Author: l...@chromium.org Date: Tue Mar 10 05:28:34 2009 New Revision: 1476
Added: branches/bleeding_edge/test/mjsunit/regress/regress-267.js Modified: branches/bleeding_edge/src/ast.h branches/bleeding_edge/src/codegen-arm.cc branches/bleeding_edge/src/codegen-ia32.cc branches/bleeding_edge/src/scopes.cc Log: Issue 267: Calls to arguments in eval-tainted function scope uses global object as receiver.
Modified: branches/bleeding_edge/src/ast.h ==============================================================================
--- branches/bleeding_edge/src/ast.h (original)
+++ branches/bleeding_edge/src/ast.h Tue Mar 10 05:28:34 2009
@@ -887,8 +887,13 @@
 class Property: public Expression {
 public:
- Property(Expression* obj, Expression* key, int pos)
- : obj_(obj), key_(key), pos_(pos) { }
+ // Synthetic properties are property lookups introduced by the system,
+ // to objects that aren't visible to the user. Function calls to synthetic
+ // properties should use the global object as receiver, not the base object
+ // of the resolved Reference.
+ enum Type { NORMAL, SYNTHETIC };
+ Property(Expression* obj, Expression* key, int pos, Type type = NORMAL)
+ : obj_(obj), key_(key), pos_(pos), type_(type) { }
 virtual void Accept(AstVisitor* v);
@@ -900,6 +905,7 @@
 Expression* obj() const { return obj_; }
 Expression* key() const { return key_; }
 int position() const { return pos_; }
+ bool is_synthetic() const { return type_ == SYNTHETIC; }
 // Returns a property singleton property access on 'this'. Used
 // during preparsing.
@@ -909,8 +915,9 @@
 Expression* obj_;
 Expression* key_;
 int pos_;
+ Type type_;
- // Dummy property used during preparsing
+ // Dummy property used during preparsing.
 static Property this_property_;
 };
Modified: branches/bleeding_edge/src/codegen-arm.cc ==============================================================================
--- branches/bleeding_edge/src/codegen-arm.cc (original)
+++ branches/bleeding_edge/src/codegen-arm.cc Tue Mar 10 05:28:34 2009
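Review bot: The comment added above `enum Type` in the ast.h hunk says that calls to synthetic properties must use the global receiver, but not what goes wrong otherwise; per the scopes.cc hunk the base object of such a lookup is the arguments shadow, an object the program cannot name itself, so passing it to the callee as `this` would hand an engine-internal object to user code. Suggest extending the comment with `// Using the base object as receiver would expose an engine-internal object to user code as 'this'.` and giving the new accessor a one-line doc, `// True for lookups synthesized by the parser rather than written by the user.`, above `is_synthetic()`. The Property class continues beyond the hunks shown, so the remaining members are not visible here.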
@@ -3076,8 +3076,13 @@
 ref.GetValueAndSpill(NOT_INSIDE_TYPEOF); // receiver
 // Pass receiver to called function.
- __ ldr(r0, frame_->ElementAt(ref.size()));
- frame_->EmitPush(r0);
+ if (property->is_synthetic()) {
+ LoadGlobalReceiver(r0);
+ } else {
+ __ ldr(r0, frame_->ElementAt(ref.size()));
+ frame_->EmitPush(r0);
+ }
+ // Call the function.
 CallWithArguments(args, node->position());
 frame_->EmitPush(r0);
Modified: branches/bleeding_edge/src/codegen-ia32.cc ==============================================================================
--- branches/bleeding_edge/src/codegen-ia32.cc (original)
+++ branches/bleeding_edge/src/codegen-ia32.cc Tue Mar 10 05:28:34 2009
@@ -3911,9 +3911,13 @@
 ref.GetValue(NOT_INSIDE_TYPEOF);
 // Pass receiver to called function.
- // The reference's size is non-negative.
- frame_->SpillAll();
- frame_->EmitPush(frame_->ElementAt(ref.size()));
+ if (property->is_synthetic()) {
+ // Use global object as receiver.
+ LoadGlobalReceiver();
+ } else {
+ // The reference's size is non-negative.
+ frame_->PushElementAt(ref.size());
+ }
 // Call the function.
 CallWithArguments(args, node->position());
Modified: branches/bleeding_edge/src/scopes.cc ==============================================================================
--- branches/bleeding_edge/src/scopes.cc (original)
+++ branches/bleeding_edge/src/scopes.cc Tue Mar 10 05:28:34 2009
@@ -822,7 +822,8 @@
 var->rewrite_ = new Property(arguments_shadow_, new Literal(Handle<Object>(Smi::FromInt(i))),
- RelocInfo::kNoPosition);
+ RelocInfo::kNoPosition,
+ Property::SYNTHETIC);
 arguments_shadow->var_uses()->RecordUses(var->var_uses());
 }
 }
Added: branches/bleeding_edge/test/mjsunit/regress/regress-267.js ==============================================================================
--- (empty file)
+++ branches/bleeding_edge/test/mjsunit/regress/regress-267.js Tue Mar 10 05:28:34 2009
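Review bot: In the codegen-arm.cc hunk the two branches deliver the receiver differently: the else branch loads it into r0 and calls `frame_->EmitPush(r0)`, while the synthetic branch only calls `LoadGlobalReceiver(r0)`, so the frame height reaching `CallWithArguments` is equal across branches only if LoadGlobalReceiver pushes the receiver itself; its definition is outside the hunk, so this is inferred rather than verified. A comment at the call would record the invariant for the next reader: `// LoadGlobalReceiver pushes the global receiver, matching the EmitPush in the else branch.` The codegen-ia32.cc hunk has the same shape and additionally drops the `frame_->SpillAll()` the removed code performed before pushing the receiver; presumably `frame_->PushElementAt` manages the virtual frame on its own, which is worth confirming because a spilled-versus-virtual mismatch would only surface at runtime. Both enclosing functions start and end outside their hunks.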
@@ -0,0 +1,35 @@
+// Copyright 2009 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// See http://code.google.com/p/v8/issues/detail?id=267
+
+var global = (function(){ return this; })();
+function taint(fn){var v = fn(); eval("taint"); return v; }
+function getThis(){ return this; }
+var obj = taint(getThis);
+
+assertEquals(global, obj, "Should be the global object.");
--~--~---------~--~----~------------~-------~--~----~ v8-dev mailing list v8-dev@googlegroups.com http://groups.google.com/group/v8-dev -~----------~----~----~----~------~----~------~--~---
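Review bot: regress-267.js checks only the first parameter of the eval-tainted function, while the scopes.cc hunk marks every rewritten parameter slot `i` as synthetic; a case with the callee in a later slot, e.g. `function taint2(a, fn){ var v = fn(); eval("taint2"); return v; }` followed by `assertEquals(global, taint2(0, getThis), "Later parameter should also see the global receiver.");`, would exercise a non-zero index. The `eval("taint")` call exists only to make the scope eval-tainted, which is easy to misread as dead code; a comment such as `// The eval in the body is what forces the parameters through the arguments shadow (see scopes.cc).` would keep it from being removed in a cleanup. The global-receiver assertion also serves as the guard that `this` never exposes the internal arguments shadow object to script.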