Bug 198477 - [JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Yusuke Suzuki
Keywords: InRadar
Depends on:
Reported: 2019-06-03 00:53 PDT by Yusuke Suzuki
Modified: 2019-06-04 15:08 PDT
CC: 7 users

See Also:

Attachment 371184: Patch (11.54 KB, patch), 2019-06-03 02:59 PDT, Yusuke Suzuki, no flags

Description Yusuke Suzuki 2019-06-03 00:53:26 PDT
Comment 1 Yusuke Suzuki 2019-06-03 02:59:42 PDT
Created attachment 371184 [details]
Comment 2 Yusuke Suzuki 2019-06-03 03:00:45 PDT
Comment 3 Saam Barati 2019-06-03 09:54:00 PDT
Comment on attachment 371184 [details]

Why? Won't this lead to us calling getPrototypeOf twice on proxy?
Comment 4 Yusuke Suzuki 2019-06-03 10:06:40 PDT
Comment on attachment 371184 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=371184&action=review

Otherwise, as the test described (without this patch, it fails), object[10101010] = xxx; bypasses getPrototype (instead using getPrototypeDirect), which means that this [[Put]] access bypasses JSWindow::getPrototype.

attemptToInterceptPutByIndexOnHoleForPrototype is not a side-effect free check. If put is intercepted, this function performs [[Put]].

> Source/JavaScriptCore/runtime/JSObject.cpp:2747
>          if (current->type() == ProxyObjectType) {
> +            scope.release();
>              ProxyObject* proxy = jsCast<ProxyObject*>(current);
>              putResult = proxy->putByIndexCommon(exec, thisValue, i, value, shouldThrow);
>              return true;
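Review bot: the added `scope.release();` ahead of `putByIndexCommon` is only sound because this branch leaves the function on the very next lines (`return true;`), so no caller code runs after the callee's own exception checks; a one-line comment stating that the proxy performs the whole [[Put]] itself and that the chain walk must not continue past it (which is also why getPrototype is never invoked on the proxy) would document the invariant the early return relies on.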

For example, the Proxy case goes into this path, and we actually perform [[Put]] here.
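The chain walk discussed in this comment, as an added model written for this page rather than JSC's own code: ModelObject, CrossOriginWindow and ModelProxy are assumed stand-ins for JSObject, a cross-origin JSDOMWindow and ProxyObject, the index and the hidden setter are constructed, and `useDirect` switches between a getPrototypeDirect walk and a getPrototype walk.

```javascript
// Model (added example, not JSC code) of the chain walk behind obj[index] = value
// on a hole. protoSlot is the raw field getPrototypeDirect reads; getPrototype()
// is the virtual hook a subclass such as JSDOMWindow overrides.
class ModelObject {
  constructor(name, protoSlot = null) {
    this.name = name;
    this.protoSlot = protoSlot;
    this.indexedSetters = new Map(); // index -> setter that intercepts the put
    this.getPrototypeCalls = 0;
  }
  getPrototypeDirect() { return this.protoSlot; }
  getPrototype() { this.getPrototypeCalls++; return this.protoSlot; }
  isProxy() { return false; }
}
// Stand-in for a cross-origin JSDOMWindow: the hook hides the real chain.
class CrossOriginWindow extends ModelObject {
  getPrototype() { this.getPrototypeCalls++; return null; }
}
// Stand-in for ProxyObject: the walk hands it the whole [[Put]] and stops.
class ModelProxy extends ModelObject {
  isProxy() { return true; }
  putByIndexCommon(receiver, index, value) { receiver.viaProxy = value; return true; }
}
// useDirect=true models the walk before the fix; false models the fixed walk.
function attemptToInterceptPutByIndexOnHole(receiver, index, value, useDirect) {
  const next = (o) => (useDirect ? o.getPrototypeDirect() : o.getPrototype());
  for (let current = next(receiver); current !== null; current = next(current)) {
    if (current.isProxy()) // returns at once: getPrototype is never called on the proxy
      return { intercepted: current.putByIndexCommon(receiver, index, value), by: current.name };
    const setter = current.indexedSetters.get(index);
    if (setter) { setter.call(receiver, value); return { intercepted: true, by: current.name }; }
  }
  return { intercepted: false, by: null };
}
// otherWindow[10101010] = 'xxx' where the hidden prototype carries an indexed setter.
function windowCase(useDirect) {
  const hidden = new ModelObject('hiddenPrototype');
  hidden.indexedSetters.set(10101010, function (v) { this.captured = v; });
  const win = new CrossOriginWindow('otherWindow', hidden);
  return attemptToInterceptPutByIndexOnHole(win, 10101010, 'xxx', useDirect);
}
// Proxy in the chain: intercepted either way, and its hook is never consulted.
function proxyCase(useDirect) {
  const proxy = new ModelProxy('proxy');
  const obj = new ModelObject('obj', proxy);
  const result = attemptToInterceptPutByIndexOnHole(obj, 10101010, 'xxx', useDirect);
  return { ...result, proxyGetPrototypeCalls: proxy.getPrototypeCalls };
}
```

In the direct mode the setter behind the hidden prototype fires even though the window reports no prototype; in the fixed mode the walk stops at the window, and in both modes the proxy case shows a single delegated [[Put]] with the proxy's hook untouched.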
Comment 5 Yusuke Suzuki 2019-06-03 10:57:48 PDT
Comment on attachment 371184 [details]

Comment 6 WebKit Commit Bot 2019-06-03 11:27:52 PDT
Comment on attachment 371184 [details]

Clearing flags on attachment: 371184

Committed r246040: <https://trac.webkit.org/changeset/246040>
Comment 7 WebKit Commit Bot 2019-06-03 11:27:54 PDT
All reviewed patches have been landed. Closing bug.
Comment 8 Yusuke Suzuki 2019-06-04 15:08:53 PDT
Committed r246084: <https://trac.webkit.org/changeset/246084>