Skip to site navigation (Press enter)

[webkit-changes] [250543] trunk

tzagallo Mon, 30 Sep 2019 21:09:30 -0700

Title: [250543] trunk

Revision: 250543
Author: tzaga...@apple.com
Date: 2019-09-30 21:06:25 -0700 (Mon, 30 Sep 2019)

Log Message

Make assertion in JSObject::putOwnDataProperty more precise
https://bugs.webkit.org/show_bug.cgi?id=202379
<rdar://problem/49515980>


Reviewed by Yusuke Suzuki.

JSTests:

* stress/object-assign-target-proto-setter.js: Added.
(get Object):

Source/_javascript_Core:

Currently, we assert that the structure has no accessors/custom accessors, but that assertion is
too conservative. All we need to prove is that the property being inserted either does not exist
in the target object or is neither an accessor nor read-only.

* runtime/JSObject.h:
(JSC::JSObject::putOwnDataProperty): Deleted.
(JSC::JSObject::putOwnDataPropertyMayBeIndex): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::validatePutOwnDataProperty):
(JSC::JSObject::putOwnDataProperty):
(JSC::JSObject::putOwnDataPropertyMayBeIndex):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSObject.h
trunk/Source/_javascript_Core/runtime/JSObjectInlines.h

Added Paths

trunk/JSTests/stress/object-assign-target-proto-setter.js

Diff

Modified: trunk/JSTests/ChangeLog (250542 => 250543)


--- trunk/JSTests/ChangeLog	2019-10-01 03:36:01 UTC (rev 250542)
+++ trunk/JSTests/ChangeLog	2019-10-01 04:06:25 UTC (rev 250543)
@@ -1,3 +1,14 @@
+2019-09-30  Tadeu Zagallo  <tzaga...@apple.com>
+
+        Make assertion in JSObject::putOwnDataProperty more precise
+        https://bugs.webkit.org/show_bug.cgi?id=202379
+        <rdar://problem/49515980>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/object-assign-target-proto-setter.js: Added.
+        (get Object):
+
 2019-09-30  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too

Added: trunk/JSTests/stress/object-assign-target-proto-setter.js (0 => 250543)


--- trunk/JSTests/stress/object-assign-target-proto-setter.js	                        (rev 0)
+++ trunk/JSTests/stress/object-assign-target-proto-setter.js	2019-10-01 04:06:25 UTC (rev 250543)
@@ -0,0 +1,3 @@
+const x = {};
+Object.defineProperty(x, '__proto__', {get: ()=>{}});
+Object.assign(x, { get: ()=> {} });

Modified: trunk/Source/_javascript_Core/ChangeLog (250542 => 250543)


--- trunk/Source/_javascript_Core/ChangeLog	2019-10-01 03:36:01 UTC (rev 250542)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-10-01 04:06:25 UTC (rev 250543)
@@ -1,3 +1,23 @@
+2019-09-30  Tadeu Zagallo  <tzaga...@apple.com>
+
+        Make assertion in JSObject::putOwnDataProperty more precise
+        https://bugs.webkit.org/show_bug.cgi?id=202379
+        <rdar://problem/49515980>
+
+        Reviewed by Yusuke Suzuki.
+
+        Currently, we assert that the structure has no accessors/custom accessors, but that assertion is
+        too conservative. All we need to prove is that the property being inserted either does not exist
+        in the target object or is neither an accessor nor read-only.
+
+        * runtime/JSObject.h:
+        (JSC::JSObject::putOwnDataProperty): Deleted.
+        (JSC::JSObject::putOwnDataPropertyMayBeIndex): Deleted.
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::validatePutOwnDataProperty):
+        (JSC::JSObject::putOwnDataProperty):
+        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
+
 2019-09-30  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too

Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (250542 => 250543)


--- trunk/Source/_javascript_Core/runtime/JSObject.h	2019-10-01 03:36:01 UTC (rev 250542)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h	2019-10-01 04:06:25 UTC (rev 250543)
@@ -727,6 +727,9 @@
     // This is used by JSLexicalEnvironment.
     bool putOwnDataProperty(VM&, PropertyName, JSValue, PutPropertySlot&);
     bool putOwnDataPropertyMayBeIndex(ExecState*, PropertyName, JSValue, PutPropertySlot&);
+private:
+    void validatePutOwnDataProperty(VM&, PropertyName, JSValue);
+public:
 
     // Fast access to known property offsets.
     ALWAYS_INLINE JSValue getDirect(PropertyOffset offset) const { return locationForOffset(offset)->get(); }
@@ -1490,30 +1493,6 @@
     return jsUndefined();
 }
 
-inline bool JSObject::putOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
-{
-    ASSERT(value);
-    ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
-    ASSERT(!structure(vm)->hasGetterSetterProperties());
-    ASSERT(!structure(vm)->hasCustomGetterSetterProperties());
-
-    return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
-}
-
-inline bool JSObject::putOwnDataPropertyMayBeIndex(ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
-{
-    VM& vm = exec->vm();
-    ASSERT(value);
-    ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
-    ASSERT(!structure(vm)->hasGetterSetterProperties());
-    ASSERT(!structure(vm)->hasCustomGetterSetterProperties());
-
-    if (Optional<uint32_t> index = parseIndex(propertyName))
-        return putDirectIndex(exec, index.value(), value, 0, PutDirectIndexLikePutDirect);
-
-    return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
-}
-
 inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
 {
     ASSERT(!value.isGetterSetter() && !(attributes & PropertyAttribute::Accessor));

Modified: trunk/Source/_javascript_Core/runtime/JSObjectInlines.h (250542 => 250543)


--- trunk/Source/_javascript_Core/runtime/JSObjectInlines.h	2019-10-01 03:36:01 UTC (rev 250542)
+++ trunk/Source/_javascript_Core/runtime/JSObjectInlines.h	2019-10-01 04:06:25 UTC (rev 250543)
@@ -462,5 +462,40 @@
     }
 }
     
+inline void JSObject::validatePutOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value)
+{
+#if !ASSERT_DISABLED
+    ASSERT(value);
+    ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
+    unsigned attributes;
+    PropertyOffset offset = structure(vm)->get(vm, propertyName, attributes);
+    if (isValidOffset(offset))
+        ASSERT(!(attributes & (PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor | PropertyAttribute::ReadOnly)));
+    else if (TypeInfo::hasStaticPropertyTable(inlineTypeFlags())) {
+        if (auto entry = findPropertyHashEntry(vm, propertyName))
+            ASSERT(!(entry->value->attributes() & (PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor | PropertyAttribute::ReadOnly)));
+    }
+#else
+    UNUSED_PARAM(vm);
+    UNUSED_PARAM(propertyName);
+    UNUSED_PARAM(value);
+#endif
+}
 
+inline bool JSObject::putOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
+    validatePutOwnDataProperty(vm, propertyName, value);
+    return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
+}
+
+inline bool JSObject::putOwnDataPropertyMayBeIndex(ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
+    VM& vm = exec->vm();
+    validatePutOwnDataProperty(vm, propertyName, value);
+    if (Optional<uint32_t> index = parseIndex(propertyName))
+        return putDirectIndex(exec, index.value(), value, 0, PutDirectIndexLikePutDirect);
+
+    return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
+}
+
 } // namespace JSC

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes