[Backport] Merged: Squashed multiple commits.

Merged: Add test for making private symbols non-enumerable
Revision: 942604dfb2895cf0e56173b271e66804ff41478a

Merged: Make private symbols non-enumerable
Revision: 135b9f9360342089de151990a7bf61c31caa6f1f

BUG=chromium:664411,chromium:664411
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/2498973002 .
(CVE-2016-9651)

Change-Id: I4a543b0e43dd75b798a6642f9dfa282ff23edfa0
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>

1 files changed, 8 insertions, 0 deletions

diff --git a/chromium/v8/src/lookup.cc b/chromium/v8/src/lookup.cc
index 48da4fabeea..3b38c6caf40 100644
--- a/chromium/v8/src/lookup.cc
+++ b/chromium/v8/src/lookup.cc
@@ -223,6 +223,11 @@ void LookupIterator::PrepareTransitionToDataProperty(
     Handle<Object> value, PropertyAttributes attributes,
     Object::StoreFromKeyed store_mode) {
   if (state_ == TRANSITION) return;
+
+  if (!IsElement() && name()->IsPrivate()) {
+    attributes = static_cast<PropertyAttributes>(attributes | DONT_ENUM);
+  }
+
   DCHECK(state_ != LookupIterator::ACCESSOR ||
          (GetAccessors()->IsAccessorInfo() &&
           AccessorInfo::cast(*GetAccessors())->is_special_data_property()));
@@ -303,6 +308,9 @@ void LookupIterator::TransitionToAccessorProperty(
   // handled via a trap. Adding properties to primitive values is not
   // observable.
   Handle<JSObject> receiver = GetStoreTarget();
+  if (!IsElement() && name()->IsPrivate()) {
+    attributes = static_cast<PropertyAttributes>(attributes | DONT_ENUM);
+  }
 
   if (!IsElement() && !receiver->map()->is_dictionary_map()) {
     holder_ = receiver;