Author: l...@chromium.org
Date: Tue Mar 10 05:28:34 2009
New Revision: 1476

Added:
    branches/bleeding_edge/test/mjsunit/regress/regress-267.js
Modified:
    branches/bleeding_edge/src/ast.h
    branches/bleeding_edge/src/codegen-arm.cc
    branches/bleeding_edge/src/codegen-ia32.cc
    branches/bleeding_edge/src/scopes.cc

Log:
Issue 267: Calls to arguments in eval-tainted function scope use the global
object as receiver.


Modified: branches/bleeding_edge/src/ast.h
==============================================================================
--- branches/bleeding_edge/src/ast.h    (original)
+++ branches/bleeding_edge/src/ast.h    Tue Mar 10 05:28:34 2009
@@ -887,8 +887,13 @@

  class Property: public Expression {
   public:
-  Property(Expression* obj, Expression* key, int pos)
-      : obj_(obj), key_(key), pos_(pos) { }
+  // Synthetic properties are property lookups introduced by the system,
+  // to objects that aren't visible to the user. Function calls to  
synthetic
+  // properties should use the global object as receiver, not the base  
object
+  // of the resolved Reference.
+  enum Type { NORMAL, SYNTHETIC };
+  Property(Expression* obj, Expression* key, int pos, Type type = NORMAL)
+      : obj_(obj), key_(key), pos_(pos), type_(type) { }

    virtual void Accept(AstVisitor* v);

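Review bot: The new `Type` flag has no effect on its own; it only changes behavior where a code generator consults `is_synthetic()` before choosing a receiver, and the class comment should say so, otherwise a later call path that builds a receiver from the base object will silently reintroduce the leak of an internal object as `this`. Suggested addition to the comment above the enum: `// Code generators must check is_synthetic() on every call-through-Property path.`. The comment text itself is wrapped across lines 29-32 by the mail client, which should be checked against the committed file. The `Property` class continues past the end of this hunk.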
@@ -900,6 +905,7 @@
    Expression* obj() const { return obj_; }
    Expression* key() const { return key_; }
    int position() const { return pos_; }
+  bool is_synthetic() const { return type_ == SYNTHETIC; }

    // Returns a property singleton property access on 'this'.  Used
    // during preparsing.
@@ -909,8 +915,9 @@
    Expression* obj_;
    Expression* key_;
    int pos_;
+  Type type_;

-  // Dummy property used during preparsing
+  // Dummy property used during preparsing.
    static Property this_property_;
  };


Modified: branches/bleeding_edge/src/codegen-arm.cc
==============================================================================
--- branches/bleeding_edge/src/codegen-arm.cc   (original)
+++ branches/bleeding_edge/src/codegen-arm.cc   Tue Mar 10 05:28:34 2009
@@ -3076,8 +3076,13 @@
        ref.GetValueAndSpill(NOT_INSIDE_TYPEOF);  // receiver

        // Pass receiver to called function.
-      __ ldr(r0, frame_->ElementAt(ref.size()));
-      frame_->EmitPush(r0);
+      if (property->is_synthetic()) {
+        LoadGlobalReceiver(r0);
+      } else {
+        __ ldr(r0, frame_->ElementAt(ref.size()));
+        frame_->EmitPush(r0);
+      }
+
        // Call the function.
        CallWithArguments(args, node->position());
        frame_->EmitPush(r0);
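Review bot: The synthetic branch lacks the `// Use global object as receiver.` comment that the ia32 counterpart carries, and neither branch states the invariant that both must leave exactly one receiver slot on the frame before `CallWithArguments` runs. Suggested comment above the `if`: `// Both branches push exactly one receiver; synthetic properties must not expose the internal base object as 'this'.`. This assumes `LoadGlobalReceiver(r0)` pushes its result the way the else-branch's `EmitPush(r0)` does, which is not visible in the hunk and should be confirmed. The enclosing function continues past the end of this hunk.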

Modified: branches/bleeding_edge/src/codegen-ia32.cc
==============================================================================
--- branches/bleeding_edge/src/codegen-ia32.cc  (original)
+++ branches/bleeding_edge/src/codegen-ia32.cc  Tue Mar 10 05:28:34 2009
@@ -3911,9 +3911,13 @@
        ref.GetValue(NOT_INSIDE_TYPEOF);

        // Pass receiver to called function.
-      // The reference's size is non-negative.
-      frame_->SpillAll();
-      frame_->EmitPush(frame_->ElementAt(ref.size()));
+      if (property->is_synthetic()) {
+        // Use global object as receiver.
+        LoadGlobalReceiver();
+      } else {
+        // The reference's size is non-negative.
+        frame_->PushElementAt(ref.size());
+      }

        // Call the function.
        CallWithArguments(args, node->position());
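Review bot: The else-branch drops the `frame_->SpillAll()` that the removed lines performed before pushing the receiver, and the log message does not mention this. If `frame_->PushElementAt(ref.size())` correctly handles register-resident elements of the virtual frame this is fine, but it is a change independent of issue 267 and deserves either a sentence in the commit message or a comment such as `// PushElementAt handles register-allocated elements; no SpillAll needed.` Likewise the synthetic branch assumes `LoadGlobalReceiver()` pushes exactly one element so that the frame height matches the else-branch for `CallWithArguments`; that is not visible here and should be confirmed. The enclosing function continues past the end of this hunk.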

Modified: branches/bleeding_edge/src/scopes.cc
==============================================================================
--- branches/bleeding_edge/src/scopes.cc        (original)
+++ branches/bleeding_edge/src/scopes.cc        Tue Mar 10 05:28:34 2009
@@ -822,7 +822,8 @@
          var->rewrite_ =
            new Property(arguments_shadow_,
                         new Literal(Handle<Object>(Smi::FromInt(i))),
-                       RelocInfo::kNoPosition);
+                       RelocInfo::kNoPosition,
+                       Property::SYNTHETIC);
          arguments_shadow->var_uses()->RecordUses(var->var_uses());
        }
      }
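Review bot: The `Property::SYNTHETIC` argument deserves a why-comment at the rewrite site, since this is the only place that decides a call through a rewritten parameter must not expose `arguments_shadow_` as `this`. Suggested comment above the `new Property(...)`: `// SYNTHETIC: calls through this rewrite must use the global receiver, never the internal arguments shadow.`. If other rewrites to internal objects exist elsewhere in this function they would need the same flag; only this one is visible in the hunk. The enclosing loop and function continue outside the hunk.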

Added: branches/bleeding_edge/test/mjsunit/regress/regress-267.js
==============================================================================
--- (empty file)
+++ branches/bleeding_edge/test/mjsunit/regress/regress-267.js  Tue Mar 10  
05:28:34 2009
@@ -0,0 +1,35 @@
+// Copyright 2009 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// See http://code.google.com/p/v8/issues/detail?id=267
+
+var global = (function(){ return this; })();
+function taint(fn){var v = fn(); eval("taint"); return v; }
+function getThis(){ return this; }
+var obj = taint(getThis);
+
+assertEquals(global, obj, "Should be the global object.");
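Review bot: The test only checks that a synthetic property call gets the global receiver; it does not guard against the flag being applied too broadly, i.e. that a normal property call on a rewritten parameter in the same eval-tainted scope still receives its base object. Adding `function taintNormal(o){ var v = o.f(); eval("taintNormal"); return v; }`, `var o = { f: getThis };` and `assertEquals(o, taintNormal(o), "Normal property call should keep its receiver.");` would pin both sides of the fix.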
