Changeset 292950 in webkit

Timestamp:

Apr 17, 2022, 2:52:53 PM (3 years ago)

Author:

mark.lam@apple.com

Message:

Harden JSObject::setPrototypeOf.
​https://bugs.webkit.org/show_bug.cgi?id=239440

Reviewed by Yusuke Suzuki.

• runtime/JSObject.cpp:

(JSC::JSObject::setPrototypeDirect):
(JSC::JSObject::setPrototypeWithCycleCheck):

• runtime/JSObject.h:
• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorSetPrototypeOf):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/JSObject.cpp (modified) (4 diffs)
• runtime/JSObject.h (modified) (2 diffs)
• runtime/ObjectConstructor.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2022-04-16  Mark Lam  <mark.lam@apple.com>
+
+        Harden JSObject::setPrototypeOf.
+        https://bugs.webkit.org/show_bug.cgi?id=239440
+
+        Reviewed by Yusuke Suzuki.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::setPrototypeDirect):
+        (JSC::JSObject::setPrototypeWithCycleCheck):
+        * runtime/JSObject.h:
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorSetPrototypeOf):
+
 2022-04-16  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003-2021 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel (eric@webkit.org)
  *
@@ -65 +65 @@
 const ASCIILiteral UnconfigurablePropertyChangeEnumerabilityError { "Attempting to change enumerable attribute of unconfigurable property."_s };
 const ASCIILiteral UnconfigurablePropertyChangeWritabilityError { "Attempting to change writable attribute of unconfigurable property."_s };
+const ASCIILiteral PrototypeValueCanOnlyBeAnObjectOrNullTypeError { "Prototype value can only be an object or null"_s };
 
 const ClassInfo JSObject::s_info = { "Object"_s, nullptr, nullptr, nullptr, CREATE_METHOD_TABLE(JSObject) };
@@ -1874 +1875 @@
 void JSObject::setPrototypeDirect(VM& vm, JSValue prototype)
 {
-    ASSERT(prototype);
+    ASSERT(prototype.isObject() || prototype.isNull());
     if (prototype.isObject())
         asObject(prototype)->didBecomePrototype();
+    else if (UNLIKELY(!prototype.isNull())) // Conservative hardening.
+        return;
     
     if (structure()->hasMonoProto()) {
@@ -1926 +1929 @@
     if (!isExtensible)
         return typeError(globalObject, scope, shouldThrowIfCantSet, ReadonlyPropertyWriteError);
+
+    // Some clients would have already done this check because of the order of the check
+    // specified in their respective specifications. However, we still do this check here
+    // to document and enforce this invariant about the nature of prototype.
+    if (UNLIKELY(!prototype.isObject() && !prototype.isNull()))
+        return typeError(globalObject, scope, shouldThrowIfCantSet, PrototypeValueCanOnlyBeAnObjectOrNullTypeError);
 
     JSValue nextPrototype = prototype;

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003-2021 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -84 +84 @@
 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeEnumerabilityError;
 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeWritabilityError;
+extern JS_EXPORT_PRIVATE const ASCIILiteral PrototypeValueCanOnlyBeAnObjectOrNullTypeError;
 
 class JSFinalObject;

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2008-2021 Apple Inc. All rights reserved.
+ *  Copyright (C) 2008-2022 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -161 +161 @@
     JSValue protoValue = callFrame->argument(1);
     if (!protoValue.isObject() && !protoValue.isNull())
-        return throwVMTypeError(globalObject, scope, "Prototype value can only be an object or null"_s);
+        return throwVMTypeError(globalObject, scope, PrototypeValueCanOnlyBeAnObjectOrNullTypeError);
 
     JSObject* object = objectValue.toObject(globalObject);