52672 – [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion

Bug 52672 - [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion

Summary: [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an a...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	PC OS X 10.5

Importance:	P2 Normal
Assignee:	Oliver Hunt

URL:
Keywords:

Depends on:
Blocks:	13638
	Show dependency tree / graph

Reported:	2011-01-18 15:08 PST by Oliver Hunt
Modified:	2011-01-19 12:19 PST (History)
CC List:	4 users (show)

See Also:

Attachments
Patch (4.05 KB, patch) 2011-01-19 11:54 PST, Oliver Hunt	barraclough: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Oliver Hunt 2011-01-18 15:08:15 PST

tryItOut("\"use strict\";h();/**/function h(){(0)}(3);function __proto__(){/j/}\"\"")

Adding function labelled __proto__ triggers a changed prototype transition, which converts the structure into a non-dictionary type, leading to badness.

I'm inclined to simply disallow __proto__ as a variable or function declaration inside eval code.

Comment 1 Gavin Barraclough 2011-01-18 18:11:43 PST

We should pop up an alert scolding anyone for running code that redefines __proto__.

I'd support disallowing __proto__as a variable or function name in eval code, but it could seem a little arbitrary.  Personally I'd go so far as to disallow it everywhere.

Comment 2 Oliver Hunt 2011-01-19 11:54:57 PST

Created attachment 79458 [details]
Patch

Comment 3 Oliver Hunt 2011-01-19 12:19:27 PST

Committed r76148: <http://trac.webkit.org/changeset/76148>