Reviewers: Jakob,

Description:
Harden %SetIsObserved with RUNTIME_ASSERTs

Now throws if its argument is already observed, or if the argument is
the global proxy.

BUG=371782

Please review this at https://codereview.chromium.org/274163002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+21, -3 lines):
  M src/runtime.cc
  A test/mjsunit/es7/object-observe-runtime.js


Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index ed6ce930677df13c4bf57316de9cfa9f5a3f464e..31502f364024cf413d9b69ee34eb711b2e89688b 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -14897,9 +14897,9 @@ RUNTIME_FUNCTION(Runtime_SetIsObserved) {
   HandleScope scope(isolate);
   ASSERT(args.length() == 1);
   CONVERT_ARG_HANDLE_CHECKED(JSReceiver, obj, 0);
-  ASSERT(!obj->IsJSGlobalProxy());
-  if (obj->IsJSProxy())
-    return isolate->heap()->undefined_value();
+  RUNTIME_ASSERT(!obj->IsJSGlobalProxy());
+  if (obj->IsJSProxy()) return isolate->heap()->undefined_value();
+  RUNTIME_ASSERT(!obj->map()->is_observed());

   ASSERT(obj->IsJSObject());
   JSObject::SetObserved(Handle<JSObject>::cast(obj));
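Review bot: The `ASSERT(obj->IsJSObject())` in front of `Handle<JSObject>::cast(obj)` at the end of this hunk is still debug-only, so in a release build the cast is protected only by the proxy early return above it. If every non-proxy JSReceiver is guaranteed to be a JSObject, that invariant deserves a comment such as `// Every non-proxy JSReceiver is a JSObject, so the cast below is safe.`; if not, it should become `RUNTIME_ASSERT(obj->IsJSObject());` like the two checks this change adds. The same question applies to `ASSERT(args.length() == 1)` at the top, unless the argument count is validated before the runtime function is entered, which cannot be told from this hunk. The function body continues past the end of the hunk.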
Index: test/mjsunit/es7/object-observe-runtime.js
diff --git a/test/mjsunit/es7/object-observe-runtime.js b/test/mjsunit/es7/object-observe-runtime.js
new file mode 100644
index 0000000000000000000000000000000000000000..29b4510939f7989e21692394b8a101b4cc17958d
--- /dev/null
+++ b/test/mjsunit/es7/object-observe-runtime.js
@@ -0,0 +1,18 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// These tests are meant to ensure that that the Object.observe runtime functions
+// are hardened.
+
+var obj = {};
+%SetIsObserved(obj);
+assertThrows(function() {
+  %SetIsObserved(obj);
+});
+
+assertThrows(function() {
+  %SetIsObserved(this);
+});
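Review bot: The second `assertThrows` passes `this` from inside a function expression, so whether it reaches the global-proxy check depends on how `assertThrows` invokes the callback and on the file staying in sloppy mode. If `this` were undefined there, the call would presumably still throw from the argument type conversion, and the test would pass without exercising the new check. Capturing the receiver at top level makes the intent explicit: `var global = this;` followed by `%SetIsObserved(global);` inside the callback. The proxy path, which returns undefined without throwing, is not covered; a case for it would pin the ordering of the new checks. The header comment also contains a doubled word ("that that").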

