Bug 200386

Summary: JSObject::putInlineSlow should not ignore "__proto__" for Proxy
Product: WebKit
Component: JavaScriptCore
Version: Safari 12
Hardware: All
OS: All
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Keywords: InRadar
Reporter: jundong.xjd
Assignee: Saam Barati <saam>
CC: bfulgham, commit-queue, ews-feeder, ews-watchlist, fpizlo, hexiaoyu, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer, ysuzuki
Attachments:
  patch (flags: ysuzuki: review+)
  patch for landing (flags: none)

Description jundong.xjd 2019-08-02 02:16:25 PDT
poc.js
```js
let map = new Map();
function v5() {
    function v10() {
        // getPrototypeOf trap on the Proxy below. If the engine asks the
        // Proxy for its prototype while it is still performing the
        // `map.__proto__ = p` put, this trap re-enters v5 (and so v10)
        // and mutates `map` underneath the in-progress put.
        function v11() {
            const v12 = v5();
            return null;
        }
        const handler = { getPrototypeOf:v11 };
        const p = new Proxy(map,handler);
        // First pass: map's prototype becomes the Proxy. Every later pass
        // finds that Proxy in map's prototype chain while assigning
        // "__proto__" again.
        map.__proto__ = p;
        const v16 = v10();
    }
    try {
        const v17 = v10();
    } catch(e) {
        // Unbounded recursion ends in a RangeError; swallowed so v5
        // keeps going on each re-entry.
        //print(e);
    }
}
const v19 = v5();
```

execution result (debug build):
```
ASSERTION FAILED: baseValue.asCell()->structure(vm) == structure
../../Source/JavaScriptCore/jit/Repatch.cpp(468) : JSC::InlineCacheAction JSC::tryCachePutByID(JSC::ExecState *, JSC::JSValue, JSC::Structure *, const JSC::Identifier &, const JSC::PutPropertySlot &, JSC::StructureStubInfo &, JSC::PutKind)
[1]    17017 abort (core dumped)  /media/hdd/WebKit-git/webkit_build_825bbd0_20190704/Debug/bin/jsc
```
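Added example (mine, not the reporter's PoC and not the regression test from the patch; it relies only on ECMAScript Proxy semantics and runs under any compliant engine such as node). It shows the behaviour the fix restores: when a Proxy sits in an object's prototype chain, an assignment to "__proto__" on the derived object must reach the Proxy's set trap with the original receiver, and the trap's return value decides whether the write happens. A getPrototypeOf trap on that Proxy is never consulted during the assignment. In the PoC above it is consulted, which is how v5 gets re-entered and map's structure changes under the put that tryCachePutByID is about to cache against; the assertion on line 468 is exactly that invariant, that the base object still has the structure the put started with. The second function covers Reflect.set with an explicit receiver, the spec's OrdinarySet where the receiver is not the object itself; it is included because comment 4 asks for the same fix in ordinarySetSlow, though which JSC path handles that form is not stated on this page. All object and function names below are constructed for the example.

```javascript
// Assignment of "__proto__" on an object whose prototype chain contains a
// Proxy. Per spec, OrdinarySet finds no own "__proto__" on `obj`, reaches
// the Proxy and invokes its [[Set]] (the "set" trap). It must not step past
// the Proxy as if "__proto__" were a special case.
function assignProtoThroughProxy() {
  const calls = [];
  const target = {};                       // constructed for the example
  const proxy = new Proxy(target, {
    getPrototypeOf(t) {
      calls.push("getPrototypeOf");        // must NOT fire during the put
      return Reflect.getPrototypeOf(t);
    },
    set(t, key, value, receiver) {
      calls.push(`set:${String(key)}`);
      // Default forwarding: Object.prototype's __proto__ setter then runs
      // with this === receiver, so `obj` (not `target`) is re-parented.
      return Reflect.set(t, key, value, receiver);
    },
  });

  const obj = Object.create(proxy);        // obj -> proxy -> target -> Object.prototype
  const newProto = { marker: true };
  obj.__proto__ = newProto;                // the put under discussion

  return {
    calls,
    protoIsNew: Object.getPrototypeOf(obj) === newProto,
    targetUntouched:
      Object.getPrototypeOf(target) === Object.prototype &&
      !Object.prototype.hasOwnProperty.call(target, "__proto__"),
  };
}

// Same lookup, but the receiver is a different object than the one the
// chain starts from (Reflect.set with an explicit receiver). The Proxy's
// trap must still see that receiver, and only the receiver is re-parented.
function assignProtoWithExplicitReceiver() {
  const seen = [];
  const proxy = new Proxy({}, {
    set(t, key, value, receiver) {
      seen.push({ key: String(key), receiverIsSink: receiver === sink });
      return Reflect.set(t, key, value, receiver);
    },
  });
  const base = Object.create(proxy);       // base -> proxy -> {} -> Object.prototype
  const sink = {};                         // receiver whose prototype changes
  const newProto = { fromReflect: true };
  const ok = Reflect.set(base, "__proto__", newProto, sink);
  return {
    ok,
    seen,
    sinkProto: Object.getPrototypeOf(sink) === newProto,
    baseProto: Object.getPrototypeOf(base) === proxy,   // base itself untouched
  };
}

// A trap that vetoes the write. In strict code the assignment must throw a
// TypeError and the prototype must be unchanged: the observable difference
// between honouring the Proxy's [[Set]] and skipping it.
function vetoedProtoAssignment() {
  "use strict";
  const proxy = new Proxy({}, { set() { return false; } });
  const obj = Object.create(proxy);
  let threw = false;
  try {
    obj.__proto__ = {};
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { threw, protoStillProxy: Object.getPrototypeOf(obj) === proxy };
}

console.log(JSON.stringify({
  direct: assignProtoThroughProxy(),
  explicitReceiver: assignProtoWithExplicitReceiver(),
  vetoed: vetoedProtoAssignment(),
}, null, 2));
```

Run it with `node` on a spec-compliant engine: `calls` contains only `set:__proto__`, never `getPrototypeOf`, and in the vetoed case the assignment throws without re-parenting the object. An engine that reproduces the bug would instead show `getPrototypeOf` in `calls` for the first scenario, because it walked past the Proxy to its prototype.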
Comment 1 Radar WebKit Bug Importer 2019-08-02 02:16:46 PDT
<rdar://problem/53854946>
Comment 2 Saam Barati 2019-09-12 17:20:48 PDT
patch forthcoming
Comment 3 Saam Barati 2019-09-12 18:20:21 PDT
Created attachment 378698 [details]
patch
Comment 4 Yusuke Suzuki 2019-09-12 18:24:29 PDT
Comment on attachment 378698 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=378698&action=review

r=me

> Source/JavaScriptCore/runtime/JSObject.cpp:841
> +        if (obj->type() == ProxyObjectType) {

Can you fix ordinarySetSlow too?
Comment 5 Saam Barati 2019-09-12 18:31:20 PDT
(In reply to Yusuke Suzuki from comment #4)
> Comment on attachment 378698 [details]
> patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=378698&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/runtime/JSObject.cpp:841
> > +        if (obj->type() == ProxyObjectType) {
> 
> Can you fix ordinarySetSlow too?

Good call. Fixed and added a test.
Comment 6 Saam Barati 2019-09-12 18:33:31 PDT
Created attachment 378700 [details]
patch for landing
Comment 7 EWS Watchlist 2019-09-12 20:49:49 PDT
Comment on attachment 378700 [details]
patch for landing

Attachment 378700 [details] did not pass jsc-ews (mac):
Output: https://webkit-queues.webkit.org/results/13027855

New failing tests:
mozilla-tests.yaml/js1_5/Array/regress-101964.js.mozilla-ftl-eager-no-cjit-validate-phases
Comment 8 Saam Barati 2019-09-16 11:48:59 PDT
The test is flaky. It's not this patch.
Comment 9 WebKit Commit Bot 2019-09-16 12:32:46 PDT
Comment on attachment 378700 [details]
patch for landing

Clearing flags on attachment: 378700

Committed r249911: <https://trac.webkit.org/changeset/249911>
Comment 10 WebKit Commit Bot 2019-09-16 12:32:48 PDT
All reviewed patches have been landed.  Closing bug.
Comment 11 Yusuke Suzuki 2019-10-21 10:09:01 PDT
*** Bug 202342 has been marked as a duplicate of this bug. ***
Comment 12 Yusuke Suzuki 2020-05-05 17:06:12 PDT
*** Bug 202624 has been marked as a duplicate of this bug. ***