Title: [92618] trunk
- Revision
- 92618
- Author
- oli...@apple.com
- Date
- 2011-08-08 12:09:51 -0700 (Mon, 08 Aug 2011)
Log Message
Non-extensibility does not prevent mutating [[Prototype]]
https://bugs.webkit.org/show_bug.cgi?id=65832
Reviewed by Gavin Barraclough.
../../../../Volumes/Data/git/WebKit/OpenSource/LayoutTests:
Add tests to ensure we can't assign to __proto__ when an object
is not extensible.
* fast/js/preventExtensions-expected.txt:
* fast/js/script-tests/preventExtensions.js:
../../../../Volumes/Data/git/WebKit/OpenSource/Source/_javascript_Core:
Disallow mutation of __proto__ on objects that are not extensible.
* runtime/JSObject.cpp:
(JSC::JSObject::put):
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (92617 => 92618)
--- trunk/LayoutTests/ChangeLog 2011-08-08 19:09:46 UTC (rev 92617)
+++ trunk/LayoutTests/ChangeLog 2011-08-08 19:09:51 UTC (rev 92618)
@@ -1,3 +1,16 @@
+2011-08-08 Oliver Hunt <oli...@apple.com>
+
+ Non-extensibility does not prevent mutating [[Prototype]]
+ https://bugs.webkit.org/show_bug.cgi?id=65832
+
+ Reviewed by Gavin Barraclough.
+
+ Add tests to ensure we can't assign to __proto__ when an object
+ is not extensible.
+
+ * fast/js/preventExtensions-expected.txt:
+ * fast/js/script-tests/preventExtensions.js:
+
2011-08-08 Jian Li <jia...@chromium.org>
Unreviewed, mark 1 test as flaky in chromium.
Modified: trunk/LayoutTests/fast/js/preventExtensions-expected.txt (92617 => 92618)
--- trunk/LayoutTests/fast/js/preventExtensions-expected.txt 2011-08-08 19:09:46 UTC (rev 92617)
+++ trunk/LayoutTests/fast/js/preventExtensions-expected.txt 2011-08-08 19:09:51 UTC (rev 92618)
@@ -11,6 +11,8 @@
PASS test(seal(obj())) is "(a:1)(b:4)S"
PASS test(freeze(obj())) is "(a:1)(b:2)SF"
PASS Object.preventExtensions(Math.sin) is Math.sin
+PASS var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp; is undefined.
+PASS "use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; threw exception TypeError: Attempted to assign to readonly property..
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/LayoutTests/fast/js/script-tests/preventExtensions.js (92617 => 92618)
--- trunk/LayoutTests/fast/js/script-tests/preventExtensions.js 2011-08-08 19:09:46 UTC (rev 92617)
+++ trunk/LayoutTests/fast/js/script-tests/preventExtensions.js 2011-08-08 19:09:51 UTC (rev 92618)
@@ -68,4 +68,7 @@
// check that we can preventExtensions on a host function.
shouldBe('Object.preventExtensions(Math.sin)', 'Math.sin');
+shouldBeUndefined('var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp;');
+shouldThrow('"use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" };');
+
successfullyParsed = true;
\ No newline at end of file
Modified: trunk/Source/_javascript_Core/ChangeLog (92617 => 92618)
--- trunk/Source/_javascript_Core/ChangeLog 2011-08-08 19:09:46 UTC (rev 92617)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-08-08 19:09:51 UTC (rev 92618)
@@ -1,3 +1,15 @@
+2011-08-08 Oliver Hunt <oli...@apple.com>
+
+ Non-extensibility does not prevent mutating [[Prototype]]
+ https://bugs.webkit.org/show_bug.cgi?id=65832
+
+ Reviewed by Gavin Barraclough.
+
+ Disallow mutation of __proto__ on objects that are not extensible.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::put):
+
2011-08-08 Filip Pizlo <fpi...@apple.com>
DFG JIT does not track speculation decisions for global variables
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (92617 => 92618)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2011-08-08 19:09:46 UTC (rev 92617)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2011-08-08 19:09:51 UTC (rev 92618)
@@ -110,6 +110,13 @@
// Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla.
if (!value.isObject() && !value.isNull())
return;
+
+ if (!isExtensible()) {
+ if (slot.isStrictMode())
+ throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
+ return;
+ }
+
if (!setPrototypeWithCycleCheck(exec->globalData(), value))
throwError(exec, createError(exec, "cyclic __proto__ value"));
return;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
