Title: [211937] releases/WebKitGTK/webkit-2.14
Revision: 211937
Author: [email protected]
Date: 2017-02-09 00:55:07 -0800 (Thu, 09 Feb 2017)

Log Message

Merge r209149 - Proxy is not allowed in the global prototype chain.
https://bugs.webkit.org/show_bug.cgi?id=165205

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
- We'll now throw a TypeError if we detect a Proxy in the global prototype chain.

LayoutTests:

* js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt: Added.
* js/dom/proxy-is-not-allowed-in-global-prototype-chain.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (211936 => 211937)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog	2017-02-09 08:54:57 UTC (rev 211936)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog	2017-02-09 08:55:07 UTC (rev 211937)
@@ -1,3 +1,13 @@
+2016-11-30  Mark Lam  <[email protected]>
+
+        Proxy is not allowed in the global prototype chain.
+        https://bugs.webkit.org/show_bug.cgi?id=165205
+
+        Reviewed by Geoffrey Garen.
+
+        * js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt: Added.
+        * js/dom/proxy-is-not-allowed-in-global-prototype-chain.html: Added.
+
 2016-11-14  Brent Fulgham  <[email protected]>
 
         Correct handling of changing input type

Added: releases/WebKitGTK/webkit-2.14/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt (0 => 211937)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt	2017-02-09 08:55:07 UTC (rev 211937)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: TypeError: Proxy is not allowed in the global prototype chain.
+onerror saw TypeError: Proxy is not allowed in the global prototype chain.
+

Added: releases/WebKitGTK/webkit-2.14/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain.html (0 => 211937)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain.html	2017-02-09 08:55:07 UTC (rev 211937)
@@ -0,0 +1,30 @@
+<pre id="console"></pre>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+window._onerror_ = function(e) {
+	log("onerror saw " + e);
+}
+
+try {
+    var proto = window.__proto__.__proto__.__proto__;
+    proto.__proto__ = new Proxy(proto.__proto__, {
+        has(target, prop) {
+            log("FAIL: proxy saw " + prop);
+        }
+    });
+
+} catch (e) {
+    log("Caught: " + e);
+    log(e.stack);
+}
+
+function log(s)
+{
+    document.getElementById("console").appendChild(document.createTextNode(s + "\n"));
+}
+</script>
+
+<script>var undefined_variable</script>
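
Review bot: Nothing in the test says that the trailing `<script>var undefined_variable</script>` is what triggers the new check, and the `try`/`catch` around the `proto.__proto__` assignment reads as if the assignment itself were expected to throw. The expected output added in this revision has no "Caught:" line, so the TypeError comes from the second script's global initialization; a short comment saying so would keep the second script from being removed as dead code. The test also places the Proxy at a single position in the chain and defines only a `has` trap, so a second case with the Proxy at a different depth would exercise more than one iteration pattern of the new loop.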

Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog (211936 => 211937)


--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog	2017-02-09 08:54:57 UTC (rev 211936)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog	2017-02-09 08:55:07 UTC (rev 211937)
@@ -1,3 +1,14 @@
+2016-11-30  Mark Lam  <[email protected]>
+
+        Proxy is not allowed in the global prototype chain.
+        https://bugs.webkit.org/show_bug.cgi?id=165205
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/ProgramExecutable.cpp:
+        (JSC::ProgramExecutable::initializeGlobalProperties):
+        - We'll now throw a TypeError if we detect a Proxy in the global prototype chain.
+
 2016-10-27  Mark Lam  <[email protected]>
 
         JSFunction::put() should not allow caching of lazily reified properties.
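
Review bot: The entry `* runtime/ProgramExecutable.cpp:` names a file this revision does not modify; on this branch the check lands in `runtime/Executable.cpp`, which is where the diff below shows `ProgramExecutable` code living. Since this is a merge of r209149 onto webkit-2.14, adjust the path in the merged ChangeLog entry or note the difference, so someone searching the branch history by file name finds this change.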

Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/runtime/Executable.cpp (211936 => 211937)


--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/runtime/Executable.cpp	2017-02-09 08:54:57 UTC (rev 211936)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/runtime/Executable.cpp	2017-02-09 08:55:07 UTC (rev 211937)
@@ -587,6 +587,15 @@
     RELEASE_ASSERT(globalObject);
     ASSERT(&globalObject->vm() == &vm);
 
+    JSValue nextPrototype = globalObject->getPrototypeDirect();
+    while (nextPrototype && nextPrototype.isObject()) {
+        if (UNLIKELY(asObject(nextPrototype)->type() == ProxyObjectType)) {
+            ExecState* exec = globalObject->globalExec();
+            return createTypeError(exec, ASCIILiteral("Proxy is not allowed in the global prototype chain."));
+        }
+        nextPrototype = asObject(nextPrototype)->getPrototypeDirect();
+    }
+
     JSObject* exception = 0;
     UnlinkedProgramCodeBlock* unlinkedCodeBlock = globalObject->createProgramCodeBlock(callFrame, this, &exception);
     if (exception)
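
Review bot: The new loop over `getPrototypeDirect()` has no comment explaining why a Proxy in the global prototype chain is rejected, or that the check is enforced only at this point, when a program's global properties are initialized. The layout test in this revision shows the consequence: the Proxy is installed without an exception and the TypeError surfaces only when the next script is loaded. A one-line comment above `JSValue nextPrototype = ...` stating that invariant would help. Also, `callFrame` is already in scope (it is passed to `createProgramCodeBlock` just below), so either use it for `createTypeError` or say why `globalObject->globalExec()` is preferred here.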
@@ -678,7 +687,7 @@
             RELEASE_ASSERT(offsetForAssert == offset);
         }
     }
-    return 0;
+    return nullptr;
 }
 
 void ProgramExecutable::visitChildren(JSCell* cell, SlotVisitor& visitor)
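
Review bot: `return nullptr;` is a style cleanup unrelated to the Proxy check, and it is applied inconsistently: the context of the previous hunk still has `JSObject* exception = 0;` in the same file. Either convert both in this change or leave the cleanup out so the merge onto the release branch carries only the behavioural fix.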
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
