Make $vm properties non-configurable, non-enumerable, and non-writable. https://bugs.webkit.org/show_bug.cgi?id=213395
Reviewed by Saam Barati and Yusuke Suzuki. JSTests: * stress/dollarVM-properties-should-not-be-enumerable.js: Added. Source/_javascript_Core: $vm provides functions for test development and VM debugging. There's no reason for them to be configurable, enumerable, and writable. We particularly don't want them to be enumerable as this can trip up some fuzzers. Fuzzers should not be fuzzing the $vm object which doesn't exist in real world uses of _javascript_Core. * tools/JSDollarVM.cpp: (JSC::JSDollarVM::finishCreation): (JSC::JSDollarVM::addFunction): (JSC::JSDollarVM::addConstructibleFunction):
Modified Paths
- trunk/JSTests/ChangeLog
- trunk/Source/_javascript_Core/ChangeLog
- trunk/Source/_javascript_Core/tools/JSDollarVM.cpp
Added Paths
Modified: trunk/JSTests/ChangeLog (263282 => 263283)
--- trunk/JSTests/ChangeLog 2020-06-19 20:13:14 UTC (rev 263282)
+++ trunk/JSTests/ChangeLog 2020-06-19 21:00:21 UTC (rev 263283)
@@ -1,3 +1,12 @@
+2020-06-19 Mark Lam <mark....@apple.com>
+
+ Make $vm properties non-configurable, non-enumerable, and non-writable.
+ https://bugs.webkit.org/show_bug.cgi?id=213395
+
+ Reviewed by Saam Barati and Yusuke Suzuki.
+
+ * stress/dollarVM-properties-should-not-be-enumerable.js: Added.
+
2020-06-18 Saam Barati <sbar...@apple.com>
sampling-profiler-wasm-name-section should run for more iterations
Added: trunk/JSTests/stress/dollarVM-properties-should-not-be-enumerable.js (0 => 263283)
--- trunk/JSTests/stress/dollarVM-properties-should-not-be-enumerable.js (rev 0)
+++ trunk/JSTests/stress/dollarVM-properties-should-not-be-enumerable.js 2020-06-19 21:00:21 UTC (rev 263283)
@@ -0,0 +1,28 @@
+//@ runDefault
+
+const descriptors = Object.getOwnPropertyDescriptors($vm);
+
+var success = true;
+
+for (prop in descriptors) {
+ let descriptor = descriptors[prop];
+ var expected = !descriptor.configurable && !descriptor.enumerable && !descriptor.writable;
+ if (!expected) {
+ print(" --- " + prop + " --- ", descriptors[prop]);
+ if (descriptor.configurable)
+ print(" $vm." + prop + " should not be configurable.");
+ if (descriptor.enumerable)
+ print(" $vm." + prop + " should not be enumerable.");
+ if (descriptor.writable)
+ print(" $vm." + prop + " should not be writable.");
+ }
+ success = success && !descriptor.configurable && !descriptor.enumerable && !descriptor.writable;
+}
+
+for (prop in $vm) {
+ print("$vm." + prop + " should not be enumerable.");
+ success = false;
+}
+
+if (!success)
+ throw "FAILED";
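Review bot: Both `for (prop in descriptors)` and `for (prop in $vm)` iterate over an undeclared `prop`, which in this sloppy-mode script silently creates a global, and `var expected` is hoisted out of the loop body; use `for (const prop in descriptors) {`, `for (const prop in $vm) {` and `const expected = ...` so the test does not itself leak into the global object it is inspecting. The trailing `success = success && !descriptor.configurable && ...` repeats the condition already computed into `expected`; `success = success && expected;` says the same thing once. Note also that `Object.getOwnPropertyDescriptors` returns symbol-keyed entries but `for...in` skips them, so if $vm ever gains a symbol-keyed property its attributes would go unchecked; iterating `Reflect.ownKeys($vm)` instead would cover both string and symbol keys.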
Modified: trunk/Source/_javascript_Core/ChangeLog (263282 => 263283)
--- trunk/Source/_javascript_Core/ChangeLog 2020-06-19 20:13:14 UTC (rev 263282)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-06-19 21:00:21 UTC (rev 263283)
@@ -1,3 +1,22 @@
+2020-06-19 Mark Lam <mark....@apple.com>
+
+ Make $vm properties non-configurable, non-enumerable, and non-writable.
+ https://bugs.webkit.org/show_bug.cgi?id=213395
+
+ Reviewed by Saam Barati and Yusuke Suzuki.
+
+ $vm provides functions for test development and VM debugging. There's no reason
+ for them to be configurable, enumerable, and writable.
+
+ We particularly don't want them to be enumerable as this can trip up some fuzzers.
+ Fuzzers should not be fuzzing the $vm object which doesn't exist in real world
+ uses of _javascript_Core.
+
+ * tools/JSDollarVM.cpp:
+ (JSC::JSDollarVM::finishCreation):
+ (JSC::JSDollarVM::addFunction):
+ (JSC::JSDollarVM::addConstructibleFunction):
+
2020-06-19 Tuomas Karkkainen <tuomas.web...@apple.com>
functionCpuClflush checks that the second argument is Int32 but it actually expects it to be UInt32
Modified: trunk/Source/_javascript_Core/tools/JSDollarVM.cpp (263282 => 263283)
--- trunk/Source/_javascript_Core/tools/JSDollarVM.cpp 2020-06-19 20:13:14 UTC (rev 263282)
+++ trunk/Source/_javascript_Core/tools/JSDollarVM.cpp 2020-06-19 21:00:21 UTC (rev 263283)
@@ -3094,6 +3094,8 @@
#endif
}
+constexpr unsigned jsDollarVMPropertyAttributes = PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum | PropertyAttribute::DontDelete;
+
void JSDollarVM::finishCreation(VM& vm)
{
DollarVMAssertScope assertScope;
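Review bot: The new `jsDollarVMPropertyAttributes` constant carries no comment, yet the reason for locking every $vm property down (ReadOnly | DontEnum | DontDelete) lives only in the ChangeLog; a reader of this file will not know why these debug helpers are stricter than ordinary globals. Suggest a comment above the definition such as `// $vm is a test/debugging-only object. Its properties are made non-configurable, non-enumerable and non-writable so that scripts (fuzzers in particular) cannot enumerate, redefine or overwrite them.` The constant sits at namespace scope between the end of the preceding function and `finishCreation`, whose body continues past this hunk.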
@@ -3114,13 +3116,13 @@
addFunction(vm, "crash", functionCrash, 0);
addFunction(vm, "breakpoint", functionBreakpoint, 0);
- putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "dfgTrue"), 0, functionDFGTrue, DFGTrueIntrinsic, static_cast<unsigned>(PropertyAttribute::DontEnum));
- putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "ftlTrue"), 0, functionFTLTrue, FTLTrueIntrinsic, static_cast<unsigned>(PropertyAttribute::DontEnum));
+ putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "dfgTrue"), 0, functionDFGTrue, DFGTrueIntrinsic, jsDollarVMPropertyAttributes);
+ putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "ftlTrue"), 0, functionFTLTrue, FTLTrueIntrinsic, jsDollarVMPropertyAttributes);
- putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuMfence"), 0, functionCpuMfence, CPUMfenceIntrinsic, 0);
- putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuRdtsc"), 0, functionCpuRdtsc, CPURdtscIntrinsic, 0);
- putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuCpuid"), 0, functionCpuCpuid, CPUCpuidIntrinsic, 0);
- putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuPause"), 0, functionCpuPause, CPUPauseIntrinsic, 0);
+ putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuMfence"), 0, functionCpuMfence, CPUMfenceIntrinsic, jsDollarVMPropertyAttributes);
+ putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuRdtsc"), 0, functionCpuRdtsc, CPURdtscIntrinsic, jsDollarVMPropertyAttributes);
+ putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuCpuid"), 0, functionCpuCpuid, CPUCpuidIntrinsic, jsDollarVMPropertyAttributes);
+ putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuPause"), 0, functionCpuPause, CPUPauseIntrinsic, jsDollarVMPropertyAttributes);
addFunction(vm, "cpuClflush", functionCpuClflush, 2);
addFunction(vm, "llintTrue", functionLLintTrue, 0);
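Review bot: The six `putDirectNativeFunction` calls each spell out `Identifier::fromString(vm, name)`, the intrinsic and `jsDollarVMPropertyAttributes` by hand, so a future intrinsic-backed helper added here can easily be registered with the default attributes and reintroduce an enumerable/writable $vm property; the fix this commit makes would then be silently undone. A small local lambda mirroring `addFunction` would route every intrinsic registration through the one constant. `finishCreation` begins before this hunk and continues after it.
```cpp
    // Intrinsic-backed helpers bypass addFunction(), so funnel them through one place that applies jsDollarVMPropertyAttributes.
    auto addIntrinsicFunction = [&](const char* name, NativeFunction function, Intrinsic intrinsic, unsigned arguments) {
        putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, name), arguments, function, intrinsic, jsDollarVMPropertyAttributes);
    };
    addIntrinsicFunction("dfgTrue", functionDFGTrue, DFGTrueIntrinsic, 0);
    addIntrinsicFunction("ftlTrue", functionFTLTrue, FTLTrueIntrinsic, 0);
    addIntrinsicFunction("cpuMfence", functionCpuMfence, CPUMfenceIntrinsic, 0);
    addIntrinsicFunction("cpuRdtsc", functionCpuRdtsc, CPURdtscIntrinsic, 0);
    addIntrinsicFunction("cpuCpuid", functionCpuCpuid, CPUCpuidIntrinsic, 0);
    addIntrinsicFunction("cpuPause", functionCpuPause, CPUPauseIntrinsic, 0);
    // … unchanged: remaining addFunction(...) registrations …
```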
@@ -3243,7 +3245,7 @@
{
DollarVMAssertScope assertScope;
Identifier identifier = Identifier::fromString(vm, name);
- putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function));
+ putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function), jsDollarVMPropertyAttributes);
}
void JSDollarVM::addConstructibleFunction(VM& vm, JSGlobalObject* globalObject, const char* name, NativeFunction function, unsigned arguments)
@@ -3250,7 +3252,7 @@
{
DollarVMAssertScope assertScope;
Identifier identifier = Identifier::fromString(vm, name);
- putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function, NoIntrinsic, function));
+ putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function, NoIntrinsic, function), jsDollarVMPropertyAttributes);
}
void JSDollarVM::visitChildren(JSCell* cell, SlotVisitor& visitor)