Bug 39360

Summary: JSObjectSetPrototype doesn't check for cycle in prototype chain.
Product: WebKit Reporter: Jędrzej Nowacki <jedrzej.nowacki>
Component: JavaScriptCoreAssignee: Jędrzej Nowacki <jedrzej.nowacki>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ggaren, oliver
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 39356    
Attachments:
Description Flags
Fix v1 none

Jędrzej Nowacki
Reported 2010-05-19 07:53:33 PDT
JSObjectSetPrototype permits to set any object as prototype of any object. Lack of check if an object being added to a property chain is actually in it, could produce crashes and hangs. A small snippet: JSObjectRef object = JSObjectMake(context, /* jsClass */ 0, /* data */ 0); JSObjectSetPrototype(context, object, object); JSObjectGetProperty(context, object, invalid_property_name, /* exception*/ 0); The code should hang. I suppose to see same behavior: > a = new Object [object Object] > a.__proto__=a Exception: Error: cyclic __proto__ value > The patch is on the way...
Attachments
Fix v1 (7.02 KB, patch)
2010-05-28 07:29 PDT, Jędrzej Nowacki 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Jędrzej Nowacki
Comment 1 2010-05-28 07:29:00 PDT
Created attachment 57329 [details] Fix v1
Geoffrey Garen
Comment 2 2010-05-28 10:06:02 PDT
Comment on attachment 57329 [details] Fix v1 r=me Nice.
WebKit Commit Bot
Comment 3 2010-05-28 23:16:35 PDT
Comment on attachment 57329 [details] Fix v1 Clearing flags on attachment: 57329 Committed r60390: <http://trac.webkit.org/changeset/60390>
WebKit Commit Bot
Comment 4 2010-05-28 23:16:41 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.