RESOLVED FIXED 151501
JSC Builtins should use safe array methods 
https://bugs.webkit.org/show_bug.cgi?id=151501
Summary JSC Builtins should use safe array methods
youenn fablet
Reported 2015-11-20 10:34:50 PST
Currently builtins are using push and shift directly, which can be modified by user scripts.
Attachments
Patch (7.92 KB, patch)
2015-11-20 10:49 PST, youenn fablet 		no flags
DetailsFormatted DiffDiff
Adding tests (14.07 KB, patch)
2015-12-01 06:20 PST, youenn fablet 		no flags
DetailsFormatted DiffDiff
Improving test (14.41 KB, patch)
2015-12-03 00:38 PST, youenn fablet 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
youenn fablet
Comment 1 2015-11-20 10:49:26 PST
Created attachment 265971 [details] Patch
youenn fablet
Comment 2 2015-12-01 06:20:19 PST
Created attachment 266355 [details] Adding tests
Xabier Rodríguez Calvar
Comment 3 2015-12-01 07:34:53 PST
Comment on attachment 266355 [details] Adding tests View in context: https://bugs.webkit.org/attachment.cgi?id=266355&action=review > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:100 > - JSC_NATIVE_INTRINSIC_FUNCTION("push", arrayProtoFuncPush, DontEnum, 1, ArrayPushIntrinsic); > + JSC_NATIVE_INTRINSIC_FUNCTION(vm.propertyNames->builtinNames().pushPublicName(), arrayProtoFuncPush, DontEnum, 1, ArrayPushIntrinsic); > + JSC_NATIVE_INTRINSIC_FUNCTION(vm.propertyNames->builtinNames().pushPrivateName(), arrayProtoFuncPush, DontEnum | DontDelete | ReadOnly, 1, ArrayPushIntrinsic); This makes me think even harder that we need to find a proper solution for this, as adding internal slots with the original function seems like a workaround and I am almost sure we are forgetting to fix something. > LayoutTests/streams/streams-promises.html:160 > + const ArrayPushBackup = Array.prototype.push; > + const ArrayShiftBackup = Array.prototype.shift; > + > + function cleanTest() { > + Array.prototype.push = ArrayPushBackup; > + Array.prototype.shift = ArrayShiftBackup; > + } I guess at some point it would be interesting to implement a setup and tear down for the tests.
Geoffrey Garen
Comment 4 2015-12-01 13:01:53 PST
Comment on attachment 266355 [details] Adding tests View in context: https://bugs.webkit.org/attachment.cgi?id=266355&action=review > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:103 > + JSC_NATIVE_FUNCTION(vm.propertyNames->builtinNames().shiftPublicName(), arrayProtoFuncShift, DontEnum, 0); > + JSC_NATIVE_FUNCTION(vm.propertyNames->builtinNames().shiftPrivateName(), arrayProtoFuncShift, DontEnum | DontDelete | ReadOnly, 0); Wrong function here.
youenn fablet
Comment 5 2015-12-02 13:14:36 PST
Comment on attachment 266355 [details] Adding tests View in context: https://bugs.webkit.org/attachment.cgi?id=266355&action=review >> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:100 >> + JSC_NATIVE_INTRINSIC_FUNCTION(vm.propertyNames->builtinNames().pushPrivateName(), arrayProtoFuncPush, DontEnum | DontDelete | ReadOnly, 1, ArrayPushIntrinsic); > > This makes me think even harder that we need to find a proper solution for this, as adding internal slots with the original function seems like a workaround and I am almost sure we are forgetting to fix something. The latter is indeed worrying. >> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:103 >> + JSC_NATIVE_FUNCTION(vm.propertyNames->builtinNames().shiftPrivateName(), arrayProtoFuncShift, DontEnum | DontDelete | ReadOnly, 0); > > Wrong function here. Can you be more explicit about what is wrong here?
Geoffrey Garen
Comment 6 2015-12-02 13:55:16 PST
Comment on attachment 266355 [details] Adding tests View in context: https://bugs.webkit.org/attachment.cgi?id=266355&action=review >>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:103 >>> + JSC_NATIVE_FUNCTION(vm.propertyNames->builtinNames().shiftPrivateName(), arrayProtoFuncShift, DontEnum | DontDelete | ReadOnly, 0); >> >> Wrong function here. > > Can you be more explicit about what is wrong here? Oops. I take it back.
youenn fablet
Comment 7 2015-12-03 00:38:01 PST
Created attachment 266516 [details] Improving test
youenn fablet
Comment 8 2015-12-03 00:41:56 PST
> > LayoutTests/streams/streams-promises.html:160 > > + const ArrayPushBackup = Array.prototype.push; > > + const ArrayShiftBackup = Array.prototype.shift; > > + > > + function cleanTest() { > > + Array.prototype.push = ArrayPushBackup; > > + Array.prototype.shift = ArrayShiftBackup; > > + } > > I guess at some point it would be interesting to implement a setup and tear > down for the tests. Right. I improved a bit the test as modifying Array.prototype.push is making testharness.js unhappy when cleanTest is not called or not called early enough. Current version will mark test as failing if an assertion does not pass, which is better than timing out.
WebKit Commit Bot
Comment 9 2015-12-10 02:51:07 PST
Comment on attachment 266516 [details] Improving test Clearing flags on attachment: 266516 Committed r193899: <http://trac.webkit.org/changeset/193899>
WebKit Commit Bot
Comment 10 2015-12-10 02:51:11 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.