Pass in the original receiver to avoid use-after-return issues

src/builtins.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/builtins.h"
 
 #include "src/api-arguments.h"
 #include "src/api-natives.h"
 #include "src/api.h"
 #include "src/base/ieee754.h"
@@ skipping 5130 matching lines @@
     JSObject* current = iter.GetCurrent<JSObject>();
     if (signature->IsTemplateFor(current)) return current;
   }
   return nullptr;
 }
 
 template <bool is_construct>
 MUST_USE_RESULT MaybeHandle<Object> HandleApiCallHelper(
     Isolate* isolate, Handle<HeapObject> function,
     Handle<HeapObject> new_target, Handle<FunctionTemplateInfo> fun_data,
-    BuiltinArguments args) {
-  Handle<JSObject> receiver;
+    Handle<Object> receiver, BuiltinArguments args) {
+  Handle<JSObject> js_receiver;
   JSObject* raw_holder;
   if (is_construct) {
     DCHECK(args.receiver()->IsTheHole(isolate));
     if (fun_data->instance_template()->IsUndefined(isolate)) {
       v8::Local<ObjectTemplate> templ =
           ObjectTemplate::New(reinterpret_cast<v8::Isolate*>(isolate),
                               ToApiHandle<v8::FunctionTemplate>(fun_data));
       fun_data->set_instance_template(*Utils::OpenHandle(*templ));
     }
     Handle<ObjectTemplateInfo> instance_template(
         ObjectTemplateInfo::cast(fun_data->instance_template()), isolate);
     ASSIGN_RETURN_ON_EXCEPTION(
-        isolate, receiver,
+        isolate, js_receiver,
         ApiNatives::InstantiateObject(instance_template,
                                       Handle<JSReceiver>::cast(new_target)),
         Object);
-    args[0] = *receiver;
-    DCHECK_EQ(*receiver, *args.receiver());
+    args[0] = *js_receiver;
+    DCHECK_EQ(*js_receiver, *args.receiver());
 
-    raw_holder = *receiver;
+    raw_holder = *js_receiver;
   } else {
-    DCHECK(args.receiver()->IsJSReceiver());
+    DCHECK(receiver->IsJSReceiver());
 
-    Handle<JSReceiver> object = args.at<JSReceiver>(0);
-    if (!object->IsJSObject()) {
+    if (!receiver->IsJSObject()) {
       // This function cannot be called with the given receiver.  Abort!
       THROW_NEW_ERROR(
           isolate, NewTypeError(MessageTemplate::kIllegalInvocation), Object);
     }
 
-    receiver = Handle<JSObject>::cast(object);
+    js_receiver = Handle<JSObject>::cast(receiver);
 
-    if (!fun_data->accept_any_receiver() && receiver->IsAccessCheckNeeded() &&
-        !isolate->MayAccess(handle(isolate->context()), receiver)) {
-      isolate->ReportFailedAccessCheck(receiver);
+    if (!fun_data->accept_any_receiver() &&
+        js_receiver->IsAccessCheckNeeded() &&
+        !isolate->MayAccess(handle(isolate->context()), js_receiver)) {
+      isolate->ReportFailedAccessCheck(js_receiver);
       RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
     }
 
-    raw_holder = GetCompatibleReceiver(isolate, *fun_data, *receiver);
+    raw_holder = GetCompatibleReceiver(isolate, *fun_data, *js_receiver);
 
     if (raw_holder == nullptr) {
       // This function cannot be called with the given receiver.  Abort!
       THROW_NEW_ERROR(
           isolate, NewTypeError(MessageTemplate::kIllegalInvocation), Object);
     }
   }
 
   Object* raw_call_data = fun_data->call_code();
   if (!raw_call_data->IsUndefined(isolate)) {
     DCHECK(raw_call_data->IsCallHandlerInfo());
     CallHandlerInfo* call_data = CallHandlerInfo::cast(raw_call_data);
     Object* callback_obj = call_data->callback();
     v8::FunctionCallback callback =
         v8::ToCData<v8::FunctionCallback>(callback_obj);
     Object* data_obj = call_data->data();
 
-    LOG(isolate, ApiObjectAccess("call", JSObject::cast(*args.receiver())));
+    LOG(isolate, ApiObjectAccess("call", JSObject::cast(*js_receiver)));
 
     FunctionCallbackArguments custom(isolate, data_obj, *function, raw_holder,
                                      *new_target, &args[0] - 1,
                                      args.length() - 1);
 
     Handle<Object> result = custom.Call(callback);
 
     RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
     if (result.is_null()) {
-      if (is_construct) return receiver;
+      if (is_construct) return js_receiver;
       return isolate->factory()->undefined_value();
     }
     // Rebox the result.
     result->VerifyApiCallResultType();
     if (!is_construct || result->IsJSObject()) return handle(*result, isolate);
   }
 
-  return receiver;
+  return js_receiver;
 }
 
 }  // namespace
 
 
 BUILTIN(HandleApiCall) {
   HandleScope scope(isolate);
   Handle<JSFunction> function = args.target<JSFunction>();
+  Handle<Object> receiver = args.receiver();
   Handle<HeapObject> new_target = args.new_target();
   Handle<FunctionTemplateInfo> fun_data(function->shared()->get_api_func_data(),
                                         isolate);
   if (new_target->IsJSReceiver()) {
     RETURN_RESULT_OR_FAILURE(
         isolate, HandleApiCallHelper<true>(isolate, function, new_target,
-                                           fun_data, args));
+                                           fun_data, receiver, args));
   } else {
     RETURN_RESULT_OR_FAILURE(
         isolate, HandleApiCallHelper<false>(isolate, function, new_target,
-                                            fun_data, args));
+                                            fun_data, receiver, args));
   }
 }
 
 
 Handle<Code> Builtins::CallFunction(ConvertReceiverMode mode,
                                     TailCallMode tail_call_mode) {
   switch (tail_call_mode) {
     case TailCallMode::kDisallow:
       switch (mode) {
         case ConvertReceiverMode::kNullOrUndefined:
@@ skipping 125 matching lines @@
   argv[argc + 2] = *receiver;
   for (int i = 0; i < argc; ++i) {
     argv[argc - i + 1] = *args[i];
   }
   argv[1] = *function;
   argv[0] = *new_target;
   MaybeHandle<Object> result;
   {
     RelocatableArguments arguments(isolate, argc + 3, &argv[argc] + 2);
     result = HandleApiCallHelper<false>(isolate, function, new_target, fun_data,
-                                        arguments);
+                                        receiver, arguments);
   }
   if (argv != small_argv) delete[] argv;
   return result;
 }
 
 
 // Helper function to handle calls to non-function objects created through the
 // API. The object can be called as either a constructor (using new) or just as
 // a function (without new).
 MUST_USE_RESULT static Object* HandleApiCallAsFunctionOrConstructor(
@@ skipping 737 matching lines @@
 BUILTIN_LIST_H(DEFINE_BUILTIN_ACCESSOR_H)
 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A)
 #undef DEFINE_BUILTIN_ACCESSOR_C
 #undef DEFINE_BUILTIN_ACCESSOR_A
 #undef DEFINE_BUILTIN_ACCESSOR_T
 #undef DEFINE_BUILTIN_ACCESSOR_S
 #undef DEFINE_BUILTIN_ACCESSOR_H
 
 }  // namespace internal
 }  // namespace v8