Changeset 209149 in webkit

Timestamp:

Nov 30, 2016 1:13:42 PM (7 years ago)

Author:

mark.lam@apple.com

Message:

Proxy is not allowed in the global prototype chain.
​https://bugs.webkit.org/show_bug.cgi?id=165205

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

• runtime/ProgramExecutable.cpp:

(JSC::ProgramExecutable::initializeGlobalProperties):

• We'll now throw a TypeError if we detect a Proxy in the global prototype chain.

LayoutTests:

• js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt: Added.
• js/dom/proxy-is-not-allowed-in-global-prototype-chain.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt (added)
• LayoutTests/js/dom/proxy-is-not-allowed-in-global-prototype-chain.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/ProgramExecutable.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-11-30  Mark Lam  <mark.lam@apple.com>
+
+        Proxy is not allowed in the global prototype chain.
+        https://bugs.webkit.org/show_bug.cgi?id=165205
+
+        Reviewed by Geoffrey Garen.
+
+        * js/dom/proxy-is-not-allowed-in-global-prototype-chain-expected.txt: Added.
+        * js/dom/proxy-is-not-allowed-in-global-prototype-chain.html: Added.
+
 2016-11-30  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-11-30  Mark Lam  <mark.lam@apple.com>
+
+        Proxy is not allowed in the global prototype chain.
+        https://bugs.webkit.org/show_bug.cgi?id=165205
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/ProgramExecutable.cpp:
+        (JSC::ProgramExecutable::initializeGlobalProperties):
+        - We'll now throw a TypeError if we detect a Proxy in the global prototype chain.
+
 2016-11-30  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/JavaScriptCore/runtime/ProgramExecutable.cpp

@@ -80 +80 @@
     ASSERT(&globalObject->vm() == &vm);
 
+    JSValue nextPrototype = globalObject->getPrototypeDirect();
+    while (nextPrototype && nextPrototype.isObject()) {
+        if (UNLIKELY(asObject(nextPrototype)->type() == ProxyObjectType)) {
+            ExecState* exec = globalObject->globalExec();
+            return createTypeError(exec, ASCIILiteral("Proxy is not allowed in the global prototype chain."));
+        }
+        nextPrototype = asObject(nextPrototype)->getPrototypeDirect();
+    }
+    
     JSObject* exception = nullptr;
     UnlinkedProgramCodeBlock* unlinkedCodeBlock = globalObject->createProgramCodeBlock(callFrame, this, &exception);
@@ -178 +187 @@
         }
     }
-    return 0;
+    return nullptr;
 }