Bug 273978 - [JSC] Private brand can be empty in computed property name
Summary: [JSC] Private brand can be empty in computed property name
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: David Degazio
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2024-05-09 15:49 PDT by David Degazio
Modified: 2024-05-10 17:14 PDT

Description David Degazio 2024-05-09 15:49:57 PDT
rdar://124072928

It's possible to access private members of a class during its own definition via computed property names, consider:

    class Foo {
        static #private;
        [Foo.#private] = 42;
    }

This code isn't particularly sensible - within an incomplete class definition, neither `this` nor the class itself is defined, so as far as I can tell there is no valid base for a private field access within any computed property name. But, in our implementation, the fact that the private brand is specifically empty/null at this point (we install it in the class lexical environment after the class definition is finished) means we can occasionally run into crashes when comparing it to other cells. Let's add a check for an empty private brand when we check it during a field access, so we can fail gracefully and throw an exception.
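As an added illustration (not code from the bug report or from WebKit), the probes below exercise the pattern described above and record which exception a conforming engine raises instead of crashing: the report's own snippet, where `Foo` is still in its temporal dead zone when the computed key is evaluated, and a constructed variant that uses `this` as the base with a receiver that never received the class's private brand. The function names `probe`, `probeClassNameBase` and `probeThisBase` are this example's own.

```javascript
// Added example, not from the bug report or WebKit: run a class definition
// that reads a private member from inside a computed property name and
// report the error class, or "no error" if the definition unexpectedly succeeds.
function probe(defineClass) {
  try {
    defineClass();
    return "no error";
  } catch (e) {
    return e.constructor.name;
  }
}

// The report's snippet: the computed key `[Foo.#private]` is evaluated while
// the class is still being defined. The inner `Foo` binding is not initialized
// until class definition evaluation finishes, so the reference to `Foo` throws
// a ReferenceError before any private-name lookup (and any brand check) runs.
function probeClassNameBase() {
  return probe(() => {
    class Foo {
      static #private;
      [Foo.#private] = 42;
    }
  });
}

// Constructed variant using `this` as the base. Inside a computed key, `this`
// is the receiver of the enclosing call; a plain object supplied via bind()
// never had the class's private brand installed, so the access must fail with
// a TypeError rather than by dereferencing an empty brand.
function probeThisBase() {
  return probe(function () {
    class Bar {
      static #private;
      [this.#private] = 42;
    }
  }.bind({}));
}
```

Both probes throw before a private brand is ever consulted, which is the graceful failure the fix aims for: an exception, never a crash on an empty brand.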
Comment 1 David Degazio 2024-05-09 16:18:48 PDT
Pull request: https://github.com/WebKit/WebKit/pull/28370
Comment 2 EWS 2024-05-10 17:14:52 PDT
Committed 278642@main (dab4400141ad): <https://commits.webkit.org/278642@main>

Reviewed commits have been landed. Closing PR #28370 and removing active labels.