Bug 52672 - [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Oliver Hunt
Depends on:
Blocks: 13638
Reported: 2011-01-18 15:08 PST by Oliver Hunt
Modified: 2011-01-19 12:19 PST

Patch (4.05 KB, patch)
2011-01-19 11:54 PST, Oliver Hunt
barraclough: review+

Description Oliver Hunt 2011-01-18 15:08:15 PST
tryItOut("\"use strict\";h();/**/function h(){(0)}(3);function __proto__(){/j/}\"\"")

Adding a function labelled __proto__ triggers a changed-prototype transition, which converts the structure into a non-dictionary type, leading to badness.

I'm inclined to simply disallow __proto__ as a variable or function declaration inside eval code.
Comment 1 Gavin Barraclough 2011-01-18 18:11:43 PST
We should pop up an alert scolding anyone for running code that redefines __proto__.

I'd support disallowing __proto__ as a variable or function name in eval code, but it could seem a little arbitrary. Personally I'd go so far as to disallow it everywhere.
Comment 2 Oliver Hunt 2011-01-19 11:54:57 PST
Created attachment 79458
Comment 3 Oliver Hunt 2011-01-19 12:19:27 PST
Committed r76148: <http://trac.webkit.org/changeset/76148>