[v8-dev] [v8] r3164 committed - Issue 485: Fix leak of builtins object through call and apply function...

Wed, 28 Oct 2009 06:52:23 -0700 

Revision: 3164
Author: [email protected]
Date: Wed Oct 28 06:51:30 2009
Log: Issue 485: Fix leak of builtins object through call and apply  
functions.

Review URL: http://codereview.chromium.org/345007

http://code.google.com/p/v8/source/detail?r=3164

Added:
  /branches/bleeding_edge/test/mjsunit/regress/regress-485.js
Modified:
  /branches/bleeding_edge/src/arm/builtins-arm.cc
  /branches/bleeding_edge/src/ia32/builtins-ia32.cc
  /branches/bleeding_edge/src/x64/builtins-x64.cc

=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-485.js Wed Oct 28  
06:51:30 2009
@@ -0,0 +1,64 @@
+// Copyright 2009 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// See: http://code.google.com/p/v8/issues/detail?id=485
+
+// Ensure that we don't expose the builtins object when calling
+// builtin functions that use or return "this".
+
+var global = this;
+var global2 = (function(){return this;})();
+assertEquals(global, global2, "direct call to local function returns  
global");
+
+var builtin = Object.prototype.valueOf;  // Builtin function that returns  
this.
+
+assertEquals(global, builtin(), "Direct call to builtin");
+
+assertEquals(global, builtin.call(), "call() to builtin");
+assertEquals(global, builtin.call(null), "call(null) to builtin");
+assertEquals(global, builtin.call(undefined), "call(undefined) to  
builtin");
+
+assertEquals(global, builtin.apply(), "apply() to builtin");
+assertEquals(global, builtin.apply(null), "apply(null) to builtin");
+assertEquals(global, builtin.apply(undefined), "apply(undefined) to  
builtin");
+
+assertEquals(global, builtin.call.call(builtin), "call.call() to builtin");
+assertEquals(global, builtin.call.apply(builtin), "call.apply() to  
builtin");
+assertEquals(global, builtin.apply.call(builtin), "apply.call() to  
builtin");
+assertEquals(global, builtin.apply.apply(builtin), "apply.apply() to  
builtin");
+
+
+// Builtin that depends on value of this to compute result.
+var builtin2 = Object.prototype.toString;
+
+// Global object has class "Object" according to Object.prototype.toString.
+// Builtins object displays as "[object builtins]".
+assertTrue("[object builtins]" != builtin2(), "Direct call to toString");
+assertTrue("[object builtins]" != builtin2.call(), "call() to toString");
+assertTrue("[object builtins]" != builtin2.apply(), "call() to toString");
+assertTrue("[object builtins]" != builtin2.call.call(builtin2),
+           "call.call() to toString");
=======================================
--- /branches/bleeding_edge/src/arm/builtins-arm.cc     Wed Sep 30 02:24:46 2009
+++ /branches/bleeding_edge/src/arm/builtins-arm.cc     Wed Oct 28 06:51:30 2009
@@ -949,6 +949,8 @@
      const int kGlobalIndex =
          Context::kHeaderSize + Context::GLOBAL_INDEX * kPointerSize;
      __ ldr(r2, FieldMemOperand(cp, kGlobalIndex));
+    __ ldr(r2, FieldMemOperand(r2, GlobalObject::kGlobalContextOffset));
+    __ ldr(r2, FieldMemOperand(r2, kGlobalIndex));
      __ ldr(r2, FieldMemOperand(r2, GlobalObject::kGlobalReceiverOffset));

      __ bind(&patch_receiver);
@@ -1107,6 +1109,8 @@
    const int kGlobalOffset =
        Context::kHeaderSize + Context::GLOBAL_INDEX * kPointerSize;
    __ ldr(r0, FieldMemOperand(cp, kGlobalOffset));
+  __ ldr(r0, FieldMemOperand(r0, GlobalObject::kGlobalContextOffset));
+  __ ldr(r0, FieldMemOperand(r0, kGlobalOffset));
    __ ldr(r0, FieldMemOperand(r0, GlobalObject::kGlobalReceiverOffset));

    // Push the receiver.
=======================================
--- /branches/bleeding_edge/src/ia32/builtins-ia32.cc   Tue Oct 27 07:56:50  
2009
+++ /branches/bleeding_edge/src/ia32/builtins-ia32.cc   Wed Oct 28 06:51:30  
2009
@@ -462,6 +462,8 @@
      const int kGlobalIndex =
          Context::kHeaderSize + Context::GLOBAL_INDEX * kPointerSize;
      __ mov(ebx, FieldOperand(esi, kGlobalIndex));
+    __ mov(ebx, FieldOperand(ebx, GlobalObject::kGlobalContextOffset));
+    __ mov(ebx, FieldOperand(ebx, kGlobalIndex));
      __ mov(ebx, FieldOperand(ebx, GlobalObject::kGlobalReceiverOffset));

      __ bind(&patch_receiver);
@@ -606,6 +608,8 @@
    const int kGlobalOffset =
        Context::kHeaderSize + Context::GLOBAL_INDEX * kPointerSize;
    __ mov(ebx, FieldOperand(esi, kGlobalOffset));
+  __ mov(ebx, FieldOperand(ebx, GlobalObject::kGlobalContextOffset));
+  __ mov(ebx, FieldOperand(ebx, kGlobalOffset));
    __ mov(ebx, FieldOperand(ebx, GlobalObject::kGlobalReceiverOffset));

    // Push the receiver.
=======================================
--- /branches/bleeding_edge/src/x64/builtins-x64.cc     Tue Oct 27 07:56:50 2009
+++ /branches/bleeding_edge/src/x64/builtins-x64.cc     Wed Oct 28 06:51:30 2009
@@ -246,6 +246,8 @@
      const int kGlobalIndex =
          Context::kHeaderSize + Context::GLOBAL_INDEX * kPointerSize;
      __ movq(rbx, FieldOperand(rsi, kGlobalIndex));
+    __ movq(rbx, FieldOperand(rbx, GlobalObject::kGlobalContextOffset));
+    __ movq(rbx, FieldOperand(rbx, kGlobalIndex));
      __ movq(rbx, FieldOperand(rbx, GlobalObject::kGlobalReceiverOffset));

      __ bind(&patch_receiver);
@@ -400,6 +402,8 @@
    const int kGlobalOffset =
        Context::kHeaderSize + Context::GLOBAL_INDEX * kPointerSize;
    __ movq(rbx, FieldOperand(rsi, kGlobalOffset));
+  __ movq(rbx, FieldOperand(rbx, GlobalObject::kGlobalContextOffset));
+  __ movq(rbx, FieldOperand(rbx, kGlobalOffset));
    __ movq(rbx, FieldOperand(rbx, GlobalObject::kGlobalReceiverOffset));

    // Push the receiver.

--~--~---------~--~----~------------~-------~--~----~
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
-~----------~----~----~----~------~----~------~--~---

Reply via email to