Title: [222175] trunk/Source/_javascript_Core
- Revision: 222175
- Author: [email protected]
- Date: 2017-09-18 13:06:34 -0700 (Mon, 18 Sep 2017)
Log Message
[JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
https://bugs.webkit.org/show_bug.cgi?id=177070
Reviewed by Saam Barati.
For security reasons, our global object is an immutable prototype exotic object.
It prevents users from injecting proxies into the prototype chain of the global object[1].
But our JSC API does not respect this attribute, and allows users to change [[Prototype]]
of the global object after instantiating it.
This patch removes this feature. Once the global object is instantiated, we cannot change [[Prototype]]
of the global object. It drops the JSGlobalObject::resetPrototype use, which involves GlobalThis
edge cases.
[1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
* API/JSObjectRef.cpp:
(JSObjectSetPrototype):
* API/tests/CustomGlobalObjectClassTest.c:
(globalObjectSetPrototypeTest):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/API/JSObjectRef.cpp (222174 => 222175)
--- trunk/Source/_javascript_Core/API/JSObjectRef.cpp 2017-09-18 19:35:18 UTC (rev 222174)
+++ trunk/Source/_javascript_Core/API/JSObjectRef.cpp 2017-09-18 20:06:34 UTC (rev 222175)
@@ -267,16 +267,8 @@
JSObject* jsObject = toJS(object);
JSValue jsValue = toJS(exec, value);
-
- if (JSProxy* proxy = jsDynamicCast<JSProxy*>(vm, jsObject)) {
- if (JSGlobalObject* globalObject = jsDynamicCast<JSGlobalObject*>(vm, proxy->target())) {
- globalObject->resetPrototype(vm, jsValue.isObject() ? jsValue : jsNull());
- return;
- }
- // Someday we might use proxies for something other than JSGlobalObjects, but today is not that day.
- RELEASE_ASSERT_NOT_REACHED();
- }
jsObject->setPrototype(vm, exec, jsValue.isObject() ? jsValue : jsNull());
+ handleExceptionIfNeeded(exec, nullptr);
}
bool JSObjectHasProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName)
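Review bot: With the JSProxy branch removed, a call to JSObjectSetPrototype on a global object now falls through to `jsObject->setPrototype(...)`, and the new `handleExceptionIfNeeded(exec, nullptr)` clears any resulting exception without an out-parameter, so API callers get no signal that their request was ignored. That is the intended behaviour per the log message, but it is an observable API change; the header comment for JSObjectSetPrototype in JSObjectRef.h should state that the global object's [[Prototype]] is fixed after creation and that the call is a no-op there.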
Modified: trunk/Source/_javascript_Core/API/tests/CustomGlobalObjectClassTest.c (222174 => 222175)
--- trunk/Source/_javascript_Core/API/tests/CustomGlobalObjectClassTest.c 2017-09-18 19:35:18 UTC (rev 222174)
+++ trunk/Source/_javascript_Core/API/tests/CustomGlobalObjectClassTest.c 2017-09-18 20:06:34 UTC (rev 222175)
@@ -110,19 +110,11 @@
JSGlobalContextRef context = JSGlobalContextCreate(global);
JSObjectRef object = JSContextGetGlobalObject(context);
+ JSValueRef originalPrototype = JSObjectGetPrototype(context, object);
JSObjectRef above = JSObjectMake(context, 0, 0);
- JSStringRef test = JSStringCreateWithUTF8CString("test");
- JSValueRef value = JSValueMakeString(context, test);
- JSObjectSetProperty(context, above, test, value, kJSPropertyAttributeDontEnum, 0);
-
JSObjectSetPrototype(context, object, above);
- JSStringRef script = JSStringCreateWithUTF8CString("test === \"test\"");
- JSValueRef result = JSEvaluateScript(context, script, 0, 0, 0, 0);
-
- assertTrue(JSValueToBoolean(context, result), "test === \"test\"");
-
- JSStringRelease(test);
- JSStringRelease(script);
+ JSValueRef prototypeAfterChangingAttempt = JSObjectGetPrototype(context, object);
+ assertTrue(JSValueIsStrictEqual(context, prototypeAfterChangingAttempt, originalPrototype), "Global object's [[Prototype]] cannot be changed after instantiating it");
}
void globalObjectPrivatePropertyTest()
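Review bot: The rewritten test only asserts identity of the prototype before and after the call (`JSValueIsStrictEqual(context, prototypeAfterChangingAttempt, originalPrototype)`), which is the right core check, but the removed script evaluation was also useful evidence: keeping a property on `above` and asserting that `test` is not resolvable from the global scope after `JSObjectSetPrototype(context, object, above)` would show that nothing from `above` leaks into the global prototype chain, which is the security property the change is meant to enforce.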
Modified: trunk/Source/_javascript_Core/ChangeLog (222174 => 222175)
--- trunk/Source/_javascript_Core/ChangeLog 2017-09-18 19:35:18 UTC (rev 222174)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-09-18 20:06:34 UTC (rev 222175)
@@ -1,3 +1,26 @@
+2017-09-18 Yusuke Suzuki <[email protected]>
+
+ [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
+ https://bugs.webkit.org/show_bug.cgi?id=177070
+
+ Reviewed by Saam Barati.
+
+ Due to the security reason, our global object is immutable prototype exotic object.
+ It prevents users from injecting proxies into the prototype chain of the global object[1].
+ But our JSC API does not respect this attribute, and allows users to change [[Prototype]]
+ of the global object after instantiating it.
+
+ This patch removes this feature. Once global object is instantiated, we cannot change [[Prototype]]
+ of the global object. It drops JSGlobalObject::resetPrototype use, which involves GlobalThis
+ edge cases.
+
+ [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
+
+ * API/JSObjectRef.cpp:
+ (JSObjectSetPrototype):
+ * API/tests/CustomGlobalObjectClassTest.c:
+ (globalObjectSetPrototypeTest):
+
2017-09-17 Yusuke Suzuki <[email protected]>
[DFG] Remove ToThis more aggressively
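Review bot: The entry explains the internal motivation (dropping JSGlobalObject::resetPrototype and its GlobalThis edge cases) but not the user-visible consequence: JSObjectSetPrototype called on a global object now leaves [[Prototype]] unchanged and reports no error. A sentence stating that, and noting the "Consider dropping" subject line is now an actual removal, would make the entry clearer for API consumers reading the log.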