Log Message
Merge r246040 - [JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect https://bugs.webkit.org/show_bug.cgi?id=198477 <rdar://problem/51299504>
Reviewed by Saam Barati. Source/_javascript_Core: JSObject::attemptToInterceptPutByIndexOnHole uses getPrototypeDirect, but it should use getPrototype to handle getPrototype methods in derived JSObject classes correctly. * runtime/JSArrayInlines.h: (JSC::JSArray::pushInline): * runtime/JSObject.cpp: (JSC::JSObject::putByIndex): (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype): (JSC::JSObject::attemptToInterceptPutByIndexOnHole): (JSC::JSObject::putByIndexBeyondVectorLength): LayoutTests: Ensure that JSWindow::getPrototype is used. * http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt: Added. * http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html: Added. * http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-in-put-test.html: Added.
Modified Paths
- releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog
- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog
- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSArrayInlines.h
- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSObject.cpp
Added Paths
- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt
- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html
- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-in-put-test.html
Diff
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog (248231 => 248232)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-08-04 03:23:10 UTC (rev 248231)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-08-04 03:23:13 UTC (rev 248232)
@@ -1,3 +1,17 @@
+2019-06-03 Yusuke Suzuki <[email protected]>
+
+ [JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect
+ https://bugs.webkit.org/show_bug.cgi?id=198477
+ <rdar://problem/51299504>
+
+ Reviewed by Saam Barati.
+
+ Ensure that JSWindow::getPrototype is used.
+
+ * http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt: Added.
+ * http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html: Added.
+ * http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-in-put-test.html: Added.
+
2019-05-20 Chris Dumez <[email protected]>
Fix security check in ScriptController::canAccessFromCurrentOrigin()
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt (0 => 248232)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt 2019-08-04 03:23:13 UTC (rev 248232)
@@ -0,0 +1,6 @@
+This tests that you can't get the prototype of the window during [[Put]] operation.
+
+PASS: successfullyParsed should be 'true' and is.
+
+TEST COMPLETE
+
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html (0 => 248232)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html 2019-08-04 03:23:13 UTC (rev 248232)
@@ -0,0 +1,42 @@
+<html>
+<head>
+ <script src=""
+ <script src=""
+ <script>
+ jsTestIsAsync = true;
+
+ // Set up listener for message from iframe
+ addEventListener('message', function(event) {
+ if (event.data == "finishedLoad")
+ doTest();
+ }, false);
+
+
+ doTest = function()
+ {
+ targetWindow = document.getElementById("target").contentWindow;
+ var array = [];
+ array.__proto__.__proto__ = targetWindow;
+ array[0] = 11.11;
+ array[2] = 22.22;
+ array[10101010] = {
+ toString() {
+ testFailed("toString is called by 10101010 setter");
+ }
+ };
+ array["cocoa"] = {
+ toString() {
+ testFailed("toString is called by cocoa setter");
+ }
+ };
+ finishJSTest();
+ }
+ </script>
+</head>
+<body>
+ <div>This tests that you can't get the prototype of the window during [[Put]] operation.</div>
+ <iframe id="target" src=""
+ <pre id="console"></pre>
+ <script src=""
+</body>
+</html>
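Review bot: The test has no explicit failure path if one of the puts throws: with `jsTestIsAsync = true`, an exception escaping `array[10101010] = {...}` would skip `finishJSTest()` and the test would time out rather than report a failure. Wrapping the four assignments in `try { ... } catch (e) { testFailed("put threw: " + e); }` and calling `finishJSTest()` on both paths would make that mode explicit, and a `testPassed("setters on the cross-origin prototype chain were not invoked")` after the assignments would give the expected output a positive line beyond `successfullyParsed`. The `src` attributes of the script and iframe tags appear empty in this rendering, so the resource wiring could not be checked here.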
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-in-put-test.html (0 => 248232)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-in-put-test.html (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-in-put-test.html 2019-08-04 03:23:13 UTC (rev 248232)
@@ -0,0 +1,23 @@
+<html>
+<head>
+ <script>
+ _onload_ = function()
+ {
+ Object.defineProperty(Object.prototype, 10101010, {
+ set: function (v) {
+ return 'a' + v;
+ }
+ });
+ Object.defineProperty(Object.prototype, "cocoa", {
+ set: function (v) {
+ return 'a' + v;
+ }
+ });
+ parent.postMessage("finishedLoad", "*");
+ }
+ </script>
+</head>
+<body>
+ Body
+</body>
+</html>
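Review bot: The purpose of `return 'a' + v` in both setters is not stated: the concatenation is what forces `v.toString()`, and it is the parent page's `toString` that reports the failure, so the returned value itself is discarded. A one-line comment above the first `Object.defineProperty`, `// 'a' + v forces v.toString(); the parent's toString() flags the put as a failure if this setter is ever reached.`, would keep a future edit from simplifying the setter to a no-op and silently losing the check.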
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog (248231 => 248232)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog 2019-08-04 03:23:10 UTC (rev 248231)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog 2019-08-04 03:23:13 UTC (rev 248232)
@@ -1,3 +1,22 @@
+2019-06-03 Yusuke Suzuki <[email protected]>
+
+ [JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect
+ https://bugs.webkit.org/show_bug.cgi?id=198477
+ <rdar://problem/51299504>
+
+ Reviewed by Saam Barati.
+
+ JSObject::attemptToInterceptPutByIndexOnHole uses getPrototypeDirect, but it should use getPrototype to
+ handle getPrototype methods in derived JSObject classes correctly.
+
+ * runtime/JSArrayInlines.h:
+ (JSC::JSArray::pushInline):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putByIndex):
+ (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
+ (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
+ (JSC::JSObject::putByIndexBeyondVectorLength):
+
2019-06-25 Michael Catanzaro <[email protected]>
REGRESSION(r245586): static assertion failed: Match result and EncodedMatchResult should be the same size
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSArrayInlines.h (248231 => 248232)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSArrayInlines.h 2019-08-04 03:23:10 UTC (rev 248231)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSArrayInlines.h 2019-08-04 03:23:13 UTC (rev 248232)
@@ -212,8 +212,10 @@
case ArrayWithSlowPutArrayStorage: {
unsigned oldLength = length();
bool putResult = false;
- if (attemptToInterceptPutByIndexOnHole(exec, oldLength, value, true, putResult)) {
- if (!scope.exception() && oldLength < 0xFFFFFFFFu) {
+ bool result = attemptToInterceptPutByIndexOnHole(exec, oldLength, value, true, putResult);
+ RETURN_IF_EXCEPTION(scope, void());
+ if (result) {
+ if (oldLength < 0xFFFFFFFFu) {
scope.release();
setLength(exec, oldLength + 1, true);
}
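Review bot: The ordering of `RETURN_IF_EXCEPTION(scope, void())` before `if (result)` is load-bearing but undocumented: `attemptToInterceptPutByIndexOnHole` now returns false when `getPrototype` throws as well as when nothing intercepted the put, so testing `result` first would treat a throw as a miss and fall into the length update. A comment on the new call, `// false also means "threw" -- check the scope before trusting result`, would preserve that intent. The enclosing `pushInline` body and the declaration of `scope` are outside this hunk.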
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSObject.cpp (248231 => 248232)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSObject.cpp 2019-08-04 03:23:10 UTC (rev 248231)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSObject.cpp 2019-08-04 03:23:13 UTC (rev 248232)
@@ -916,11 +916,15 @@
WriteBarrier<Unknown>& valueSlot = storage->m_vector[propertyName];
unsigned length = storage->length();
+
+ auto scope = DECLARE_THROW_SCOPE(vm);
// Update length & m_numValuesInVector as necessary.
if (propertyName >= length) {
bool putResult = false;
- if (thisObject->attemptToInterceptPutByIndexOnHole(exec, propertyName, value, shouldThrow, putResult))
+ bool result = thisObject->attemptToInterceptPutByIndexOnHole(exec, propertyName, value, shouldThrow, putResult);
+ RETURN_IF_EXCEPTION(scope, false);
+ if (result)
return putResult;
length = propertyName + 1;
storage->setLength(length);
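Review bot: `scope` is declared mid-function at `auto scope = DECLARE_THROW_SCOPE(vm);`, after `valueSlot` and `length` are read, rather than next to `vm` at the top of `putByIndex`; that is harmless here because neither read can throw, but it makes it easy to miss that any later throwing call in the function (outside this hunk) now runs under a live scope. Moving the declaration to the top of the function, or adding `// Declared here because only the intercept paths below can throw.`, would make the placement deliberate. The same false-means-maybe-threw ordering applies to the `!valueSlot` branch in the next hunk. The function's start is outside this hunk.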
@@ -927,7 +931,9 @@
++storage->m_numValuesInVector;
} else if (!valueSlot) {
bool putResult = false;
- if (thisObject->attemptToInterceptPutByIndexOnHole(exec, propertyName, value, shouldThrow, putResult))
+ bool result = thisObject->attemptToInterceptPutByIndexOnHole(exec, propertyName, value, shouldThrow, putResult);
+ RETURN_IF_EXCEPTION(scope, false);
+ if (result)
return putResult;
++storage->m_numValuesInVector;
}
@@ -2676,6 +2682,8 @@
bool JSObject::attemptToInterceptPutByIndexOnHoleForPrototype(ExecState* exec, JSValue thisValue, unsigned i, JSValue value, bool shouldThrow, bool& putResult)
{
VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
for (JSObject* current = this; ;) {
// This has the same behavior with respect to prototypes as JSObject::put(). It only
// allows a prototype to intercept a put if (a) the prototype declares the property
@@ -2686,6 +2694,7 @@
if (storage && storage->m_sparseMap) {
SparseArrayValueMap::iterator iter = storage->m_sparseMap->find(i);
if (iter != storage->m_sparseMap->notFound() && (iter->value.attributes() & (PropertyAttribute::Accessor | PropertyAttribute::ReadOnly))) {
+ scope.release();
putResult = iter->value.put(exec, thisValue, storage->m_sparseMap.get(), value, shouldThrow);
return true;
}
@@ -2692,12 +2701,14 @@
}
if (current->type() == ProxyObjectType) {
+ scope.release();
ProxyObject* proxy = jsCast<ProxyObject*>(current);
putResult = proxy->putByIndexCommon(exec, thisValue, i, value, shouldThrow);
return true;
}
- JSValue prototypeValue = current->getPrototypeDirect(vm);
+ JSValue prototypeValue = current->getPrototype(vm, exec);
+ RETURN_IF_EXCEPTION(scope, false);
if (prototypeValue.isNull())
return false;
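Review bot: The switch from `getPrototypeDirect` to the virtual `getPrototype(vm, exec)` is the security-relevant change in this loop but carries no comment, and a reader could "optimise" it back. A comment above the call such as `// Must be the virtual getPrototype: subclasses (e.g. cross-origin window wrappers) can hide their prototype, and a null result ends the walk without intercepting, or can throw.` would document why the direct accessor is wrong here; the window-wrapper example is taken from the ChangeLog and the new layout test rather than from code in this hunk. The rest of the loop, including the advance to the next `current`, is outside the hunk.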
@@ -2707,11 +2718,15 @@
bool JSObject::attemptToInterceptPutByIndexOnHole(ExecState* exec, unsigned i, JSValue value, bool shouldThrow, bool& putResult)
{
- JSValue prototypeValue = getPrototypeDirect(exec->vm());
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
+ JSValue prototypeValue = getPrototype(vm, exec);
+ RETURN_IF_EXCEPTION(scope, false);
if (prototypeValue.isNull())
return false;
- return asObject(prototypeValue)->attemptToInterceptPutByIndexOnHoleForPrototype(exec, this, i, value, shouldThrow, putResult);
+ RELEASE_AND_RETURN(scope, asObject(prototypeValue)->attemptToInterceptPutByIndexOnHoleForPrototype(exec, this, i, value, shouldThrow, putResult));
}
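Review bot: The return contract of `attemptToInterceptPutByIndexOnHole` changed and is undocumented: after `RETURN_IF_EXCEPTION(scope, false)` a false result no longer means only "not intercepted", it can also mean "threw", and `putResult` is left untouched in that case. Any caller not updated in this patch that acts on a false result without checking the scope would proceed with the put after an exception; the three callers listed in the ChangeLog are updated, but whether other callers exist cannot be seen from here. A header comment, `// Returns true if a prototype intercepted the put (outcome in putResult). Returns false when no prototype intercepted it OR when an exception was thrown; callers must check the throw scope before acting on false.`, would pin that down.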
template<IndexingType indexingShape>
@@ -2897,10 +2912,16 @@
case NonArrayWithSlowPutArrayStorage:
case ArrayWithSlowPutArrayStorage: {
// No own property present in the vector, but there might be in the sparse map!
+ auto scope = DECLARE_THROW_SCOPE(vm);
SparseArrayValueMap* map = arrayStorage()->m_sparseMap.get();
bool putResult = false;
- if (!(map && map->contains(i)) && attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow, putResult))
- return putResult;
+ if (!(map && map->contains(i))) {
+ bool result = attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow, putResult);
+ RETURN_IF_EXCEPTION(scope, false);
+ if (result)
+ return putResult;
+ }
+ scope.release();
FALLTHROUGH;
}
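Review bot: The reason for `scope.release()` immediately before `FALLTHROUGH` is not stated; it is needed because the shared code after the fallthrough (outside this hunk) may throw, and leaving the scope live inside this case's braces would otherwise trip the throw-scope checks. A comment, `// Release before falling through: the shared slow path below may throw.`, would make that explicit and stop someone from dropping the line as redundant. The enclosing `putByIndexBeyondVectorLength` switch continues past the end of this hunk.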
