Diffstat (limited to 'chromium/v8/src/objects')
-rw-r--r-- | chromium/v8/src/objects/code-kind.h | 4 | ||||
-rw-r--r-- | chromium/v8/src/objects/js-objects.cc | 49 | ||||
-rw-r--r-- | chromium/v8/src/objects/js-objects.h | 5 | ||||
-rw-r--r-- | chromium/v8/src/objects/js-weak-refs-inl.h | 21 | ||||
-rw-r--r-- | chromium/v8/src/objects/js-weak-refs.h | 8 | ||||
-rw-r--r-- | chromium/v8/src/objects/lookup.cc | 4 | ||||
-rw-r--r-- | chromium/v8/src/objects/objects.cc | 2 |
7 files changed, 78 insertions, 15 deletions
diff --git a/chromium/v8/src/objects/code-kind.h b/chromium/v8/src/objects/code-kind.h
index b43affdc2d9..32c3b025757 100644
--- a/chromium/v8/src/objects/code-kind.h
+++ b/chromium/v8/src/objects/code-kind.h
@@ -57,10 +57,6 @@ inline constexpr bool CodeKindIsBaselinedJSFunction(CodeKind kind) {
 return kind == CodeKind::BASELINE;
 }
-inline constexpr bool CodeKindIsStaticallyCompiled(CodeKind kind) {
- return kind == CodeKind::BYTECODE_HANDLER || kind == CodeKind::BUILTIN;
-}
-
 inline constexpr bool CodeKindIsUnoptimizedJSFunction(CodeKind kind) {
 STATIC_ASSERT(static_cast<int>(CodeKind::INTERPRETED_FUNCTION) + 1 ==
 static_cast<int>(CodeKind::BASELINE));
diff --git a/chromium/v8/src/objects/js-objects.cc b/chromium/v8/src/objects/js-objects.cc
index 3f806f5a090..4335a7cf0e4 100644
--- a/chromium/v8/src/objects/js-objects.cc
+++ b/chromium/v8/src/objects/js-objects.cc
@@ -186,6 +186,55 @@ Maybe<bool> JSReceiver::HasInPrototypeChain(Isolate* isolate,
 }
 // static
+bool JSReceiver::CheckPrivateNameStore(LookupIterator* it, bool is_define) {
+ DCHECK(it->GetName()->IsPrivateName());
+ Isolate* isolate = it->isolate();
+ Handle<String> name_string(
+ String::cast(Handle<Symbol>::cast(it->GetName())->description()),
+ isolate);
+ bool should_throw = GetShouldThrow(isolate, Nothing<ShouldThrow>()) ==
+ ShouldThrow::kThrowOnError;
+ for (; it->IsFound(); it->Next()) {
+ switch (it->state()) {
+ case LookupIterator::TRANSITION:
+ case LookupIterator::INTERCEPTOR:
+ case LookupIterator::JSPROXY:
+ case LookupIterator::NOT_FOUND:
+ case LookupIterator::INTEGER_INDEXED_EXOTIC:
+ case LookupIterator::ACCESSOR:
+ UNREACHABLE();
+ case LookupIterator::ACCESS_CHECK:
+ if (!it->HasAccess()) {
+ isolate->ReportFailedAccessCheck(
+ Handle<JSObject>::cast(it->GetReceiver()));
+ RETURN_VALUE_IF_SCHEDULED_EXCEPTION(isolate, false);
+ return false;
+ }
+ break;
+ case LookupIterator::DATA:
+ if (is_define && should_throw) {
+ MessageTemplate message =
+ it->GetName()->IsPrivateBrand()
+ ? MessageTemplate::kInvalidPrivateBrandReinitialization
+ : MessageTemplate::kInvalidPrivateFieldReinitialization;
+ isolate->Throw(*(isolate->factory()->NewTypeError(
+ message, name_string, it->GetReceiver())));
+ return false;
+ }
+ return true;
+ }
+ }
+ DCHECK(!it->IsFound());
+ if (!is_define && should_throw) {
+ isolate->Throw(*(isolate->factory()->NewTypeError(
+ MessageTemplate::kInvalidPrivateMemberWrite, name_string,
+ it->GetReceiver())));
+ return false;
+ }
+ return true;
+}
+
+// static
 Maybe<bool> JSReceiver::CheckIfCanDefine(Isolate* isolate, LookupIterator* it,
 Handle<Object> value,
 Maybe<ShouldThrow> should_throw) {
diff --git a/chromium/v8/src/objects/js-objects.h b/chromium/v8/src/objects/js-objects.h
index d6a96a8fe2d..4edb34d5c9f 100644
--- a/chromium/v8/src/objects/js-objects.h
+++ b/chromium/v8/src/objects/js-objects.h
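Review bot: In the ACCESS_CHECK arm of CheckPrivateNameStore, the `return false` that follows `RETURN_VALUE_IF_SCHEDULED_EXCEPTION(isolate, false)` is reached exactly when ReportFailedAccessCheck did not schedule an exception, so a caller that reads false as "an exception is pending" (the contract the new js-objects.h comment states) would propagate a failure with nothing pending. If the intended behaviour for a denied access check is the usual silent failure, that deserves a comment here and in the header; otherwise returning Maybe<bool> like the neighbouring CheckIfCanDefine would keep "threw" and "denied without throwing" distinguishable. Also, `name_string` is materialised on every call although only the two throwing branches use it; building it inside those branches keeps the common path free of that handle work. I would document the contract on the declaration: `// Returns false after a failed access check even when the access-check callback did not throw; callers must not assume an exception is pending.`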
@@ -161,6 +161,11 @@ class JSReceiver : public TorqueGeneratedJSReceiver<JSReceiver, HeapObject> {
 Isolate* isolate, Handle<JSReceiver> object, Handle<Object> key,
 PropertyDescriptor* desc, Maybe<ShouldThrow> should_throw);
+ // Check if private name property can be store on the object. It will return
+ // false with an error when it cannot.
+ V8_WARN_UNUSED_RESULT static bool CheckPrivateNameStore(LookupIterator* it,
+ bool is_define);
+
 // Check if a data property can be created on the object. It will fail with
 // an error when it cannot.
 V8_WARN_UNUSED_RESULT static Maybe<bool> CheckIfCanDefine(
diff --git a/chromium/v8/src/objects/js-weak-refs-inl.h b/chromium/v8/src/objects/js-weak-refs-inl.h
index acce7b72b94..76e6e075e5d 100644
--- a/chromium/v8/src/objects/js-weak-refs-inl.h
+++ b/chromium/v8/src/objects/js-weak-refs-inl.h
@@ -60,16 +60,14 @@ bool JSFinalizationRegistry::Unregister(
 // key. Each WeakCell will be in the "active_cells" or "cleared_cells" list of
 // its FinalizationRegistry; remove it from there.
 return finalization_registry->RemoveUnregisterToken(
- *unregister_token, isolate,
- [isolate](WeakCell matched_cell) {
- matched_cell.RemoveFromFinalizationRegistryCells(isolate);
- },
+ *unregister_token, isolate, kRemoveMatchedCellsFromRegistry,
 [](HeapObject, ObjectSlot, Object) {});
 }
-template <typename MatchCallback, typename GCNotifyUpdatedSlotCallback>
+template <typename GCNotifyUpdatedSlotCallback>
 bool JSFinalizationRegistry::RemoveUnregisterToken(
- JSReceiver unregister_token, Isolate* isolate, MatchCallback match_callback,
+ JSReceiver unregister_token, Isolate* isolate,
+ RemoveUnregisterTokenMode removal_mode,
 GCNotifyUpdatedSlotCallback gc_notify_updated_slot) {
 // This method is called from both FinalizationRegistry#unregister and for
 // removing weakly-held dead unregister tokens. The latter is during GC so
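Review bot: The new declaration comment has a typo ("can be store") and leaves `is_define` undocumented, although that flag decides which direction the check runs. From the definition in js-objects.cc earlier in this diff, a define fails when the member already exists and a plain store fails when it is missing, so I would write `// Check if a private name property can be stored on the object. With is_define,` / `// an existing member is an error (reinitialization); otherwise a missing member` / `// is an error. Returns false when the store is not allowed.`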
@@ -107,7 +105,16 @@ bool JSFinalizationRegistry::RemoveUnregisterToken(
 value = weak_cell.key_list_next();
 if (weak_cell.unregister_token() == unregister_token) {
 // weak_cell has the same unregister token; remove it from the key list.
- match_callback(weak_cell);
+ switch (removal_mode) {
+ case kRemoveMatchedCellsFromRegistry:
+ weak_cell.RemoveFromFinalizationRegistryCells(isolate);
+ break;
+ case kKeepMatchedCellsInRegistry:
+ // Do nothing.
+ break;
+ }
+ // Clear unregister token-related fields.
+ weak_cell.set_unregister_token(undefined);
 weak_cell.set_key_list_prev(undefined);
 weak_cell.set_key_list_next(undefined);
 was_present = true;
diff --git a/chromium/v8/src/objects/js-weak-refs.h b/chromium/v8/src/objects/js-weak-refs.h
index 57f765b282e..f678234ff81 100644
--- a/chromium/v8/src/objects/js-weak-refs.h
+++ b/chromium/v8/src/objects/js-weak-refs.h
@@ -43,10 +43,14 @@ class JSFinalizationRegistry
 // it modifies slots in key_map and WeakCells and the normal write barrier is
 // disabled during GC, we need to tell the GC about the modified slots via the
 // gc_notify_updated_slot function.
- template <typename MatchCallback, typename GCNotifyUpdatedSlotCallback>
+ enum RemoveUnregisterTokenMode {
+ kRemoveMatchedCellsFromRegistry,
+ kKeepMatchedCellsInRegistry
+ };
+ template <typename GCNotifyUpdatedSlotCallback>
 inline bool RemoveUnregisterToken(
 JSReceiver unregister_token, Isolate* isolate,
- MatchCallback match_callback,
+ RemoveUnregisterTokenMode removal_mode,
 GCNotifyUpdatedSlotCallback gc_notify_updated_slot);
 // Returns true if the cleared_cells list is non-empty.
diff --git a/chromium/v8/src/objects/lookup.cc b/chromium/v8/src/objects/lookup.cc
index 81f83302e7b..df9e219d33b 100644
--- a/chromium/v8/src/objects/lookup.cc
+++ b/chromium/v8/src/objects/lookup.cc
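Review bot: The three stores that reset a matched cell's token fields here (`set_unregister_token`, `set_key_list_prev`, `set_key_list_next`, all to `undefined`) now appear verbatim in RemoveCellFromUnregisterTokenMap as well (objects.cc hunk later in this diff); a small WeakCell helper, for instance `ClearUnregisterTokenFields(undefined)`, would keep the two sites from drifting apart. The function's opening comment says this path also runs during GC with the write barrier disabled and slot updates reported through gc_notify_updated_slot, yet the new `set_unregister_token(undefined)` is not reported — presumably acceptable because `undefined` never moves, as the existing key-list stores already assume, but that reasoning is worth stating on the new line: `// Storing the immortal undefined needs no slot notification.` RemoveUnregisterToken's body starts and ends outside this hunk.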
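Review bot: The new `RemoveUnregisterTokenMode` enum is inserted between the comment block that documents RemoveUnregisterToken and the declaration it describes, so the paragraph about write barriers and gc_notify_updated_slot now reads as if it were about the enum; move the enum above that comment. Its two values also deserve a line each, e.g. `kRemoveMatchedCellsFromRegistry,  // matched cells are also unlinked from the registry's cell lists` and `kKeepMatchedCellsInRegistry       // only the token and key-list fields are cleared`. As a plain enum the enumerators land unqualified in the JSFinalizationRegistry scope; `enum class` would be the idiomatic choice, at the cost of qualifying the uses in js-weak-refs-inl.h.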
@@ -1264,7 +1264,9 @@ LookupIterator::State LookupIterator::LookupInSpecialHolder(
 }
 #endif // V8_ENABLE_WEBASSEMBLY
 if (map.is_access_check_needed()) {
- if (is_element || !name_->IsPrivate(isolate_)) return ACCESS_CHECK;
+ if (is_element || !name_->IsPrivate(isolate_) ||
+ name_->IsPrivateName(isolate_))
+ return ACCESS_CHECK;
 }
 V8_FALLTHROUGH;
 case ACCESS_CHECK:
diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc
index 4616ef7ab74..d16146114e8 100644
--- a/chromium/v8/src/objects/objects.cc
+++ b/chromium/v8/src/objects/objects.cc
@@ -6981,7 +6981,7 @@ void JSFinalizationRegistry::RemoveCellFromUnregisterTokenMap(
 }
 // weak_cell is now removed from the unregister token map, so clear its
- // unregister token-related fields for heap verification.
+ // unregister token-related fields.
 weak_cell.set_unregister_token(undefined);
 weak_cell.set_key_list_prev(undefined);
 weak_cell.set_key_list_next(undefined);
|
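Review bot: The widened condition now sends private names (`IsPrivateName`) to ACCESS_CHECK while other private symbols still bypass it, and nothing near the line says why, so a later reader is likely to "simplify" it back to the old form. I would add above the if: `// Only engine-internal private symbols may skip the access check; private` / `// names (class private fields and brands, see CheckPrivateNameStore) are` / `// script-visible and must be access-checked like ordinary properties.` LookupInSpecialHolder's switch starts and ends outside this hunk.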