Version 4.5.103.34 (cherry-pick)

ajklein · ajklein · commit 134e541ad149 · 2015-09-17T21:20:39.000Z
Merged 21bd456 Disallow Object.observe calls on access-checked objects BUG=chromium:531891 LOG=N TBR=jochen@chromium.org Review URL: https://codereview.chromium.org/1352023002 . Cr-Commit-Position: refs/branch-heads/4.5@{#37} Cr-Branched-From: 7f21153-refs/heads/4.5.103@{#1} Cr-Branched-From: 4b38c15-refs/heads/master@{#29527}
diff --git a/include/v8-version.h b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 5
 #define V8_BUILD_NUMBER 103
-#define V8_PATCH_LEVEL 33
+#define V8_PATCH_LEVEL 34
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/src/messages.h b/src/messages.h
@@ -173,6 +173,7 @@ class CallSite {
   T(ObserveCallbackFrozen,                                                     \
     "Object.observe cannot deliver to a frozen function object")               \
   T(ObserveGlobalProxy, "% cannot be called on the global proxy object")       \
+  T(ObserveAccessChecked, "% cannot be called on access-checked objects")      \
   T(ObserveInvalidAccept,                                                      \
     "Third argument to Object.observe must be an array of strings.")           \
   T(ObserveNonFunction, "Object.% cannot deliver to non-function")             \
diff --git a/src/object-observe.js b/src/object-observe.js
@@ -389,6 +389,8 @@ function ObjectObserve(object, callback, acceptList) {
     throw MakeTypeError(kObserveNonObject, "observe", "observe");
   if (%IsJSGlobalProxy(object))
     throw MakeTypeError(kObserveGlobalProxy, "observe");
+  if (%IsAccessCheckNeeded(object))
+    throw MakeTypeError(kObserveAccessChecked, "observe");
   if (!IS_SPEC_FUNCTION(callback))
     throw MakeTypeError(kObserveNonFunction, "observe");
   if (ObjectIsFrozen(callback))
@@ -617,6 +619,8 @@ function ObjectGetNotifier(object) {
     throw MakeTypeError(kObserveNonObject, "getNotifier", "getNotifier");
   if (%IsJSGlobalProxy(object))
     throw MakeTypeError(kObserveGlobalProxy, "getNotifier");
+  if (%IsAccessCheckNeeded(object))
+    throw MakeTypeError(kObserveAccessChecked, "getNotifier");
 
   if (ObjectIsFrozen(object)) return null;
 
diff --git a/src/runtime/runtime-object.cc b/src/runtime/runtime-object.cc
@@ -1435,5 +1435,13 @@ RUNTIME_FUNCTION(Runtime_DefineSetterPropertyUnchecked) {
                                setter, attrs));
   return isolate->heap()->undefined_value();
 }
+
+
+RUNTIME_FUNCTION(Runtime_IsAccessCheckNeeded) {
+  SealHandleScope shs(isolate);
+  DCHECK_EQ(1, args.length());
+  CONVERT_ARG_CHECKED(Object, object, 0);
+  return isolate->heap()->ToBoolean(object->IsAccessCheckNeeded());
+}
 }  // namespace internal
 }  // namespace v8
diff --git a/src/runtime/runtime.h b/src/runtime/runtime.h
@@ -483,7 +483,8 @@ namespace internal {
   F(IsStrong, 1, 1)                                  \
   F(ClassOf, 1, 1)                                   \
   F(DefineGetterPropertyUnchecked, 4, 1)             \
-  F(DefineSetterPropertyUnchecked, 4, 1)
+  F(DefineSetterPropertyUnchecked, 4, 1)             \
+  F(IsAccessCheckNeeded, 1, 1)
 
 
 #define FOR_EACH_INTRINSIC_OBSERVE(F)            \
diff --git a/test/cctest/test-object-observe.cc b/test/cctest/test-object-observe.cc
@@ -885,3 +885,39 @@ TEST(UseCountObjectGetNotifier) {
   CompileRun("Object.getNotifier(obj)");
   CHECK_EQ(1, use_counts[v8::Isolate::kObjectObserve]);
 }
+
+
+static bool NamedAccessCheckAlwaysAllow(Local<v8::Object> global,
+                                        Local<v8::Value> name,
+                                        v8::AccessType type,
+                                        Local<Value> data) {
+  return true;
+}
+
+
+TEST(DisallowObserveAccessCheckedObject) {
+  v8::Isolate* isolate = CcTest::isolate();
+  v8::HandleScope scope(isolate);
+  LocalContext env;
+  v8::Local<v8::ObjectTemplate> object_template =
+      v8::ObjectTemplate::New(isolate);
+  object_template->SetAccessCheckCallbacks(NamedAccessCheckAlwaysAllow, NULL);
+  env->Global()->Set(v8_str("obj"), object_template->NewInstance());
+  v8::TryCatch try_catch(isolate);
+  CompileRun("Object.observe(obj, function(){})");
+  CHECK(try_catch.HasCaught());
+}
+
+
+TEST(DisallowGetNotifierAccessCheckedObject) {
+  v8::Isolate* isolate = CcTest::isolate();
+  v8::HandleScope scope(isolate);
+  LocalContext env;
+  v8::Local<v8::ObjectTemplate> object_template =
+      v8::ObjectTemplate::New(isolate);
+  object_template->SetAccessCheckCallbacks(NamedAccessCheckAlwaysAllow, NULL);
+  env->Global()->Set(v8_str("obj"), object_template->NewInstance());
+  v8::TryCatch try_catch(isolate);
+  CompileRun("Object.getNotifier(obj)");
+  CHECK(try_catch.HasCaught());
+}
