RESOLVED FIXED 52672
[jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion
https://bugs.webkit.org/show_bug.cgi?id=52672
Oliver Hunt
Reported 2011-01-18 15:08:15 PST
tryItOut("\"use strict\";h();/**/function h(){(0)}(3);function __proto__(){/j/}\"\"")

Adding function labelled __proto__ triggers a changed prototype transition, which converts the structure into a non-dictionary type, leading to badness. I'm inclined to simply disallow __proto__ as a variable or function declaration inside eval code.
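The report boils down to how a declaration named __proto__ is turned into a binding on an object environment. The following added example (not part of the bug report or of WebKit) emulates the two possible implementations on a plain object: storing through the property name, which runs the inherited Object.prototype.__proto__ setter and silently changes the prototype, versus defining an own data property as the spec's DefinePropertyOrThrow step requires. The helper names are hypothetical.

```javascript
// Added example, not from the bug report or WebKit: why a binding named
// "__proto__" must be *defined* as an own property, never *assigned* through
// the name. Object.prototype.__proto__ is an accessor, so assignment invokes
// its setter and changes the prototype (the "changed prototype transition"
// the report describes); DefineOwnProperty creates an ordinary data property.

// Naive emulation of "function __proto__(){}" landing in an object
// environment: the declaration is treated as a store through the name.
function bindByAssignment(envObject, name, value) {
  envObject[name] = value; // for "__proto__" this calls the inherited setter
  return envObject;
}

// Spec-shaped emulation: declarations create bindings with
// DefinePropertyOrThrow, so the name becomes an own data property and the
// [[Prototype]] of the environment object is left untouched.
function bindByDefinition(envObject, name, value) {
  Object.defineProperty(envObject, name, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return envObject;
}

// Report what a binding step did to the environment object: did the name
// end up as an own property, and did the prototype chain change?
function inspect(envObject, name) {
  return {
    ownProperty: Object.prototype.hasOwnProperty.call(envObject, name),
    prototypeChanged: Object.getPrototypeOf(envObject) !== Object.prototype,
    resolvesTo: envObject[name],
  };
}

// Run both strategies against the same declared function (constructed input).
function demo() {
  function declaredFn() { return 'function declared as __proto__'; }
  return {
    byAssign: inspect(bindByAssignment({}, '__proto__', declaredFn), '__proto__'),
    byDefine: inspect(bindByDefinition({}, '__proto__', declaredFn), '__proto__'),
    declaredFn,
  };
}
```

Both strategies make `envObject.__proto__` resolve to the function afterwards, which is why the defect is easy to miss: only the prototype check distinguishes a correct binding from a structure whose prototype has been replaced.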
Attachments
Patch (4.05 KB, patch)
2011-01-19 11:54 PST, Oliver Hunt
barraclough: review+
Gavin Barraclough
Comment 1 2011-01-18 18:11:43 PST
We should pop up an alert scolding anyone for running code that redefines __proto__. I'd support disallowing __proto__ as a variable or function name in eval code, but it could seem a little arbitrary. Personally I'd go so far as to disallow it everywhere.
Oliver Hunt
Comment 2 2011-01-19 11:54:57 PST
Oliver Hunt
Comment 3 2011-01-19 12:19:27 PST