Bug 200386

Summary: JSObject::putInlineSlow should not ignore "__proto__" for Proxy
Product: WebKit Reporter: jundong.xjd
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, commit-queue, ews-feeder, ews-watchlist, fpizlo, hexiaoyu, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: Safari 12   
Hardware: All   
OS: All   
Attachments:
Description Flags
patch
ysuzuki: review+
patch for landing none

jundong.xjd
Reported 2019-08-02 02:16:25 PDT
poc.js ``` let map = new Map(); function v5() { function v10() { function v11() { const v12 = v5(); return null; } const handler = { getPrototypeOf:v11 }; const p = new Proxy(map,handler); map.__proto__ = p; const v16 = v10(); } try { const v17 = v10(); } catch(e) { //print(e); } } const v19 = v5(); ``` execution result: ASSERTION FAILED: baseValue.asCell()->structure(vm) == structure ../../Source/JavaScriptCore/jit/Repatch.cpp(468) : JSC::InlineCacheAction JSC::tryCachePutByID(JSC::ExecState *, JSC::JSValue, JSC::Structure *, const JSC::Identifier &, const JSC::PutPropertySlot &, JSC::StructureStubInfo &, JSC::PutKind) [1] 17017 abort (core dumped) /media/hdd/WebKit-git/webkit_build_825bbd0_20190704/Debug/bin/jsc
Attachments
patch (4.59 KB, patch)
2019-09-12 18:20 PDT, Saam Barati 		ysuzuki: review+
DetailsFormatted DiffDiff
patch for landing (5.11 KB, patch)
2019-09-12 18:33 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2019-08-02 02:16:46 PDT
<rdar://problem/53854946>
Saam Barati
Comment 2 2019-09-12 17:20:48 PDT
patch forthcoming
Saam Barati
Comment 3 2019-09-12 18:20:21 PDT
Created attachment 378698 [details] patch
Yusuke Suzuki
Comment 4 2019-09-12 18:24:29 PDT
Comment on attachment 378698 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=378698&action=review r=me > Source/JavaScriptCore/runtime/JSObject.cpp:841 > + if (obj->type() == ProxyObjectType) { Can you fix ordinarySetSlow too?
Saam Barati
Comment 5 2019-09-12 18:31:20 PDT
(In reply to Yusuke Suzuki from comment #4) > Comment on attachment 378698 [details] > patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=378698&action=review > > r=me > > > Source/JavaScriptCore/runtime/JSObject.cpp:841 > > + if (obj->type() == ProxyObjectType) { > > Can you fix ordinarySetSlow too? Good call. Fixed and added a test
Saam Barati
Comment 6 2019-09-12 18:33:31 PDT
Created attachment 378700 [details] patch for landing
EWS Watchlist
Comment 7 2019-09-12 20:49:49 PDT
Comment on attachment 378700 [details] patch for landing Attachment 378700 [details] did not pass jsc-ews (mac): Output: https://webkit-queues.webkit.org/results/13027855 New failing tests: mozilla-tests.yaml/js1_5/Array/regress-101964.js.mozilla-ftl-eager-no-cjit-validate-phases
Saam Barati
Comment 8 2019-09-16 11:48:59 PDT
The test is flaky. It's not this patch
WebKit Commit Bot
Comment 9 2019-09-16 12:32:46 PDT
Comment on attachment 378700 [details] patch for landing Clearing flags on attachment: 378700 Committed r249911: <https://trac.webkit.org/changeset/249911>
WebKit Commit Bot
Comment 10 2019-09-16 12:32:48 PDT
All reviewed patches have been landed. Closing bug.
Yusuke Suzuki
Comment 11 2019-10-21 10:09:01 PDT
*** Bug 202342 has been marked as a duplicate of this bug. ***
Yusuke Suzuki
Comment 12 2020-05-05 17:06:12 PDT
*** Bug 202624 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.