Side by Side Diff: src/objects.cc

Issue 861773002: Perform access checks on the prototype chain when setting an element through a setter (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Fix Created 5 years, 11 months ago
1 // Copyright 2013 the V8 project authors. All rights reserved. 1 // Copyright 2013 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <sstream> 5 #include <sstream>
6 6
7 #include "src/v8.h" 7 #include "src/v8.h"
8 8
9 #include "src/accessors.h" 9 #include "src/accessors.h"
10 #include "src/allocation-site-scopes.h" 10 #include "src/allocation-site-scopes.h"
(...skipping 2958 matching lines...) Expand 10 before | Expand all | Expand 10 after
2969 return value; 2969 return value;
2970 } 2970 }
2971 2971
2972 2972
2973 MaybeHandle<Object> JSObject::SetElementWithCallbackSetterInPrototypes( 2973 MaybeHandle<Object> JSObject::SetElementWithCallbackSetterInPrototypes(
2974 Handle<JSObject> object, 2974 Handle<JSObject> object,
2975 uint32_t index, 2975 uint32_t index,
2976 Handle<Object> value, 2976 Handle<Object> value,
2977 bool* found, 2977 bool* found,
2978 StrictMode strict_mode) { 2978 StrictMode strict_mode) {
2979 Isolate *isolate = object->GetIsolate(); 2979 Isolate* isolate = object->GetIsolate();
2980 for (PrototypeIterator iter(isolate, object); !iter.IsAtEnd(); 2980 for (PrototypeIterator iter(isolate, object); !iter.IsAtEnd();
2981 iter.Advance()) { 2981 iter.Advance()) {
2982 if (PrototypeIterator::GetCurrent(iter)->IsJSProxy()) { 2982 if (PrototypeIterator::GetCurrent(iter)->IsJSProxy()) {
2983 return JSProxy::SetPropertyViaPrototypesWithHandler( 2983 return JSProxy::SetPropertyViaPrototypesWithHandler(
2984 Handle<JSProxy>::cast(PrototypeIterator::GetCurrent(iter)), object, 2984 Handle<JSProxy>::cast(PrototypeIterator::GetCurrent(iter)), object,
2985 isolate->factory()->Uint32ToString(index), // name 2985 isolate->factory()->Uint32ToString(index), // name
2986 value, strict_mode, found); 2986 value, strict_mode, found);
2987 } 2987 }
2988 Handle<JSObject> js_proto = 2988 Handle<JSObject> js_proto =
2989 Handle<JSObject>::cast(PrototypeIterator::GetCurrent(iter)); 2989 Handle<JSObject>::cast(PrototypeIterator::GetCurrent(iter));
2990
2991 if (js_proto->IsAccessCheckNeeded()) {
2992 if (!isolate->MayIndexedAccess(js_proto, index, v8::ACCESS_SET)) {
2993 *found = true;
2994 isolate->ReportFailedAccessCheck(js_proto, v8::ACCESS_SET);
2995 RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
2996 return MaybeHandle<Object>();
2997 }
2998 }
2999
2990 if (!js_proto->HasDictionaryElements()) { 3000 if (!js_proto->HasDictionaryElements()) {
2991 continue; 3001 continue;
2992 } 3002 }
3003
2993 Handle<SeededNumberDictionary> dictionary(js_proto->element_dictionary()); 3004 Handle<SeededNumberDictionary> dictionary(js_proto->element_dictionary());
2994 int entry = dictionary->FindEntry(index); 3005 int entry = dictionary->FindEntry(index);
2995 if (entry != SeededNumberDictionary::kNotFound) { 3006 if (entry != SeededNumberDictionary::kNotFound) {
2996 PropertyDetails details = dictionary->DetailsAt(entry); 3007 PropertyDetails details = dictionary->DetailsAt(entry);
2997 if (details.type() == ACCESSOR_CONSTANT) { 3008 if (details.type() == ACCESSOR_CONSTANT) {
2998 *found = true; 3009 *found = true;
2999 Handle<Object> structure(dictionary->ValueAt(entry), isolate); 3010 Handle<Object> structure(dictionary->ValueAt(entry), isolate);
3000 return SetElementWithCallback(object, structure, index, value, js_proto, 3011 return SetElementWithCallback(object, structure, index, value, js_proto,
3001 strict_mode); 3012 strict_mode);
3002 } 3013 }
(...skipping 13802 matching lines...) Expand 10 before | Expand all | Expand 10 after
16805 Handle<DependentCode> codes = 16816 Handle<DependentCode> codes =
16806 DependentCode::Insert(handle(cell->dependent_code(), info->isolate()), 16817 DependentCode::Insert(handle(cell->dependent_code(), info->isolate()),
16807 DependentCode::kPropertyCellChangedGroup, 16818 DependentCode::kPropertyCellChangedGroup,
16808 info->object_wrapper()); 16819 info->object_wrapper());
16809 if (*codes != cell->dependent_code()) cell->set_dependent_code(*codes); 16820 if (*codes != cell->dependent_code()) cell->set_dependent_code(*codes);
16810 info->dependencies(DependentCode::kPropertyCellChangedGroup)->Add( 16821 info->dependencies(DependentCode::kPropertyCellChangedGroup)->Add(
16811 cell, info->zone()); 16822 cell, info->zone());
16812 } 16823 }
16813 16824
16814 } } // namespace v8::internal 16825 } } // namespace v8::internal
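Review bot: In the new access-check branch (new lines 2991-2998), `RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION` only returns when `ReportFailedAccessCheck` scheduled an exception, so if that callback can decline to throw the function falls through to `return MaybeHandle<Object>();` with `*found` already true and no pending exception. Callers that treat an empty `MaybeHandle` as "exception pending" would then see an empty result they cannot attribute to any exception; whether `ReportFailedAccessCheck` always throws is not visible in this hunk and should be confirmed. If it does not, either return a defined value on the silent-deny path or document the contract above the branch, e.g. `// Access denied: mark the element as handled so the caller does not fall back to an own-property store; an empty handle is returned only when no exception was scheduled.` The function body continues past the end of this hunk, and the `Isolate *isolate` → `Isolate* isolate` change at new line 2979 is formatting only.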