Title: [292950] trunk/Source/_javascript_Core
- Revision
- 292950
- Author
- mark....@apple.com
- Date
- 2022-04-17 14:52:53 -0700 (Sun, 17 Apr 2022)
Log Message
Harden JSObject::setPrototypeOf.
https://bugs.webkit.org/show_bug.cgi?id=239440
Reviewed by Yusuke Suzuki.
* runtime/JSObject.cpp:
(JSC::JSObject::setPrototypeDirect):
(JSC::JSObject::setPrototypeWithCycleCheck):
* runtime/JSObject.h:
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorSetPrototypeOf):
Modified: trunk/Source/_javascript_Core/ChangeLog (292949 => 292950)
--- trunk/Source/_javascript_Core/ChangeLog 2022-04-17 21:01:10 UTC (rev 292949)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-04-17 21:52:53 UTC (rev 292950)
@@ -1,5 +1,19 @@
2022-04-16 Mark Lam <mark....@apple.com>
+ Harden JSObject::setPrototypeOf.
+ https://bugs.webkit.org/show_bug.cgi?id=239440
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::setPrototypeDirect):
+ (JSC::JSObject::setPrototypeWithCycleCheck):
+ * runtime/JSObject.h:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorSetPrototypeOf):
+
+2022-04-16 Mark Lam <mark....@apple.com>
+
Fix a deadlock in VMTraps.
https://bugs.webkit.org/show_bug.cgi?id=239421
<rdar://problem/91851592>
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (292949 => 292950)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2022-04-17 21:01:10 UTC (rev 292949)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2022-04-17 21:52:53 UTC (rev 292950)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 1999-2001 Harri Porten (por...@kde.org)
* Copyright (C) 2001 Peter Kelly (p...@post.com)
- * Copyright (C) 2003-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2022 Apple Inc. All rights reserved.
* Copyright (C) 2007 Eric Seidel (e...@webkit.org)
*
* This library is free software; you can redistribute it and/or
@@ -64,6 +64,7 @@
const ASCIILiteral UnconfigurablePropertyChangeConfigurabilityError { "Attempting to change configurable attribute of unconfigurable property."_s };
const ASCIILiteral UnconfigurablePropertyChangeEnumerabilityError { "Attempting to change enumerable attribute of unconfigurable property."_s };
const ASCIILiteral UnconfigurablePropertyChangeWritabilityError { "Attempting to change writable attribute of unconfigurable property."_s };
+const ASCIILiteral PrototypeValueCanOnlyBeAnObjectOrNullTypeError { "Prototype value can only be an object or null"_s };
const ClassInfo JSObject::s_info = { "Object"_s, nullptr, nullptr, nullptr, CREATE_METHOD_TABLE(JSObject) };
@@ -1873,9 +1874,11 @@
void JSObject::setPrototypeDirect(VM& vm, JSValue prototype)
{
- ASSERT(prototype);
+ ASSERT(prototype.isObject() || prototype.isNull());
if (prototype.isObject())
asObject(prototype)->didBecomePrototype();
+ else if (UNLIKELY(!prototype.isNull())) // Conservative hardening.
+ return;
if (structure()->hasMonoProto()) {
DeferredStructureTransitionWatchpointFire deferred(vm, structure());
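Review bot: The release-build guard `else if (UNLIKELY(!prototype.isNull())) return;` silently leaves the receiver's prototype unchanged while the function returns void, so a caller that reaches it with a non-object, non-null value continues as though the prototype had been installed; the `// Conservative hardening.` comment should state that outcome so the next reader does not mistake the early return for a no-op on an already-handled case. Suggested wording: `// Conservative hardening: never install a non-object, non-null value as a prototype. Debug builds assert above; release builds leave the prototype unchanged rather than crash.` If no caller can legitimately reach this path with such a value, a RELEASE_ASSERT would make a violation visible instead of silent — whichever is intended, the comment should say which. The body of setPrototypeDirect continues past the end of this hunk.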
@@ -1926,6 +1929,12 @@
if (!isExtensible)
return typeError(globalObject, scope, shouldThrowIfCantSet, ReadonlyPropertyWriteError);
+ // Some clients would have already done this check because of the order of the check
+ // specified in their respective specifications. However, we still do this check here
+ // to document and enforce this invariant about the nature of prototype.
+ if (UNLIKELY(!prototype.isObject() && !prototype.isNull()))
+ return typeError(globalObject, scope, shouldThrowIfCantSet, PrototypeValueCanOnlyBeAnObjectOrNullTypeError);
+
JSValue nextPrototype = prototype;
while (nextPrototype && nextPrototype.isObject()) {
if (nextPrototype == this)
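Review bot: The new object-or-null check is placed after the `if (!isExtensible)` test, so a non-extensible receiver handed an invalid prototype reports ReadonlyPropertyWriteError rather than PrototypeValueCanOnlyBeAnObjectOrNullTypeError, and the reported error depends on the receiver's state instead of on the bad argument. Since the check validates the argument itself, it reads more naturally before the extensibility test: move `if (UNLIKELY(!prototype.isObject() && !prototype.isNull()))` and its `return typeError(globalObject, scope, shouldThrowIfCantSet, PrototypeValueCanOnlyBeAnObjectOrNullTypeError);` above `if (!isExtensible)`, keeping the explanatory comment with them. The start of setPrototypeWithCycleCheck is outside the hunk, so if an earlier check (for example a same-prototype fast path) already precedes these lines, the intended position is the first line after it. Note also that when `shouldThrowIfCantSet` is false the invalid-prototype case returns false without throwing, which the comment could mention in one clause.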
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (292949 => 292950)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2022-04-17 21:01:10 UTC (rev 292949)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2022-04-17 21:52:53 UTC (rev 292950)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 1999-2001 Harri Porten (por...@kde.org)
* Copyright (C) 2001 Peter Kelly (p...@post.com)
- * Copyright (C) 2003-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2022 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -83,6 +83,7 @@
extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeConfigurabilityError;
extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeEnumerabilityError;
extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeWritabilityError;
+extern JS_EXPORT_PRIVATE const ASCIILiteral PrototypeValueCanOnlyBeAnObjectOrNullTypeError;
class JSFinalObject;
Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (292949 => 292950)
--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2022-04-17 21:01:10 UTC (rev 292949)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2022-04-17 21:52:53 UTC (rev 292950)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten (por...@kde.org)
- * Copyright (C) 2008-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2022 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -160,7 +160,7 @@
JSValue protoValue = callFrame->argument(1);
if (!protoValue.isObject() && !protoValue.isNull())
- return throwVMTypeError(globalObject, scope, "Prototype value can only be an object or null"_s);
+ return throwVMTypeError(globalObject, scope, PrototypeValueCanOnlyBeAnObjectOrNullTypeError);
JSObject* object = objectValue.toObject(globalObject);
RETURN_IF_EXCEPTION(scope, encodedJSValue());