

deps: V8: cherry-pick e06ace6b5cdb
Original commit message:

    [api] Fix empty Maybe crash in GetRealNamedPropertyAttributes

    `Object::GetRealNamedPropertyAttributes()` can crash if an empty
    `Maybe` is returned by `JSReceiver::GetPropertyAttributes()` because
    it was not checking for that. Fix that.

    Refs: #34606
    Change-Id: Ic83f904ba7134786bcd8f786eb2ce98adb4fea1e
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2335057
    Commit-Queue: Leszek Swirski <leszeks@chromium.org>
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#69258}

Refs: v8/v8@e06ace6

PR-URL: #34673
Fixes: #34606
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
addaleax committed Sep 28, 2020
1 parent 63cd05b commit 4ff6c77
Showing 3 changed files with 50 additions and 6 deletions.
2 changes: 1 addition & 1 deletion common.gypi
Expand Up @@ -34,7 +34,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.43',
'v8_embedder_string': '-node.44',

##### V8 defaults for Node.js #####

12 changes: 7 additions & 5 deletions deps/v8/src/api/api.cc
Expand Up @@ -4701,9 +4701,9 @@ Maybe<PropertyAttribute>
v8::Object::GetRealNamedPropertyAttributesInPrototypeChain(
Local<Context> context, Local<Name> key) {
auto isolate = reinterpret_cast<i::Isolate*>(context->GetIsolate());
ENTER_V8_NO_SCRIPT(isolate, context, Object,
GetRealNamedPropertyAttributesInPrototypeChain,
Nothing<PropertyAttribute>(), i::HandleScope);
ENTER_V8(isolate, context, Object,
GetRealNamedPropertyAttributesInPrototypeChain,
Nothing<PropertyAttribute>(), i::HandleScope);
i::Handle<i::JSReceiver> self = Utils::OpenHandle(this);
if (!self->IsJSObject()) return Nothing<PropertyAttribute>();
i::Handle<i::Name> key_obj = Utils::OpenHandle(*key);
Expand All @@ -4716,6 +4716,7 @@ v8::Object::GetRealNamedPropertyAttributesInPrototypeChain(
i::LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
Maybe<i::PropertyAttributes> result =
i::JSReceiver::GetPropertyAttributes(&it);
has_pending_exception = result.IsNothing();
RETURN_ON_FAILED_EXECUTION_PRIMITIVE(PropertyAttribute);
if (!it.IsFound()) return Nothing<PropertyAttribute>();
if (result.FromJust() == i::ABSENT) return Just(None);
Expand All @@ -4740,14 +4741,15 @@ MaybeLocal<Value> v8::Object::GetRealNamedProperty(Local<Context> context,
Maybe<PropertyAttribute> v8::Object::GetRealNamedPropertyAttributes(
Local<Context> context, Local<Name> key) {
auto isolate = reinterpret_cast<i::Isolate*>(context->GetIsolate());
ENTER_V8_NO_SCRIPT(isolate, context, Object, GetRealNamedPropertyAttributes,
Nothing<PropertyAttribute>(), i::HandleScope);
ENTER_V8(isolate, context, Object, GetRealNamedPropertyAttributes,
Nothing<PropertyAttribute>(), i::HandleScope);
auto self = Utils::OpenHandle(this);
auto key_obj = Utils::OpenHandle(*key);
i::LookupIterator it = i::LookupIterator::PropertyOrElement(
isolate, self, key_obj, self,
i::LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
auto result = i::JSReceiver::GetPropertyAttributes(&it);
has_pending_exception = result.IsNothing();
RETURN_ON_FAILED_EXECUTION_PRIMITIVE(PropertyAttribute);
if (!it.IsFound()) return Nothing<PropertyAttribute>();
if (result.FromJust() == i::ABSENT) {
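Review bot: The switch from ENTER_V8_NO_SCRIPT to ENTER_V8 on the `ENTER_V8(isolate, context, Object, GetRealNamedPropertyAttributes,` line (and the matching change in GetRealNamedPropertyAttributesInPrototypeChain in the hunk above) is not mentioned in the commit message, and nothing in the code says why the no-script scope became wrong. Presumably the lookup can re-enter user JavaScript — the new cctest throws from a Proxy `getOwnPropertyDescriptor` trap — so the scope must permit script and surface the pending exception that `has_pending_exception = result.IsNothing();` now records before `RETURN_ON_FAILED_EXECUTION_PRIMITIVE`. A one-line comment above the macro, `// Property lookup may run user script (e.g. Proxy traps), so a NO_SCRIPT scope is incorrect here.`, would keep a later reader from reverting it to the NO_SCRIPT form. The body of GetRealNamedPropertyAttributes continues past the end of the hunk.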
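--- a/deps/v8/test/cctest/test-api.cc
+++ b/deps/v8/test/cctest/test-api.cc
@@ -12011,6 +12011,48 @@ THREADED_TEST(VariousGetPropertiesAndThrowingCallbacks) {
 CHECK(result.IsEmpty());
 }
 
+THREADED_TEST(GetRealNamedPropertyAttributes_With_Proxy) {
+LocalContext context;
+HandleScope scope(context->GetIsolate());
+
+{
+Local<Object> proxy =
+CompileRun(
+"new Proxy({ p: 1 }, { getOwnPropertyDescriptor: _ => { "
+" throw new Error('xyz'); } });")
+.As<Object>();
+TryCatch try_catch(context->GetIsolate());
+v8::Maybe<v8::PropertyAttribute> result =
+proxy->GetRealNamedPropertyAttributes(context.local(), v8_str("p"));
+CHECK(result.IsNothing());
+CHECK(try_catch.HasCaught());
+CHECK(try_catch.Exception()
+.As<Object>()
+->Get(context.local(), v8_str("message"))
+.ToLocalChecked()
+->StrictEquals(v8_str("xyz")));
+}
+
+{
+Local<Object> proxy =
+CompileRun(
+"Object.create("
+" new Proxy({ p: 1 }, { getOwnPropertyDescriptor: _ => { "
+" throw new Error('abc'); } }))")
+.As<Object>();
+TryCatch try_catch(context->GetIsolate());
+v8::Maybe<v8::PropertyAttribute> result =
+proxy->GetRealNamedPropertyAttributesInPrototypeChain(context.local(),
+v8_str("p"));
+CHECK(result.IsNothing());
+CHECK(try_catch.HasCaught());
+CHECK(try_catch.Exception()
+.As<Object>()
+->Get(context.local(), v8_str("message"))
+.ToLocalChecked()
+->StrictEquals(v8_str("abc")));
+}
+}
+
 static void ThrowingCallbackWithTryCatch(
 const v8::FunctionCallbackInfo<v8::Value>& args) {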
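Review bot: Both cases in GetRealNamedPropertyAttributes_With_Proxy exercise only traps that throw, so the non-throwing Proxy path under the relaxed ENTER_V8 scope in api.cc is not covered by this test. A third block whose `getOwnPropertyDescriptor` trap returns a descriptor, followed by `CHECK(result.IsJust());` and `CHECK(!try_catch.HasCaught());`, would pin that the rewritten functions still return a value when no exception is pending. The two blocks also duplicate the exception-message check; a small helper taking the expected message string would shorten them, though that is style only.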
