- Revision
- 250543
- Author
- tzaga...@apple.com
- Date
- 2019-09-30 21:06:25 -0700 (Mon, 30 Sep 2019)
Log Message
Make assertion in JSObject::putOwnDataProperty more precise
https://bugs.webkit.org/show_bug.cgi?id=202379
<rdar://problem/49515980>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/object-assign-target-proto-setter.js: Added.
(get Object):
Source/_javascript_Core:
Currently, we assert that the structure has no accessors/custom accessors, but that assertion is
too conservative. All we need to prove is that the property being inserted either does not exist
in the target object or is neither an accessor nor read-only.
* runtime/JSObject.h:
(JSC::JSObject::putOwnDataProperty): Deleted.
(JSC::JSObject::putOwnDataPropertyMayBeIndex): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::validatePutOwnDataProperty):
(JSC::JSObject::putOwnDataProperty):
(JSC::JSObject::putOwnDataPropertyMayBeIndex):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (250542 => 250543)
--- trunk/JSTests/ChangeLog 2019-10-01 03:36:01 UTC (rev 250542)
+++ trunk/JSTests/ChangeLog 2019-10-01 04:06:25 UTC (rev 250543)
@@ -1,3 +1,14 @@
+2019-09-30 Tadeu Zagallo <tzaga...@apple.com>
+
+ Make assertion in JSObject::putOwnDataProperty more precise
+ https://bugs.webkit.org/show_bug.cgi?id=202379
+ <rdar://problem/49515980>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/object-assign-target-proto-setter.js: Added.
+ (get Object):
+
2019-09-30 Yusuke Suzuki <ysuz...@apple.com>
[JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
Added: trunk/JSTests/stress/object-assign-target-proto-setter.js (0 => 250543)
--- trunk/JSTests/stress/object-assign-target-proto-setter.js (rev 0)
+++ trunk/JSTests/stress/object-assign-target-proto-setter.js 2019-10-01 04:06:25 UTC (rev 250543)
@@ -0,0 +1,3 @@
+const x = {};
+Object.defineProperty(x, '__proto__', {get: ()=>{}});
+Object.assign(x, { get: ()=> {} });
Modified: trunk/Source/_javascript_Core/ChangeLog (250542 => 250543)
--- trunk/Source/_javascript_Core/ChangeLog 2019-10-01 03:36:01 UTC (rev 250542)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-10-01 04:06:25 UTC (rev 250543)
@@ -1,3 +1,23 @@
+2019-09-30 Tadeu Zagallo <tzaga...@apple.com>
+
+ Make assertion in JSObject::putOwnDataProperty more precise
+ https://bugs.webkit.org/show_bug.cgi?id=202379
+ <rdar://problem/49515980>
+
+ Reviewed by Yusuke Suzuki.
+
+ Currently, we assert that the structure has no accessors/custom accessors, but that assertion is
+ too conservative. All we need to prove is that the property being inserted either does not exist
+ in the target object or is neither an accessor nor read-only.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::putOwnDataProperty): Deleted.
+ (JSC::JSObject::putOwnDataPropertyMayBeIndex): Deleted.
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::validatePutOwnDataProperty):
+ (JSC::JSObject::putOwnDataProperty):
+ (JSC::JSObject::putOwnDataPropertyMayBeIndex):
+
2019-09-30 Yusuke Suzuki <ysuz...@apple.com>
[JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (250542 => 250543)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2019-10-01 03:36:01 UTC (rev 250542)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2019-10-01 04:06:25 UTC (rev 250543)
@@ -727,6 +727,9 @@
// This is used by JSLexicalEnvironment.
bool putOwnDataProperty(VM&, PropertyName, JSValue, PutPropertySlot&);
bool putOwnDataPropertyMayBeIndex(ExecState*, PropertyName, JSValue, PutPropertySlot&);
+private:
+ void validatePutOwnDataProperty(VM&, PropertyName, JSValue);
+public:
// Fast access to known property offsets.
ALWAYS_INLINE JSValue getDirect(PropertyOffset offset) const { return locationForOffset(offset)->get(); }
@@ -1490,30 +1493,6 @@
return jsUndefined();
}
-inline bool JSObject::putOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
-{
- ASSERT(value);
- ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
- ASSERT(!structure(vm)->hasGetterSetterProperties());
- ASSERT(!structure(vm)->hasCustomGetterSetterProperties());
-
- return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
-}
-
-inline bool JSObject::putOwnDataPropertyMayBeIndex(ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
-{
- VM& vm = exec->vm();
- ASSERT(value);
- ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
- ASSERT(!structure(vm)->hasGetterSetterProperties());
- ASSERT(!structure(vm)->hasCustomGetterSetterProperties());
-
- if (Optional<uint32_t> index = parseIndex(propertyName))
- return putDirectIndex(exec, index.value(), value, 0, PutDirectIndexLikePutDirect);
-
- return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
-}
-
inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
{
ASSERT(!value.isGetterSetter() && !(attributes & PropertyAttribute::Accessor));
Modified: trunk/Source/_javascript_Core/runtime/JSObjectInlines.h (250542 => 250543)
--- trunk/Source/_javascript_Core/runtime/JSObjectInlines.h 2019-10-01 03:36:01 UTC (rev 250542)
+++ trunk/Source/_javascript_Core/runtime/JSObjectInlines.h 2019-10-01 04:06:25 UTC (rev 250543)
@@ -462,5 +462,40 @@
}
}
+inline void JSObject::validatePutOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value)
+{
+#if !ASSERT_DISABLED
+ ASSERT(value);
+ ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
+ unsigned attributes;
+ PropertyOffset offset = structure(vm)->get(vm, propertyName, attributes);
+ if (isValidOffset(offset))
+ ASSERT(!(attributes & (PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor | PropertyAttribute::ReadOnly)));
+ else if (TypeInfo::hasStaticPropertyTable(inlineTypeFlags())) {
+ if (auto entry = findPropertyHashEntry(vm, propertyName))
+ ASSERT(!(entry->value->attributes() & (PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor | PropertyAttribute::ReadOnly)));
+ }
+#else
+ UNUSED_PARAM(vm);
+ UNUSED_PARAM(propertyName);
+ UNUSED_PARAM(value);
+#endif
+}
+inline bool JSObject::putOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
+ validatePutOwnDataProperty(vm, propertyName, value);
+ return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
+}
+
+inline bool JSObject::putOwnDataPropertyMayBeIndex(ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
+ VM& vm = exec->vm();
+ validatePutOwnDataProperty(vm, propertyName, value);
+ if (Optional<uint32_t> index = parseIndex(propertyName))
+ return putDirectIndex(exec, index.value(), value, 0, PutDirectIndexLikePutDirect);
+
+ return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
+}
+
} // namespace JSC