Fix for Proxy leaking in toString

toString on JS Proxies are leaking, see this sample code: undefined[Function.prototype.toString] undefined[new Proxy(Function.prototype.toString, {})] This change fixes the behavior. Patch credits to Yusif <[email protected]> Change-Id: Id82a0a5c245469973452a3e6609cb91978274b8e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2739980 Commit-Queue: Leszek Swirski <[email protected]> Reviewed-by: Leszek Swirski <[email protected]> Cr-Commit-Position: refs/heads/master@{#73625}
v8 · Mar 24, 2021 · 40e499c · 40e499c
1 parent 9ca7465
commit 40e499c
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -167,6 +167,7 @@ Milton Chiang <[email protected]>
 Mu Tao <[email protected]>
 Myeong-bo Shim <[email protected]>
 Nicolas Antonius Ernst Leopold Maria Kaiser <[email protected]>
+Niek van der Maas <[email protected]>
 Niklas Hambüchen <[email protected]>
 Noj Vek <[email protected]>
 Oleksandr Chekhovskyi <[email protected]>
@@ -235,6 +236,7 @@ Yi Wang <[email protected]>
 Yong Wang <[email protected]>
 Youfeng Hao <[email protected]>
 Yu Yin <[email protected]>
+Yusif Khudhur <[email protected]>
 Zac Hansen <[email protected]>
 Zeynep Cankara <[email protected]>
 Zhao Jiazhong <[email protected]>

diff --git a/src/objects/objects.cc b/src/objects/objects.cc
@@ -461,6 +461,9 @@ Handle<String> Object::NoSideEffectsToString(Isolate* isolate,
 
   if (input->IsString() || input->IsNumber() || input->IsOddball()) {
     return Object::ToString(isolate, input).ToHandleChecked();
+  } else if (input->IsJSProxy()) {
+    HeapObject target = Handle<JSProxy>::cast(input)->target(isolate);
+    return NoSideEffectsToString(isolate, Handle<Object>(target, isolate));
   } else if (input->IsBigInt()) {
     MaybeHandle<String> maybe_string =
         BigInt::ToString(isolate, Handle<BigInt>::cast(input), 10, kDontThrow);

diff --git a/test/cctest/test-object.cc b/test/cctest/test-object.cc
@@ -77,6 +77,11 @@ TEST(NoSideEffectsToString) {
               "Error: fisk hest");
   CheckObject(isolate, factory->NewJSObject(isolate->object_function()),
               "#<Object>");
+  CheckObject(
+      isolate,
+      factory->NewJSProxy(factory->NewJSObject(isolate->object_function()),
+                          factory->NewJSObject(isolate->object_function())),
+      "#<Object>");
 }
 
 TEST(EnumCache) {