From bda45b510c10a79faab0b8b8542bf94f4a1c18d2 Mon Sep 17 00:00:00 2001
From: Cristian Cavalli <cristiancavall@google.com>
Date: Wed, 2 Nov 2016 11:15:54 -0700
Subject: [PATCH] deps: backport 5c8cb16 from upstream V8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Original Commit Message:
  [ic] Don't call LookupIterator::GetStoreTarget() when receiver is not a JSReceiver.

  BUG=chromium:619166,chromium:625155

  Review-Url: https://codereview.chromium.org/2175273002
  Cr-Commit-Position: refs/heads/master@{#38018}

PR-URL: https://github.com/nodejs/node/pull/9422
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
---
 deps/v8/include/v8-version.h                 |  2 +-
 deps/v8/src/lookup.h                         |  1 +
 deps/v8/src/objects.cc                       | 17 ++++++++++++++++-
 deps/v8/test/cctest/test-api-interceptors.cc | 19 +++++++++++++++++++
 4 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 353e3392ad7373..993f4f20091205 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 1
 #define V8_BUILD_NUMBER 281
-#define V8_PATCH_LEVEL 85
+#define V8_PATCH_LEVEL 86
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/lookup.h b/deps/v8/src/lookup.h
index abd073284d4a82..3fbd9b41002f92 100644
--- a/deps/v8/src/lookup.h
+++ b/deps/v8/src/lookup.h
@@ -179,6 +179,7 @@ class LookupIterator final BASE_EMBEDDED {
   Handle<Object> GetReceiver() const { return receiver_; }
 
   Handle<JSObject> GetStoreTarget() const {
+    DCHECK(receiver->IsJSObject());
     if (receiver_->IsJSGlobalProxy()) {
       Map* map = JSGlobalProxy::cast(*receiver_)->map();
       if (map->has_hidden_prototype()) {
diff --git a/deps/v8/src/objects.cc b/deps/v8/src/objects.cc
index 51993f3f329ca5..fa45a091b12dfc 100644
--- a/deps/v8/src/objects.cc
+++ b/deps/v8/src/objects.cc
@@ -4214,11 +4214,20 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
         return JSProxy::SetProperty(it->GetHolder<JSProxy>(), it->GetName(),
                                     value, it->GetReceiver(), language_mode);
 
-      case LookupIterator::INTERCEPTOR:
+      case LookupIterator::INTERCEPTOR: {
+        Handle<Map> store_target_map;
+        if (it->GetReceiver()->IsJSObject()) {
+          store_target_map = handle(it->GetStoreTarget()->map(), it->isolate());
+        }
         if (it->HolderIsReceiverOrHiddenPrototype()) {
           Maybe<bool> result =
               JSObject::SetPropertyWithInterceptor(it, should_throw, value);
           if (result.IsNothing() || result.FromJust()) return result;
+          Utils::ApiCheck(store_target_map.is_null() ||
+                              *store_target_map == it->GetStoreTarget()->map(),
+                          it->IsElement() ? "v8::IndexedPropertySetterCallback"
+                                          : "v8::NamedPropertySetterCallback",
+                          "Interceptor silently changed store target.");
         } else {
           Maybe<PropertyAttributes> maybe_attributes =
               JSObject::GetPropertyAttributesWithInterceptor(it);
@@ -4227,10 +4236,16 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
           if ((maybe_attributes.FromJust() & READ_ONLY) != 0) {
             return WriteToReadOnlyProperty(it, value, should_throw);
           }
+          Utils::ApiCheck(store_target_map.is_null() ||
+                              *store_target_map == it->GetStoreTarget()->map(),
+                          it->IsElement() ? "v8::IndexedPropertySetterCallback"
+                                          : "v8::NamedPropertySetterCallback",
+                          "Interceptor silently changed store target.");
           *found = false;
           return Nothing<bool>();
         }
         break;
+      }
 
       case LookupIterator::ACCESSOR: {
         if (it->IsReadOnly()) {
diff --git a/deps/v8/test/cctest/test-api-interceptors.cc b/deps/v8/test/cctest/test-api-interceptors.cc
index a1894fad1adce4..c1aa0d69269964 100644
--- a/deps/v8/test/cctest/test-api-interceptors.cc
+++ b/deps/v8/test/cctest/test-api-interceptors.cc
@@ -3245,6 +3245,25 @@ THREADED_TEST(Regress149912) {
   CompileRun("Number.prototype.__proto__ = new Bug; var x = 0; x.foo();");
 }
 
+THREADED_TEST(Regress625155) {
+  LocalContext context;
+  v8::HandleScope scope(context->GetIsolate());
+  Local<FunctionTemplate> templ = FunctionTemplate::New(context->GetIsolate());
+  AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter);
+  context->Global()
+      ->Set(context.local(), v8_str("Bug"),
+            templ->GetFunction(context.local()).ToLocalChecked())
+      .FromJust();
+  CompileRun(
+      "Number.prototype.__proto__ = new Bug;"
+      "var x;"
+      "x = 0xdead;"
+      "x.boom = 0;"
+      "x = 's';"
+      "x.boom = 0;"
+      "x = 1.5;"
+      "x.boom = 0;");
+}
 
 THREADED_TEST(Regress125988) {
   v8::HandleScope scope(CcTest::isolate());