Changeset 246040 in webkit

Timestamp:

Jun 3, 2019 11:27:46 AM (5 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect
​https://bugs.webkit.org/show_bug.cgi?id=198477
<rdar://problem/51299504>

Reviewed by Saam Barati.

Source/JavaScriptCore:

JSObject::attemptToInterceptPutByIndexOnHole uses getPrototypeDirect, but it should use getPrototype to
handle getPrototype methods in derived JSObject classes correctly.

• runtime/JSArrayInlines.h:

(JSC::JSArray::pushInline):

• runtime/JSObject.cpp:

(JSC::JSObject::putByIndex):
(JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
(JSC::JSObject::attemptToInterceptPutByIndexOnHole):
(JSC::JSObject::putByIndexBeyondVectorLength):

LayoutTests:

Ensure that JSWindow::getPrototype is used.

• http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt: Added.
• http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html: Added.
• http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-in-put-test.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt (added)
• LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html (added)
• LayoutTests/http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-in-put-test.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArrayInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (8 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-06-03  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect
+        https://bugs.webkit.org/show_bug.cgi?id=198477
+        <rdar://problem/51299504>
+
+        Reviewed by Saam Barati.
+
+        Ensure that JSWindow::getPrototype is used.
+
+        * http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt: Added.
+        * http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html: Added.
+        * http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-in-put-test.html: Added.
+
 2019-06-03  Devin Rousso  <drousso@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-06-03  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect
+        https://bugs.webkit.org/show_bug.cgi?id=198477
+        <rdar://problem/51299504>
+
+        Reviewed by Saam Barati.
+
+        JSObject::attemptToInterceptPutByIndexOnHole uses getPrototypeDirect, but it should use getPrototype to
+        handle getPrototype methods in derived JSObject classes correctly.
+
+        * runtime/JSArrayInlines.h:
+        (JSC::JSArray::pushInline):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putByIndex):
+        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
+        (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
+        (JSC::JSObject::putByIndexBeyondVectorLength):
+
 2019-06-03  Don Olmstead  <don.olmstead@sony.com>
 

trunk/Source/JavaScriptCore/runtime/JSArrayInlines.h

@@ -213 +213 @@
         unsigned oldLength = length();
         bool putResult = false;
-        if (attemptToInterceptPutByIndexOnHole(exec, oldLength, value, true, putResult)) {
-            if (!scope.exception() && oldLength < 0xFFFFFFFFu) {
+        bool result = attemptToInterceptPutByIndexOnHole(exec, oldLength, value, true, putResult);
+        RETURN_IF_EXCEPTION(scope, void());
+        if (result) {
+            if (oldLength < 0xFFFFFFFFu) {
                 scope.release();
                 setLength(exec, oldLength + 1, true);

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -944 +944 @@
         WriteBarrier<Unknown>& valueSlot = storage->m_vector[propertyName];
         unsigned length = storage->length();
+
+        auto scope = DECLARE_THROW_SCOPE(vm);
         
         // Update length & m_numValuesInVector as necessary.
         if (propertyName >= length) {
             bool putResult = false;
-            if (thisObject->attemptToInterceptPutByIndexOnHole(exec, propertyName, value, shouldThrow, putResult))
+            bool result = thisObject->attemptToInterceptPutByIndexOnHole(exec, propertyName, value, shouldThrow, putResult);
+            RETURN_IF_EXCEPTION(scope, false);
+            if (result)
                 return putResult;
             length = propertyName + 1;
@@ -955 +959 @@
         } else if (!valueSlot) {
             bool putResult = false;
-            if (thisObject->attemptToInterceptPutByIndexOnHole(exec, propertyName, value, shouldThrow, putResult))
+            bool result = thisObject->attemptToInterceptPutByIndexOnHole(exec, propertyName, value, shouldThrow, putResult);
+            RETURN_IF_EXCEPTION(scope, false);
+            if (result)
                 return putResult;
             ++storage->m_numValuesInVector;
@@ -2717 +2723 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     for (JSObject* current = this; ;) {
         // This has the same behavior with respect to prototypes as JSObject::put(). It only
@@ -2727 +2735 @@
             SparseArrayValueMap::iterator iter = storage->m_sparseMap->find(i);
             if (iter != storage->m_sparseMap->notFound() && (iter->value.attributes() & (PropertyAttribute::Accessor | PropertyAttribute::ReadOnly))) {
+                scope.release();
                 putResult = iter->value.put(exec, thisValue, storage->m_sparseMap.get(), value, shouldThrow);
                 return true;
@@ -2733 +2742 @@
 
         if (current->type() == ProxyObjectType) {
+            scope.release();
             ProxyObject* proxy = jsCast<ProxyObject*>(current);
             putResult = proxy->putByIndexCommon(exec, thisValue, i, value, shouldThrow);
@@ -2738 +2748 @@
         }
         
-        JSValue prototypeValue = current->getPrototypeDirect(vm);
+        JSValue prototypeValue = current->getPrototype(vm, exec);
+        RETURN_IF_EXCEPTION(scope, false);
         if (prototypeValue.isNull())
             return false;
@@ -2748 +2759 @@
 bool JSObject::attemptToInterceptPutByIndexOnHole(ExecState* exec, unsigned i, JSValue value, bool shouldThrow, bool& putResult)
 {
-    JSValue prototypeValue = getPrototypeDirect(exec->vm());
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    JSValue prototypeValue = getPrototype(vm, exec);
+    RETURN_IF_EXCEPTION(scope, false);
     if (prototypeValue.isNull())
         return false;
     
-    return asObject(prototypeValue)->attemptToInterceptPutByIndexOnHoleForPrototype(exec, this, i, value, shouldThrow, putResult);
+    RELEASE_AND_RETURN(scope, asObject(prototypeValue)->attemptToInterceptPutByIndexOnHoleForPrototype(exec, this, i, value, shouldThrow, putResult));
 }
 
@@ -2938 +2953 @@
     case ArrayWithSlowPutArrayStorage: {
         // No own property present in the vector, but there might be in the sparse map!
+        auto scope = DECLARE_THROW_SCOPE(vm);
         SparseArrayValueMap* map = arrayStorage()->m_sparseMap.get();
         bool putResult = false;
-        if (!(map && map->contains(i)) && attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow, putResult))
-            return putResult;
+        if (!(map && map->contains(i))) {
+            bool result = attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow, putResult);
+            RETURN_IF_EXCEPTION(scope, false);
+            if (result)
+                return putResult;
+        }
+        scope.release();
         FALLTHROUGH;
     }