Reviewers: felix8a,
Description:
Added SES tests for two Chrome bugs:
1) If you make an array's length read-only and then add an element to
the array, the length gets changed.
2) In non-strict code, this fails:
var x = (function a() {
function a() {} // Should mask outer defn
eval(""); // Just has to be here; removing it changes the behavior
return a;
});
assert(x() !== x);
The first bug is a violation with no known exploit; the second is safe
because we're in strict mode.
Please review this at http://codereview.appspot.com/6817116/
Affected files:
M src/com/google/caja/ses/repairES5.js
Index: src/com/google/caja/ses/repairES5.js
===================================================================
--- src/com/google/caja/ses/repairES5.js (revision 5149)
+++ src/com/google/caja/ses/repairES5.js (working copy)
@@ -1513,7 +1513,24 @@
}
return false;
}
+ /**
+ * Detects http://code.google.com/p/v8/issues/detail?id=2396
+ *
+ * <p>Commenting out the eval does the right thing. Only fails in
+ * non-strict mode.
+ */
+ function test_EVAL_BREAKS_MASKING() {
+ var x;
+ x = (function a() {
+ function a() {}
+ eval("");
+ return a;
+ });
+ // x() should be the internal function a(), not itself
+ return x() === x;
+ }
+
/**
* Detects http://code.google.com/p/v8/issues/detail?id=1645
*/
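Review bot: The probe in test_EVAL_BREAKS_MASKING calls direct `eval("")` with no guard, so on a host where eval is disabled (a Content-Security-Policy without unsafe-eval, for instance) `x()` throws and the exception escapes the test and aborts the whole repair pass, whereas test_ARRAYS_MODIFY_READONLY in the same patch wraps its probe in try/catch. Catch it around `return x() === x;` and report the test as not runnable in whatever form the surrounding tests use for that case (not visible in this hunk); silently returning false there would mis-report a disabled eval as the bug being absent. Separately, the doc comment says the bug "only fails in non-strict mode", and that strictness belongs to the code containing the test, not to the code SES confines: if repairES5.js were itself strict this function could never observe the bug, so the comment should state that it relies on the enclosing file being non-strict. I cannot see the file header from this hunk to confirm which it is.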
@@ -1576,7 +1593,7 @@
}
/**
- * Detects whether callng pop on a frozen array can modify the array.
+ * Detects whether calling pop on a frozen array can modify the array.
* See https://bugs.webkit.org/show_bug.cgi?id=75788
*/
function test_POP_IGNORES_FROZEN() {
@@ -1601,7 +1618,7 @@
* https://bugzilla.mozilla.org/show_bug.cgi?id=590690
* TODO(felix8a): file bug for chrome
*/
- function test_ARRAYS_TOO_MUTABLE() {
+ function test_ARRAYS_DELETE_NONCONFIGURABLE() {
var x = [];
Object.defineProperty(x, 0, { value: 3, configurable: false });
try {
@@ -1611,6 +1628,20 @@
}
/**
+ * In some versions of Chrome, extending an array can
+ * modify a read-only length property.
+ * http://code.google.com/p/v8/issues/detail?id=2379
+ */
+ function test_ARRAYS_MODIFY_READONLY() {
+ var x = [];
+ try {
+ Object.defineProperty(x, 'length', {value: 0, writable: false});
+ x[0] = 1;
+ } catch(e) {}
+ return x.length !== 0 || x[0] !== void 0;
+ }
+
+ /**
*
*/
function test_CANT_REDEFINE_NAN_TO_ITSELF() {
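Review bot: In test_ARRAYS_MODIFY_READONLY the `Object.defineProperty` that makes `length` read-only sits inside the same try as the probe assignment, so an engine that throws when redefining an array's `length` is swallowed by the empty `catch(e) {}` and the test returns false, indistinguishable from the bug being absent. Only the probe needs the guard, since the assignment is expected to throw in strict mode: `Object.defineProperty(x, 'length', {value: 0, writable: false});` followed by `try { x[0] = 1; } catch (e) {}`, so a failure to set up the fixture surfaces on its own rather than as a false negative. A short `// true means the engine grew the array despite the read-only length` above the return would also make the polarity of the result explicit, matching the comment style of the test above it.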
@@ -2970,6 +3001,16 @@
tests: ['S10.4.2.1_A1']
},
{
+ description: 'Eval breaks masking of named functions in non-strict
code',
+ test: test_EVAL_BREAKS_MASKING,
+ repair: void 0,
+ preSeverity: severities.SAFE_SPEC_VIOLATION,
+ canRepair: false,
+ urls: ['http://code.google.com/p/v8/issues/detail?id=2396'],
+ sections: ['10.2'],
+ tests: [] // TODO(erights): Add to test262
+ },
+ {
description: 'parseInt still parsing octal',
test: test_PARSEINT_STILL_PARSING_OCTAL,
repair: repair_PARSEINT_STILL_PARSING_OCTAL,
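Review bot: The new registry entry classifies test_EVAL_BREAKS_MASKING as `severities.SAFE_SPEC_VIOLATION`, but the reason is recorded only in the CL description (the bug manifests only in non-strict code, and the description says the confined code is strict), not in the file next to the classification. If that is indeed the reasoning, a one-line comment on the `preSeverity` line, e.g. `// SAFE because the bug needs non-strict code, which SES-confined code is not`, keeps the justification with the entry for the next reader who sees a spec violation marked safe with `repair: void 0` and `canRepair: false`. The enclosing registry array starts and ends outside this hunk.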
@@ -3014,7 +3055,7 @@
},
{
description: 'Setting [].length can delete non-configurable
elements',
- test: test_ARRAYS_TOO_MUTABLE,
+ test: test_ARRAYS_DELETE_NONCONFIGURABLE,
repair: void 0,
preSeverity: severities.NO_KNOWN_EXPLOIT_SPEC_VIOLATION,
canRepair: false,
@@ -3023,6 +3064,16 @@
tests: [] // TODO(erights): Add to test262
},
{
+ description: 'Extending an array can modify read-only array length',
+ test: test_ARRAYS_MODIFY_READONLY,
+ repair: void 0,
+ preSeverity: severities.NO_KNOWN_EXPLOIT_SPEC_VIOLATION,
+ canRepair: false,
+ urls: ['http://code.google.com/p/v8/issues/detail?id=2379'],
+ sections: ['15.4.5.1.3.f'],
+ tests: [] // TODO(erights): Add to test262
+ },
+ {
description: 'Cannot redefine global NaN to itself',
test: test_CANT_REDEFINE_NAN_TO_ITSELF,
repair: repair_CANT_REDEFINE_NAN_TO_ITSELF,