Make FunctionTemplate::HasInstance checks work with remote contexts.

src/api.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/api.h"
 
 #include <string.h>  // For memcpy, strlen.
 #ifdef V8_USE_ADDRESS_SANITIZER
 #include <sanitizer/asan_interface.h>
 #endif  // V8_USE_ADDRESS_SANITIZER
@@ skipping 4454 matching lines @@
   RETURN_ON_FAILED_EXECUTION_PRIMITIVE(bool);
   return Just(true);
 }
 
 
 bool v8::Object::SetPrototype(Local<Value> value) {
   auto context = ContextFromHeapObject(Utils::OpenHandle(this));
   return SetPrototype(context, value).FromMaybe(false);
 }
 
+static bool HasInstanceInGlobalProxy(i::JSGlobalProxy* global_proxy,
+                                     i::FunctionTemplateInfo* target_template) {
+  auto* constructor_object = global_proxy->map()->GetConstructor();
+  if (!constructor_object->IsJSFunction()) return false;
+
+  auto* constructor = i::JSFunction::cast(constructor_object);
+  if (!constructor->shared()->function_data()->IsFunctionTemplateInfo())
+    return false;
+
+  auto* proxy_constructor_template =
+      i::FunctionTemplateInfo::cast(constructor->shared()->function_data());
+  if (!proxy_constructor_template->prototype_template()->IsObjectTemplateInfo())
+    return false;
+
+  auto* global_template = i::ObjectTemplateInfo::cast(
+      proxy_constructor_template->prototype_template());
+  // Iterate through the chain of inheriting function templates to
+  // see if the required one occurs.
+  for (i::Object* type = global_template->constructor();
+       type->IsFunctionTemplateInfo();
+       type = i::FunctionTemplateInfo::cast(type)->parent_template()) {
+    if (type == target_template) return true;
+  }
+  // Didn't find the required type in the inheritance chain.
+  return false;
+}
 
 Local<Object> v8::Object::FindInstanceInPrototypeChain(
     v8::Local<FunctionTemplate> tmpl) {
-  auto isolate = Utils::OpenHandle(this)->GetIsolate();
-  i::PrototypeIterator iter(isolate, *Utils::OpenHandle(this),
-                            i::kStartAtReceiver);
+  auto self = Utils::OpenHandle(this);
+  auto isolate = self->GetIsolate();
+  i::PrototypeIterator iter(isolate, *self, i::kStartAtReceiver);
   auto tmpl_info = *Utils::OpenHandle(*tmpl);
   while (!tmpl_info->IsTemplateFor(iter.GetCurrent<i::JSObject>())) {
     iter.Advance();
-    if (iter.IsAtEnd()) return Local<Object>();
+    if (iter.IsAtEnd()) {
+      // Normally, a standard prototype walk is sufficient; however, global
+      // proxies aren't directly constructed with the supplied template.
+      // Normally, this is not a problem, because the prototype chain includes
+      // the global object; however, a remote context has no global object.
+      if (self->IsJSGlobalProxy() &&
+          HasInstanceInGlobalProxy(i::JSGlobalProxy::cast(*self), tmpl_info))
+        return Utils::ToLocal(self);
+      return Local<Object>();
+    }
     if (!iter.GetCurrent()->IsJSObject()) return Local<Object>();
   }
   // IsTemplateFor() ensures that iter.GetCurrent() can't be a Proxy here.
   return Utils::ToLocal(i::handle(iter.GetCurrent<i::JSObject>(), isolate));
 }
 
 MaybeLocal<Array> v8::Object::GetPropertyNames(Local<Context> context) {
   return GetPropertyNames(
       context, v8::KeyCollectionMode::kIncludePrototypes,
       static_cast<v8::PropertyFilter>(ONLY_ENUMERABLE | SKIP_SYMBOLS),
@@ skipping 2047 matching lines @@
   return Utils::ToLocal(scope.CloseAndEscape(object));
 }
 
 bool FunctionTemplate::HasInstance(v8::Local<v8::Value> value) {
   auto self = Utils::OpenHandle(this);
   auto obj = Utils::OpenHandle(*value);
   if (obj->IsJSObject() && self->IsTemplateFor(i::JSObject::cast(*obj))) {
     return true;
   }
   if (obj->IsJSGlobalProxy()) {
-    // If it's a global proxy object, then test with the global object.
-    i::PrototypeIterator iter(i::JSObject::cast(*obj)->map());
-    if (iter.IsAtEnd()) return false;
-    return self->IsTemplateFor(iter.GetCurrent<i::JSGlobalObject>());
+    auto* global_proxy = i::JSGlobalProxy::cast(*obj);
+    // For global proxies, check the constructor's prototype instead. Remote
+    // global proxies have no global object to perform instance checks on, but
+    // the constructor's prototype's constructor corresponds to the original
+    // template used to create the context.
+    return HasInstanceInGlobalProxy(global_proxy, *self);
   }
   return false;
 }
 
 
 Local<External> v8::External::New(Isolate* isolate, void* value) {
   STATIC_ASSERT(sizeof(value) == sizeof(i::Address));
   i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
   LOG_API(i_isolate, External, New);
   ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
@@ skipping 3603 matching lines @@
   Address callback_address =
       reinterpret_cast<Address>(reinterpret_cast<intptr_t>(callback));
   VMState<EXTERNAL> state(isolate);
   ExternalCallbackScope call_scope(isolate, callback_address);
   callback(info);
 }
 
 
 }  // namespace internal
 }  // namespace v8