Changeset 207518 in webkit

Timestamp:

Oct 18, 2016 8:52:29 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

Invoking Object.prototype.proto accessors directly should throw a TypeError.
​https://bugs.webkit.org/show_bug.cgi?id=154377
<rdar://problem/27330808>

Reviewed by Filip Pizlo and Saam Barati.

JSTests:

• stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js: Added.

Source/JavaScriptCore:

In a scenario where we cache the proto accessors in global variables, and
later explicitly invoke those accessors as functions, the spec for Function Calls
(see ​https://tc39.github.io/ecma262/#sec-function-calls) states that the function
ref value is of type Reference, and base of ref is an Environment Record. Then,
it follows that the thisValue should be set to refEnv.WithBaseObject()
(see section 4.b.ii of 12.3.4.1 at
​https://tc39.github.io/ecma262/#sec-function-calls-runtime-semantics-evaluation).

refEnv in this case is the environment record that the cached accessors were
found in i.e. the global object. The WithBaseObject() of the global object is
undefined (see details about WithBaseObject at
​https://tc39.github.io/ecma262/#sec-environment-records).

Hence, the proto accessors should see a thisValue of undefined, and throw
TypeErrors. See ​https://tc39.github.io/ecma262/#sec-get-object.prototype.__proto,
​https://tc39.github.io/ecma262/#sec-set-object.prototype.__proto,
​https://tc39.github.io/ecma262/#sec-toobject, and
​https://tc39.github.io/ecma262/#sec-requireobjectcoercible.

In JSC's implementation, the callee needs to do a ToThis operation on the
incoming "this" argument in order to get the specified thisValue. The
implementations of the proto accessors were not doing this correctly. This
has now been fixed.

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):

LayoutTests:

• http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html:
• js/dom/activation-proto-expected.txt:
• js/dom/script-tests/activation-proto.js:
• js/object-literal-shorthand-construction-expected.txt:
• js/script-tests/object-literal-shorthand-construction.js:
• js/script-tests/sloppy-getter-setter-global-object.js:
• js/sloppy-getter-setter-global-object-expected.txt:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js (added)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html (modified) (1 diff)
• LayoutTests/js/dom/activation-proto-expected.txt (modified) (1 diff)
• LayoutTests/js/dom/script-tests/activation-proto.js (modified) (1 diff)
• LayoutTests/js/object-literal-shorthand-construction-expected.txt (modified) (1 diff)
• LayoutTests/js/script-tests/object-literal-shorthand-construction.js (modified) (1 diff)
• LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js (modified) (1 diff)
• LayoutTests/js/sloppy-getter-setter-global-object-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-10-18  Mark Lam  <mark.lam@apple.com>
+
+        Invoking Object.prototype.__proto__ accessors directly should throw a TypeError.
+        https://bugs.webkit.org/show_bug.cgi?id=154377
+        <rdar://problem/27330808>
+
+        Reviewed by Filip Pizlo and Saam Barati.
+
+        * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js: Added.
+
 2016-10-18  Keith Miller  <keith_miller@apple.com>
 

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-10-18  Mark Lam  <mark.lam@apple.com>
+
+        Invoking Object.prototype.__proto__ accessors directly should throw a TypeError.
+        https://bugs.webkit.org/show_bug.cgi?id=154377
+        <rdar://problem/27330808>
+
+        Reviewed by Filip Pizlo and Saam Barati.
+
+        * http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
+        * http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
+        * http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt:
+        * http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt:
+        * http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html:
+        * js/dom/activation-proto-expected.txt:
+        * js/dom/script-tests/activation-proto.js:
+        * js/object-literal-shorthand-construction-expected.txt:
+        * js/script-tests/object-literal-shorthand-construction.js:
+        * js/script-tests/sloppy-getter-setter-global-object.js:
+        * js/sloppy-getter-setter-global-object-expected.txt:
+
 2016-10-18  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt

@@ -5 +5 @@
 
 
-PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
+PASS __proto__ = targetWindow threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
 PASS targetWindow.myinput threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
 PASS: successfullyParsed should be 'true' and is.

trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt

@@ -8 +8 @@
 
 
-PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
+PASS __proto__ = targetWindow threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
 PASS: successfullyParsed should be 'true' and is.
 

trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt

@@ -5 +5 @@
 
 
-PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
+PASS __proto__ = targetWindow threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
 PASS: location === originalLocation should be 'true' and is.
 PASS: this.location === originalLocation should be 'true' and is.

trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt

@@ -5 +5 @@
 
 
-PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
+PASS this.__proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
+PASS __proto__ = targetWindow threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
 PASS: innerHeight === originalInnerHeight should be 'true' and is.
 PASS: this.innerHeight === originalInnerHeight should be 'true' and is.

trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html

@@ -16 +16 @@
   originalInnerHeight = innerHeight;
 
+  shouldThrowErrorName("this.__proto__ = targetWindow", "TypeError");
   shouldThrowErrorName("__proto__ = targetWindow", "TypeError");
 

trunk/LayoutTests/js/dom/activation-proto-expected.txt

@@ -4 +4 @@
 
 
-PASS (function() { __proto__.testVariable = 'found'; return window.testVariable; })() is 'found'
+PASS (function() { this.__proto__.testVariable = 'found'; return window.testVariable; })() is 'found'
 PASS successfullyParsed is true
 

trunk/LayoutTests/js/dom/script-tests/activation-proto.js

@@ -5 +5 @@
 );
 
-shouldBe("(function() { __proto__.testVariable = 'found'; return window.testVariable; })()", "'found'");
+shouldBe("(function() { this.__proto__.testVariable = 'found'; return window.testVariable; })()", "'found'");

trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt

@@ -62 +62 @@
 PASS !!Object.getOwnPropertyDescriptor({set 'x'(value){}}, 'x').set is true
 PASS !!Object.getOwnPropertyDescriptor({set 42(value){}}, '42').set is true
-PASS __proto__ = [] threw exception TypeError: Cannot set prototype of this object.
-PASS ({__proto__: __proto__}) instanceof Array is false
+PASS this.__proto__ = [] threw exception TypeError: Cannot set prototype of this object.
+PASS ({__proto__: this.__proto__}) instanceof Array is false
+PASS __proto__ = [] threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
+PASS ({__proto__: __proto__}) instanceof Array threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
 PASS successfullyParsed is true
 

trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js

@@ -111 +111 @@
 
 // __proto__ shorthand should not modify the prototype.
-shouldThrow("__proto__ = []");
-shouldBeFalse("({__proto__: __proto__}) instanceof Array");
+shouldThrow("this.__proto__ = []");
+shouldBeFalse("({__proto__: this.__proto__}) instanceof Array");
+shouldThrow("__proto__ = []", '"TypeError: Object.prototype.__proto__ called on null or undefined"');
+shouldThrow("({__proto__: __proto__}) instanceof Array", '"TypeError: Object.prototype.__proto__ called on null or undefined"');

trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js

@@ -26 +26 @@
 shouldNotThrow("Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set(['foo'])");
 
-shouldThrow("(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)()", "\"TypeError: Can't convert undefined or null to object\"");
-shouldThrow("(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo'])", "\"TypeError: Can't convert undefined or null to object\"");
+shouldThrow("(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)()", "\"TypeError: Object.prototype.__proto__ called on null or undefined\"");
+shouldThrow("(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo'])", "\"TypeError: Object.prototype.__proto__ called on null or undefined\"");
 
 
 var top_level_sloppy_getter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get;
-shouldNotThrow("top_level_sloppy_getter();");
+shouldThrow("top_level_sloppy_getter();", "\"TypeError: Object.prototype.__proto__ called on null or undefined\"");
 
 var top_level_sloppy_setter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set;
-shouldThrow("top_level_sloppy_setter(['foo']);");
+shouldThrow("top_level_sloppy_setter(['foo']);", "\"TypeError: Object.prototype.__proto__ called on null or undefined\"");

trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt

@@ -9 +9 @@
 PASS Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get() did not throw exception.
 PASS Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set(['foo']) did not throw exception.
-PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)() threw exception TypeError: Can't convert undefined or null to object.
-PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo']) threw exception TypeError: Can't convert undefined or null to object.
-PASS top_level_sloppy_getter(); did not throw exception.
-PASS top_level_sloppy_setter(['foo']); threw exception TypeError: Cannot set prototype of this object.
+PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)() threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
+PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo']) threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
+PASS top_level_sloppy_getter(); threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
+PASS top_level_sloppy_setter(['foo']); threw exception TypeError: Object.prototype.__proto__ called on null or undefined.
 PASS successfullyParsed is true
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-10-18  Mark Lam  <mark.lam@apple.com>
+
+        Invoking Object.prototype.__proto__ accessors directly should throw a TypeError.
+        https://bugs.webkit.org/show_bug.cgi?id=154377
+        <rdar://problem/27330808>
+
+        Reviewed by Filip Pizlo and Saam Barati.
+
+        In a scenario where we cache the __proto__ accessors in global variables, and
+        later explicitly invoke those accessors as functions, the spec for Function Calls
+        (see https://tc39.github.io/ecma262/#sec-function-calls) states that the function
+        ref value is of type Reference, and base of ref is an Environment Record.  Then,
+        it follows that the thisValue should be set to refEnv.WithBaseObject()
+        (see section 4.b.ii of 12.3.4.1 at
+        https://tc39.github.io/ecma262/#sec-function-calls-runtime-semantics-evaluation).
+
+        refEnv in this case is the environment record that the cached accessors were
+        found in i.e. the global object.  The WithBaseObject() of the global object is
+        undefined (see details about WithBaseObject at
+        https://tc39.github.io/ecma262/#sec-environment-records).
+
+        Hence, the __proto__ accessors should see a thisValue of undefined, and throw
+        TypeErrors.  See https://tc39.github.io/ecma262/#sec-get-object.prototype.__proto__,
+        https://tc39.github.io/ecma262/#sec-set-object.prototype.__proto__,
+        https://tc39.github.io/ecma262/#sec-toobject, and
+        https://tc39.github.io/ecma262/#sec-requireobjectcoercible.
+
+        In JSC's implementation, the callee needs to do a ToThis operation on the
+        incoming "this" argument in order to get the specified thisValue.  The
+        implementations of the __proto__ accessors were not doing this correctly.  This
+        has now been fixed.
+
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncProtoGetter):
+        (JSC::globalFuncProtoSetter):
+
 2016-10-18  Sam Weinig  <sam@webkit.org>
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -53 +53 @@
 
 namespace JSC {
+
+static const char* const ObjectProtoCalledOnNullOrUndefinedError = "Object.prototype.__proto__ called on null or undefined";
 
 template<typename CallbackWhenNoException>
@@ -871 +873 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (exec->thisValue().isUndefinedOrNull())
-        return throwVMTypeError(exec, scope, ASCIILiteral("Can't convert undefined or null to object"));
-
-    JSObject* thisObject = jsDynamicCast<JSObject*>(exec->thisValue().toThis(exec, NotStrictMode));
-
+    JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
+    if (thisValue.isUndefinedOrNull())
+        return throwVMTypeError(exec, scope, ASCIILiteral(ObjectProtoCalledOnNullOrUndefinedError));
+
+    JSObject* thisObject = jsDynamicCast<JSObject*>(thisValue);
     if (!thisObject) {
         JSObject* prototype = exec->thisValue().synthesizePrototype(exec);
@@ -891 +893 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (exec->thisValue().isUndefinedOrNull())
-        return throwVMTypeError(exec, scope, ASCIILiteral("Can't convert undefined or null to object"));
+    JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
+    if (thisValue.isUndefinedOrNull())
+        return throwVMTypeError(exec, scope, ASCIILiteral(ObjectProtoCalledOnNullOrUndefinedError));
 
     JSValue value = exec->argument(0);
 
-    JSObject* thisObject = jsDynamicCast<JSObject*>(exec->thisValue().toThis(exec, NotStrictMode));
+    JSObject* thisObject = jsDynamicCast<JSObject*>(thisValue);
 
     // Setting __proto__ of a primitive should have no effect.