Bug 198477 - [JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect
Summary: [JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype in...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-06-03 00:53 PDT by Yusuke Suzuki
Modified: 2019-06-04 15:08 PDT (History)
7 users (show)

See Also:

Attachments
Patch (11.54 KB, patch)
2019-06-03 02:59 PDT, Yusuke Suzuki 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yusuke Suzuki 2019-06-03 00:53:26 PDT 
...
Comment 1 Yusuke Suzuki 2019-06-03 02:59:42 PDT 
Created attachment 371184 [details]
Patch
Comment 2 Yusuke Suzuki 2019-06-03 03:00:45 PDT 
<rdar://problem/51299504>
Comment 3 Saam Barati 2019-06-03 09:54:00 PDT 
Comment on attachment 371184 [details]
Patch

Why? Won't this lead to use calling getPrototypeOf twice on proxy?
Comment 4 Yusuke Suzuki 2019-06-03 10:06:40 PDT 
Comment on attachment 371184 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=371184&action=review

Otherwise, as the test described (without this patch, it fails), object[10101010] = xxx; bypasses getPrototype (instead using getPrototypeDirect), which means that this [[Put]] access bypasses JSWindow::getPrototype.

attemptToInterceptPutByIndexOnHoleForPrototype is not a side-effect free check. If put is intercepted, this function performs [[Put]].

> Source/JavaScriptCore/runtime/JSObject.cpp:2747
>          if (current->type() == ProxyObjectType) {
> +            scope.release();
>              ProxyObject* proxy = jsCast<ProxyObject*>(current);
>              putResult = proxy->putByIndexCommon(exec, thisValue, i, value, shouldThrow);
>              return true;

For example, Proxy case goes into this path, and we actually performs [[Put]] here.
Comment 5 Yusuke Suzuki 2019-06-03 10:57:48 PDT 
Comment on attachment 371184 [details]
Patch

Thanks
Comment 6 WebKit Commit Bot 2019-06-03 11:27:52 PDT 
Comment on attachment 371184 [details]
Patch

Clearing flags on attachment: 371184

Committed r246040: <https://trac.webkit.org/changeset/246040>
Comment 7 WebKit Commit Bot 2019-06-03 11:27:54 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 8 Yusuke Suzuki 2019-06-04 15:08:53 PDT 
Committed r246084: <https://trac.webkit.org/changeset/246084>