ(DATA, state_);
   Handle<Object> value = FetchValue();
   return value;
 }
 
 
 void LookupIterator::WriteDataValue(Handle<Object> value) {
   DCHECK_EQ(DATA, state_);
-  Handle<JSObject> holder = GetHolder<JSObject>();
+  Handle<JSReceiver> holder = GetHolder<JSReceiver>();
   if (IsElement()) {
-    ElementsAccessor* accessor = holder->GetElementsAccessor();
-    accessor->Set(holder->elements(), number_, *value);
+    Handle<JSObject> object = Handle<JSObject>::cast(holder);
+    ElementsAccessor* accessor = object->GetElementsAccessor();
+    accessor->Set(object->elements(), number_, *value);
   } else if (holder->IsJSGlobalObject()) {
     Handle<GlobalDictionary> property_dictionary =
-        handle(holder->global_dictionary());
+        handle(JSObject::cast(*holder)->global_dictionary());
     PropertyCell::UpdateCell(property_dictionary, dictionary_entry(), value,
                              property_details_);
   } else if (holder_map_->is_dictionary_map()) {
     NameDictionary* property_dictionary = holder->property_dictionary();
     property_dictionary->ValueAtPut(dictionary_entry(), *value);
   } else if (property_details_.type() == v8::internal::DATA) {
-    holder->WriteToField(descriptor_number(), *value);
+    JSObject::cast(*holder)->WriteToField(descriptor_number(), *value);
   } else {
     DCHECK_EQ(v8::internal::DATA_CONSTANT, property_details_.type());
   }
 }
 
 
 bool LookupIterator::IsIntegerIndexedExotic(JSReceiver* holder) {
   DCHECK(exotic_index_state_ != ExoticIndexState::kNotExotic);
   if (exotic_index_state_ == ExoticIndexState::kExotic) return true;
   if (!InternalHolderIsReceiverOrHiddenPrototype()) {
@@ skipping 71 matching lines @@
                                                      JSReceiver* const holder) {
   STATIC_ASSERT(INTERCEPTOR == BEFORE_PROPERTY);
   DisallowHeapAllocation no_gc;
   if (interceptor_state_ == InterceptorState::kProcessNonMasking) {
     return LookupNonMaskingInterceptorInHolder(map, holder);
   }
   switch (state_) {
     case NOT_FOUND:
       if (map->IsJSProxyMap()) {
         // Do not leak private property names.
-        if (!name_.is_null() && name_->IsPrivate()) return NOT_FOUND;
-        return JSPROXY;
+        if (IsElement() || !name_->IsPrivate()) return JSPROXY;
       }
       if (map->is_access_check_needed() &&
           (IsElement() || !isolate_->IsInternallyUsedPropertyName(name_))) {
         return ACCESS_CHECK;
       }
     // Fall through.
     case ACCESS_CHECK:
       if (exotic_index_state_ != ExoticIndexState::kNotExotic &&
           holder->IsJSTypedArray() && IsIntegerIndexedExotic(holder)) {
         return INTEGER_INDEXED_EXOTIC;
@@ skipping 35 matching lines @@
       } else if (map->IsJSGlobalObjectMap()) {
         GlobalDictionary* dict = JSObject::cast(holder)->global_dictionary();
         int number = dict->FindEntry(name_);
         if (number == GlobalDictionary::kNotFound) return NOT_FOUND;
         number_ = static_cast<uint32_t>(number);
         DCHECK(dict->ValueAt(number_)->IsPropertyCell());
         PropertyCell* cell = PropertyCell::cast(dict->ValueAt(number_));
         if (cell->value()->IsTheHole()) return NOT_FOUND;
         property_details_ = cell->property_details();
       } else {
-        NameDictionary* dict = JSObject::cast(holder)->property_dictionary();
+        NameDictionary* dict = holder->property_dictionary();
         int number = dict->FindEntry(name_);
         if (number == NameDictionary::kNotFound) return NOT_FOUND;
         number_ = static_cast<uint32_t>(number);
         property_details_ = dict->DetailsAt(number_);
       }
       has_property_ = true;
       switch (property_details_.kind()) {
         case v8::internal::kData:
           return DATA;
         case v8::internal::kAccessor:
@@ skipping 23 matching lines @@
     // Fall through.
     default:
       return NOT_FOUND;
   }
   UNREACHABLE();
   return state_;
 }
 
 }  // namespace internal
 }  // namespace v8