Bug 198477 - RESOLVED FIXED
[JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect
https://bugs.webkit.org/show_bug.cgi?id=198477
Yusuke Suzuki
Reported 2019-06-03 00:53:26 PDT
...
Attachments
Patch (11.54 KB, patch)
2019-06-03 02:59 PDT, Yusuke Suzuki
no flags
Yusuke Suzuki
Comment 1 2019-06-03 02:59:42 PDT
Yusuke Suzuki
Comment 2 2019-06-03 03:00:45 PDT
Saam Barati
Comment 3 2019-06-03 09:54:00 PDT
Comment on attachment 371184 [details] Patch

Why? Won't this lead to us calling getPrototypeOf twice on proxy?
Yusuke Suzuki
Comment 4 2019-06-03 10:06:40 PDT
Comment on attachment 371184 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=371184&action=review

Otherwise, as the test describes (without this patch, it fails), object[10101010] = xxx; bypasses getPrototype (instead using getPrototypeDirect), which means that this [[Put]] access bypasses JSWindow::getPrototype. attemptToInterceptPutByIndexOnHoleForPrototype is not a side-effect free check. If put is intercepted, this function performs [[Put]].

> Source/JavaScriptCore/runtime/JSObject.cpp:2747
> if (current->type() == ProxyObjectType) {
> + scope.release();
> ProxyObject* proxy = jsCast<ProxyObject*>(current);
> putResult = proxy->putByIndexCommon(exec, thisValue, i, value, shouldThrow);
> return true;

For example, the Proxy case goes into this path, and we actually perform [[Put]] here.
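Review bot: with scope.release() placed before proxy->putByIndexCommon(...), this function no longer checks for a pending exception after the put it performs on this path (the comment above notes that this is a real [[Put]], and the shouldThrow argument shows it can throw); callers that receive true from attemptToInterceptPutByIndexOnHoleForPrototype must therefore do their own exception check. A one-line comment at the release site saying that the check is deferred to the caller would make that contract explicit for future readers of the chain walk.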
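The point made in Comment 4, that intercepting an indexed put on a hole is a real [[Put]] with side effects rather than a pure check, shown in plain JavaScript. This is an added example, not the patch's own test; the names traceProxyChain and INDEX are chosen here, and the behaviour shown is the specified OrdinarySet/Proxy [[Set]] semantics in any conforming engine.

```javascript
// Added example (not from the WebKit patch or its test): an indexed put on a
// hole walks the prototype chain, and a Proxy found there intercepts it with a
// real [[Put]] (its set trap runs), which is observable to the script.
// INDEX and traceProxyChain are illustrative names chosen for this example.
const INDEX = 10101010; // the hole index from the bug report's example

function traceProxyChain() {
  const trace = [];
  const target = {};
  // Proxy whose traps record every call the engine makes into them.
  const proxy = new Proxy(target, {
    set(t, key, value, receiver) {
      trace.push(`set ${String(key)}`);
      return Reflect.set(t, key, value, receiver);
    },
    getPrototypeOf(t) {
      trace.push('getPrototypeOf');
      return Reflect.getPrototypeOf(t);
    },
  });
  // Chain: obj -> plain -> proxy -> Object.prototype. Neither obj nor plain
  // has an indexed property, so the put reaches the proxy as a hole.
  const plain = Object.create(proxy);
  const obj = Object.create(plain);
  obj[INDEX] = 'x'; // [[Put]] on a hole: intercepted by the proxy's set trap
  return {
    trace,
    // Reflect.set with the original receiver defines the property on obj,
    // not on the proxy target: the interception performed the actual [[Put]].
    ownOnObj: Object.prototype.hasOwnProperty.call(obj, INDEX),
    ownOnTarget: Object.prototype.hasOwnProperty.call(target, INDEX),
  };
}
```

The trace contains exactly one entry, the set trap for key "10101010", and the proxy's getPrototypeOf trap is never consulted because the walk stops at the proxy once it intercepts the put.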
Yusuke Suzuki
Comment 5 2019-06-03 10:57:48 PDT
Comment on attachment 371184 [details] Patch

Thanks
WebKit Commit Bot
Comment 6 2019-06-03 11:27:52 PDT
Comment on attachment 371184 [details] Patch

Clearing flags on attachment: 371184

Committed r246040: <https://trac.webkit.org/changeset/246040>
WebKit Commit Bot
Comment 7 2019-06-03 11:27:54 PDT
All reviewed patches have been landed. Closing bug.
Yusuke Suzuki
Comment 8 2019-06-04 15:08:53 PDT