Bug 52672

Summary: [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCore    Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, ggaren, jruderman, msaboff
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Bug Depends on:    
Bug Blocks: 13638    
Attachments: Patch (flags: barraclough: review+)

Oliver Hunt
Reported 2011-01-18 15:08:15 PST
Test case:
tryItOut("\"use strict\";h();/**/function h(){(0)}(3);function __proto__(){/j/}\"\"")

Adding a function labelled __proto__ triggers a changed-prototype transition, which converts the structure into a non-dictionary type, leading to badness. I'm inclined to simply disallow __proto__ as a variable or function declaration inside eval code.
Attachments
Patch (4.05 KB, patch)
2011-01-19 11:54 PST, Oliver Hunt
barraclough: review+
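For context on what the assertion was guarding, here is an added example (not code from the bug report or from WebKit) showing the behaviour a conforming engine gives a function declaration named __proto__ in eval code: the declaration creates an ordinary scope binding and never writes to the prototype of the activation or global object. The sloppy-mode host function and the string values are constructed for the demonstration; the strict case mirrors the "use strict" prefix in the fuzzer's test case.

```javascript
// Added example, not part of the bug report. Shows the invariant a JS engine must
// keep when eval code declares a function called __proto__: the name becomes a
// plain binding in the eval's variable environment and the prototype chain of the
// surrounding objects is untouched.

// Indirect eval produces a sloppy-mode function regardless of this file's own
// strictness, so the direct eval inside it is allowed to add declarations to the
// function's scope (the situation the JavaScriptCore assertion tripped on).
const sloppyHost = (0, eval)(`(function () {
  eval("function __proto__() { return 'declared via eval'; }");
  return { kind: typeof __proto__, value: __proto__() };
})`);

// Runs the sloppy case and records every observable effect.
function declareProtoInSloppyEval() {
  const protoBefore = Object.getPrototypeOf(globalThis);
  const seenInside = sloppyHost();
  return {
    bindingKind: seenInside.kind,   // "function": the declaration is a normal binding
    bindingValue: seenInside.value, // "declared via eval": it is callable like any other
    globalPrototypeUnchanged: Object.getPrototypeOf(globalThis) === protoBefore,
    leakedToGlobal: Object.getOwnPropertyDescriptor(globalThis, "__proto__") !== undefined,
  };
}

// Strict eval code (as in the fuzzer's test case): declarations are confined to the
// eval's own environment, so nothing is visible outside it at all.
function declareProtoInStrictEval() {
  const protoBefore = Object.getPrototypeOf(globalThis);
  // The completion value of the last statement is what eval returns.
  const insideKind = (0, eval)('"use strict"; function __proto__() {} typeof __proto__;');
  return {
    insideKind,                                   // "function" while inside the eval
    outsideKind: typeof globalThis.__proto__,     // "object": still the inherited accessor
    globalPrototypeUnchanged: Object.getPrototypeOf(globalThis) === protoBefore,
    leakedToGlobal: Object.getOwnPropertyDescriptor(globalThis, "__proto__") !== undefined,
  };
}
```

Both functions return true for globalPrototypeUnchanged and false for leakedToGlobal; an engine in which either check fails has let a declaration named __proto__ reach the prototype machinery, which is the class of bug this report describes.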
Gavin Barraclough
Comment 1 2011-01-18 18:11:43 PST
We should pop up an alert scolding anyone for running code that redefines __proto__. I'd support disallowing __proto__ as a variable or function name in eval code, but it could seem a little arbitrary. Personally I'd go so far as to disallow it everywhere.
Oliver Hunt
Comment 2 2011-01-19 11:54:57 PST
Oliver Hunt
Comment 3 2011-01-19 12:19:27 PST