Bug 239440

Summary: Harden setPrototypeOf().
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch for landing. none

Mark Lam
Reported 2022-04-17 14:42:53 PDT
<rdar://problem/91761043>
Attachments
patch for landing. (5.43 KB, patch)
2022-04-17 14:51 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2022-04-17 14:51:16 PDT
Created attachment 457778 [details] patch for landing.
Mark Lam
Comment 2 2022-04-17 14:54:02 PDT
Landed in r292950: <http://trac.webkit.org/r292950>.
Saam Barati
Comment 3 2022-04-18 10:15:30 PDT
Comment on attachment 457778 [details] patch for landing. View in context: https://bugs.webkit.org/attachment.cgi?id=457778&action=review > Source/JavaScriptCore/runtime/JSObject.cpp:1881 > + else if (UNLIKELY(!prototype.isNull())) // Conservative hardening. > + return; should the above just be a release assert and we can remove this?
Note You need to log in before you can comment on or make changes to this bug.