Revision: 5150
Author:   metaweta
Date:     Mon Nov 12 18:53:10 2012
Log:      Added SES tests for two Chrome bugs.
http://codereview.appspot.com/6817116

Added SES tests for two Chrome bugs:
1) If you make an array's length read-only and then add an element to
the array, the length gets changed.
2) In non-strict code, this fails:
var x = (function a() {
  function a() {} // Should mask outer defn
  eval(""); // Just has to be here; removing it changes the behavior
  return a;
});
assert(x() !== x);

The first bug is a violation with no known exploit; the second is safe
because we're in strict mode.

R=felix8a

http://code.google.com/p/google-caja/source/detail?r=5150

Modified:
 /trunk/src/com/google/caja/ses/repairES5.js

=======================================
--- /trunk/src/com/google/caja/ses/repairES5.js Thu Oct 25 22:17:58 2012
+++ /trunk/src/com/google/caja/ses/repairES5.js Mon Nov 12 18:53:10 2012
@@ -1513,6 +1513,23 @@
     }
     return false;
   }
+  /**
+   * Detects http://code.google.com/p/v8/issues/detail?id=2396
+   *
+   * <p>Commenting out the eval does the right thing.  Only fails in
+   * non-strict mode.
+   */
+  function test_EVAL_BREAKS_MASKING() {
+    var x;
+    x = (function a() {
+      function a() {}
+      eval("");
+      return a;
+    });
+    // x() should be the internal function a(), not itself
+    return x() === x;
+  }
+

   /**
    * Detects http://code.google.com/p/v8/issues/detail?id=1645
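Review bot: test_EVAL_BREAKS_MASKING can only observe the v8 bug when the probe itself runs as non-strict code, which the doc comment acknowledges and the commit message says is not the case here ("we're in strict mode"); wherever repairES5.js is strict, `x()` returns the inner `a` and the function always returns false, so the table entry records the bug but the detector never fires. If the test is meant as a placeholder, the doc comment should say so, e.g. `* NOTE: this file runs in strict mode, so the probe cannot reproduce the bug here; it is kept for documentation.` — if it is meant to detect the bug, the snippet would have to be evaluated from non-strict code, which is not what this hunk does. The `eval("")` call also assumes `eval` is still the primordial direct eval when the repair tests run, which is not visible in this hunk. Minor style: `var x; x = (...)` can be a single `var x = (function a() { ... });`.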
@@ -1576,7 +1593,7 @@
   }

   /**
-   * Detects whether callng pop on a frozen array can modify the array.
+   * Detects whether calling pop on a frozen array can modify the array.
    * See https://bugs.webkit.org/show_bug.cgi?id=75788
    */
   function test_POP_IGNORES_FROZEN() {
@@ -1601,7 +1618,7 @@
    * https://bugzilla.mozilla.org/show_bug.cgi?id=590690
    * TODO(felix8a): file bug for chrome
    */
-  function test_ARRAYS_TOO_MUTABLE() {
+  function test_ARRAYS_DELETE_NONCONFIGURABLE() {
     var x = [];
     Object.defineProperty(x, 0, { value: 3, configurable: false });
     try {
@@ -1609,6 +1626,20 @@
     } catch (e) {}
     return x.length !== 1 || x[0] !== 3;
   }
+
+  /**
+   * In some versions of Chrome, extending an array can
+   * modify a read-only length property.
+   * http://code.google.com/p/v8/issues/detail?id=2379
+   */
+  function test_ARRAYS_MODIFY_READONLY() {
+    var x = [];
+    try {
+      Object.defineProperty(x, 'length', {value: 0, writable: false});
+      x[0] = 1;
+    } catch(e) {}
+    return x.length !== 0 || x[0] !== void 0;
+  }

   /**
    *
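Review bot: In test_ARRAYS_MODIFY_READONLY the Object.defineProperty call sits inside the try, so if defining a non-writable length itself throws, the catch swallows it, `x` stays an empty array and the function returns false — the setup failure is reported as "no bug". The sibling test_ARRAYS_DELETE_NONCONFIGURABLE (its body is partly visible in the hunk above) calls defineProperty outside its try and guards only the mutation; doing the same here keeps the two consistent: move `Object.defineProperty(x, 'length', {value: 0, writable: false});` above `try {` so that only `x[0] = 1;` is wrapped. The `catch(e)` spelling also differs from the `catch (e)` on the context line at the top of this hunk.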
@@ -2969,6 +3000,16 @@
       sections: ['10.4.2.1'],
       tests: ['S10.4.2.1_A1']
     },
+    {
+ description: 'Eval breaks masking of named functions in non-strict code',
+      test: test_EVAL_BREAKS_MASKING,
+      repair: void 0,
+      preSeverity: severities.SAFE_SPEC_VIOLATION,
+      canRepair: false,
+      urls: ['http://code.google.com/p/v8/issues/detail?id=2396'],
+      sections: ['10.2'],
+      tests: [] // TODO(erights): Add to test262
+    },
     {
       description: 'parseInt still parsing octal',
       test: test_PARSEINT_STILL_PARSING_OCTAL,
@@ -3014,7 +3055,7 @@
     },
     {
description: 'Setting [].length can delete non-configurable elements',
-      test: test_ARRAYS_TOO_MUTABLE,
+      test: test_ARRAYS_DELETE_NONCONFIGURABLE,
       repair: void 0,
       preSeverity: severities.NO_KNOWN_EXPLOIT_SPEC_VIOLATION,
       canRepair: false,
@@ -3022,6 +3063,16 @@
       sections: ['15.4.5.2'],
       tests: [] // TODO(erights): Add to test262
     },
+    {
+      description: 'Extending an array can modify read-only array length',
+      test: test_ARRAYS_MODIFY_READONLY,
+      repair: void 0,
+      preSeverity: severities.NO_KNOWN_EXPLOIT_SPEC_VIOLATION,
+      canRepair: false,
+      urls: ['http://code.google.com/p/v8/issues/detail?id=2379'],
+      sections: ['15.4.5.1.3.f'],
+      tests: [] // TODO(erights): Add to test262
+    },
     {
       description: 'Cannot redefine global NaN to itself',
       test: test_CANT_REDEFINE_NAN_TO_ITSELF,
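Review bot: The `sections: ['15.4.5.1.3.f']` value looks like it cites the wrong step of the Array [[DefineOwnProperty]] algorithm: in ES5.1 §15.4.5.1, step 3 is the branch for P === "length", whereas rejecting a new array-index property when the existing length is non-writable is, as far as I recall, step 4.b; worth checking against the spec text before this lands. The rest of the record mirrors the neighbouring ARRAYS_DELETE_NONCONFIGURABLE entry (same severity, no repair), which is consistent with the commit message's "no known exploit" assessment.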
