Title: [209218] branches/safari-602-branch

Diff

Modified: branches/safari-602-branch/LayoutTests/ChangeLog (209217 => 209218)


--- branches/safari-602-branch/LayoutTests/ChangeLog	2016-12-01 22:54:52 UTC (rev 209217)
+++ branches/safari-602-branch/LayoutTests/ChangeLog	2016-12-01 22:55:40 UTC (rev 209218)
@@ -1,5 +1,19 @@
 2016-12-01  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r209149. rdar://problem/29404230
+
+    2016-11-30  Mark Lam  <mark....@apple.com>
+
+            Proxy is not allowed in the global prototype chain.
+            https://bugs.webkit.org/show_bug.cgi?id=165205
+
+            Reviewed by Geoffrey Garen.
+
+            * js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt: Added.
+            * js/dom/proxy-is-not-allowed-in-global-prototype-chain.html: Added.
+
+2016-12-01  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r209145. rdar://problem/29404231
 
     2016-11-30  Brent Fulgham  <bfulg...@apple.com>

Added: branches/safari-602-branch/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt (0 => 209218)


--- branches/safari-602-branch/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt	2016-12-01 22:55:40 UTC (rev 209218)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: TypeError: Proxy is not allowed in the global prototype chain.
+onerror saw TypeError: Proxy is not allowed in the global prototype chain.
+

Added: branches/safari-602-branch/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain.html (0 => 209218)


--- branches/safari-602-branch/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain.html	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain.html	2016-12-01 22:55:40 UTC (rev 209218)
@@ -0,0 +1,30 @@
+<pre id="console"></pre>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+window._onerror_ = function(e) {
+	log("onerror saw " + e);
+}
+
+try {
+    var proto = window.__proto__.__proto__.__proto__;
+    proto.__proto__ = new Proxy(proto.__proto__, {
+        has(target, prop) {
+            log("FAIL: proxy saw " + prop);
+        }
+    });
+
+} catch (e) {
+    log("Caught: " + e);
+    log(e.stack);
+}
+
+function log(s)
+{
+    document.getElementById("console").appendChild(document.createTextNode(s + "\n"));
+}
+</script>
+
+<script>var undefined_variable</script>
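Review bot: Nothing in the test says that the trailing `<script>var undefined_variable</script>` is the step under test, so the file reads as if the `try` block were expected to throw. The expected output has no `Caught:` line, which suggests that installing the Proxy succeeds and the TypeError is raised only when the second script is loaded; a comment such as `<!-- Loading a second program is what triggers the global prototype chain check. -->` placed before it would make that clear. Separately, the handler assigned in `window._onerror_ = function(e) {` is probably `window.onerror` altered by the mail archive, since the expected output contains `onerror saw`; as printed on this page it would never be invoked.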

Modified: branches/safari-602-branch/Source/_javascript_Core/ChangeLog (209217 => 209218)


--- branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-12-01 22:54:52 UTC (rev 209217)
+++ branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-12-01 22:55:40 UTC (rev 209218)
@@ -1,3 +1,18 @@
+2016-12-01  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r209149. rdar://problem/29404230
+
+    2016-11-30  Mark Lam  <mark....@apple.com>
+
+            Proxy is not allowed in the global prototype chain.
+            https://bugs.webkit.org/show_bug.cgi?id=165205
+
+            Reviewed by Geoffrey Garen.
+
+            * runtime/ProgramExecutable.cpp:
+            (JSC::ProgramExecutable::initializeGlobalProperties):
+            - We'll now throw a TypeError if we detect a Proxy in the global prototype chain.
+
 2016-11-11  Matthew Hanson  <matthew_han...@apple.com>
 
         Merge r208619. rdar://problem/29225966

Modified: branches/safari-602-branch/Source/_javascript_Core/runtime/Executable.cpp (209217 => 209218)


--- branches/safari-602-branch/Source/_javascript_Core/runtime/Executable.cpp	2016-12-01 22:54:52 UTC (rev 209217)
+++ branches/safari-602-branch/Source/_javascript_Core/runtime/Executable.cpp	2016-12-01 22:55:40 UTC (rev 209218)
@@ -584,6 +584,15 @@
     RELEASE_ASSERT(globalObject);
     ASSERT(&globalObject->vm() == &vm);
 
+    JSValue nextPrototype = globalObject->getPrototypeDirect();
+    while (nextPrototype && nextPrototype.isObject()) {
+        if (UNLIKELY(asObject(nextPrototype)->type() == ProxyObjectType)) {
+            ExecState* exec = globalObject->globalExec();
+            return createTypeError(exec, ASCIILiteral("Proxy is not allowed in the global prototype chain."));
+        }
+        nextPrototype = asObject(nextPrototype)->getPrototypeDirect();
+    }
+
     JSObject* exception = 0;
     UnlinkedProgramCodeBlock* unlinkedCodeBlock = globalObject->createProgramCodeBlock(callFrame, this, &exception);
     if (exception)
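Review bot: The new prototype-chain walk has no comment saying why a Proxy is rejected, and the reason is not evident from the loop itself. Judging by the accompanying layout test, whose `has` trap logs `FAIL: proxy saw`, the intent appears to be keeping script-defined proxy traps from running while the program's global properties are set up; a comment above the loop such as `// A Proxy in the global prototype chain would let script-defined traps run during global property setup; reject it before creating the code block.` would record that. The check runs only when a program is initialized, so it is worth confirming, since this hunk cannot show it, that code already executing when the Proxy is installed is handled elsewhere. The ChangeLog entry names `runtime/ProgramExecutable.cpp` while this branch patches `runtime/Executable.cpp`, and the enclosing function begins and ends outside the hunk.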
@@ -675,7 +684,7 @@
             RELEASE_ASSERT(offsetForAssert == offset);
         }
     }
-    return 0;
+    return nullptr;
 }
 
 void ProgramExecutable::visitChildren(JSCell* cell, SlotVisitor& visitor)