Status: New
Owner: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Labels: Type-Bug Priority-Medium

New issue 174 by [EMAIL PROTECTED]: Uninitialized accessing of  
PropertyAttributes in ic.
http://code.google.com/p/v8/issues/detail?id=174

We have code that looks something like:

   if (lookup.type() == INTERCEPTOR) {
     // Get the property.
     PropertyAttributes attr;
     result = object->GetProperty(*name, &attr);
     if (result->IsFailure()) return result;
     // If the object does not have the requested property, check which
     // exception we need to throw.
     if (attr == ABSENT) {
       if (is_contextual()) {
         return ReferenceError("not_defined", name);
       }
       return TypeError("undefined_method", object, name);
     }

It seems that for the case of cross-domain security checks, GetProperty can
return a non-failure without assigning to attr.  For example, in:

Object* Object::GetProperty(Object* receiver,
                             LookupResult* result,
                             String* name,
                             PropertyAttributes* attributes) {

When walking the prototype and deciding an access check is needed, it can
return via GetPropertyWithFailedAccessCheck without having touched
attributes.

Breaking on objects.cc:403 (the return case for failed access check),

#0  v8::internal::Object::GetProperty (this=0xf4c07be1, receiver=0xf4c07be1,
    result=0xffffb818, name=0xf4d52b69, attributes=0xffffb918)
    at v8/src/objects.cc:405
(gdb) print *attributes
$2 = 4100555492

Following it down a few frames, we can see we end up with an uninitialized
attr variable in the ABSENT check:

          if (attr == ABSENT) {

#0  v8::internal::CallIC::LoadFunction (this=0xffffb968,
    state=v8::internal::UNINITIALIZED, object={location_ = 0xffffb9c0},
    name={location_ = 0xffffb9bc})
    at v8/src/ic.cc:328
(gdb) print attr
$8 = 4100555492

It should also be easy to reproduce this by adding a DCHECK(attr <= ABSENT)
before all of the uses of ABSENT in ic.cc, and chances are the
uninitialized stack data should not be within the valid range of a
PropertyAttributes.

A layout test that should reproduce this easily is:

LayoutTests/http/tests/messaging/cross-domain-message-send.html


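Added example, written for this page and not taken from V8 (nor a model of the fix V8 eventually applied): a self-contained C++ reduction of the out-parameter hole the report describes. An ic.cc-shaped caller declares `attr`, calls a lookup that has one early-return path returning a non-failure code without writing `*attributes`, and then compares `attr` against ABSENT. The names FakeObject, MakeObject, LookupBuggy, LookupFixed, LoadFunction, AttrIsValid, the Result and Outcome codes and the enumerator values are all assumptions made for the illustration; only `attr <= ABSENT` (the DCHECK the report proposes) and the stale value 4100555492 (what gdb printed in the report) come from the page. Since a genuinely uninitialized stack slot is not deterministic, the caller takes the stale pattern as a parameter and stores it into `attr` first.

```cpp
#include <cstdint>
#include <cstdio>

// Stand-in for v8::internal::PropertyAttributes. The enumerator values are
// chosen for this example, not taken from V8; ABSENT is the largest, so
// `attr <= ABSENT` is the validity check the report proposes for a DCHECK.
// The fixed underlying type makes storing an arbitrary 32-bit pattern in the
// enum well defined, which the stale-stack model below relies on.
enum PropertyAttributes : uint32_t {
  NONE = 0,
  READ_ONLY = 1,
  DONT_ENUM = 2,
  DONT_DELETE = 4,
  ABSENT = 16
};

// The check the report suggests adding before every use of ABSENT in ic.cc.
bool AttrIsValid(PropertyAttributes attr) { return attr <= ABSENT; }

// Hypothetical receiver, not a V8 type.
struct FakeObject {
  bool needs_access_check;   // models the cross-domain access check firing
  bool has_property;         // models whether the lookup finds `name`
  PropertyAttributes attrs;  // attributes of the property when found
};

FakeObject MakeObject(bool needs_access_check, bool has_property,
                      PropertyAttributes attrs) {
  FakeObject obj = {needs_access_check, has_property, attrs};
  return obj;
}

// Models GetProperty's return: FAILURE is the only "IsFailure()" case;
// ACCESS_CHECK_FAILED is a non-failure return, as the report describes.
enum Result { OK, FAILURE, ACCESS_CHECK_FAILED };

// Buggy shape: the failed-access-check path returns a non-failure without
// writing *attributes, so the caller reads whatever `attr` already held.
Result LookupBuggy(const FakeObject& obj, PropertyAttributes* attributes) {
  if (obj.needs_access_check) return ACCESS_CHECK_FAILED;  // *attributes untouched
  if (!obj.has_property) { *attributes = ABSENT; return OK; }
  *attributes = obj.attrs;
  return OK;
}

// One way to close the hole (an illustration, not V8's actual fix): every
// non-failure path writes *attributes. The access-check path reports ABSENT
// because no property is delivered to the caller.
Result LookupFixed(const FakeObject& obj, PropertyAttributes* attributes) {
  if (obj.needs_access_check) { *attributes = ABSENT; return ACCESS_CHECK_FAILED; }
  if (!obj.has_property) { *attributes = ABSENT; return OK; }
  *attributes = obj.attrs;
  return OK;
}

// What the ic.cc-shaped caller ends up doing.
enum Outcome { RETURN_FAILURE, REFERENCE_ERROR, TYPE_ERROR, INVALID_ATTR, CALL_FUNCTION };

typedef Result (*LookupFn)(const FakeObject&, PropertyAttributes*);

// Caller in the shape of the ic.cc excerpt. A real `PropertyAttributes attr;`
// holds whatever the stack slot held before; `stale_stack` stands in for that
// so the effect is observable and repeatable.
Outcome LoadFunction(LookupFn lookup, const FakeObject& obj, bool contextual,
                     uint32_t stale_stack) {
  PropertyAttributes attr = static_cast<PropertyAttributes>(stale_stack);
  Result result = lookup(obj, &attr);
  if (result == FAILURE) return RETURN_FAILURE;
  if (!AttrIsValid(attr)) return INVALID_ATTR;  // where DCHECK(attr <= ABSENT) would fire
  if (attr == ABSENT) return contextual ? REFERENCE_ERROR : TYPE_ERROR;
  return CALL_FUNCTION;
}

int main() {
  const uint32_t kStale = 4100555492u;  // the value gdb printed in the report
  std::printf("buggy lookup, access check fires: outcome %d (3 = invalid attr)\n",
              LoadFunction(LookupBuggy, MakeObject(true, true, NONE), false, kStale));
  std::printf("fixed lookup, access check fires: outcome %d (2 = TypeError)\n",
              LoadFunction(LookupFixed, MakeObject(true, true, NONE), false, kStale));
  std::printf("buggy lookup, plain missing property: outcome %d (2 = TypeError)\n",
              LoadFunction(LookupBuggy, MakeObject(false, false, NONE), false, kStale));
  return 0;
}
```

The last assertion in the test is the reason the report suggests a DCHECK rather than relying on a crash: if the stale slot happens to hold 16 (ABSENT here), the buggy path produces the same TypeError the fixed one does and nothing looks wrong; only an out-of-range pattern such as the one gdb showed makes the read visible.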