Changeset 87826 in webkit

Timestamp:

Jun 1, 2011 11:08:07 AM (13 years ago)

Author:

oliver@apple.com

Message:

2011-05-31 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

Freezing a function and its prototype causes browser to crash.
​https://bugs.webkit.org/show_bug.cgi?id=61758

Add test to ensure correct behaviour

• fast/js/preventExtensions-expected.txt:
• fast/js/script-tests/preventExtensions.js: (f):

2011-05-31 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

Freezing a function and its prototype causes browser to crash.
​https://bugs.webkit.org/show_bug.cgi?id=61758

Make JSObject::preventExtensions virtual so that we can override it
and instantiate all lazy

• JavaScriptCore.exp:
• runtime/JSFunction.cpp: (JSC::createPrototypeProperty): (JSC::JSFunction::preventExtensions): (JSC::JSFunction::getOwnPropertySlot):
• runtime/JSFunction.h:
• runtime/JSObject.h:
• runtime/JSObject.cpp: (JSC::JSObject::seal): (JSC::JSObject::seal):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/preventExtensions-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/script-tests/preventExtensions.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.exp (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-05-31  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Freezing a function and its prototype causes browser to crash.
+        https://bugs.webkit.org/show_bug.cgi?id=61758
+
+        Add test to ensure correct behaviour
+
+        * fast/js/preventExtensions-expected.txt:
+        * fast/js/script-tests/preventExtensions.js:
+        (f):
+
 2011-05-19  Adrienne Walker  <enne@google.com>
 

trunk/LayoutTests/fast/js/preventExtensions-expected.txt

@@ -4 +4 @@
 
 
+PASS (new inextensible).prototypeExists is true
+PASS (new sealed).prototypeExists is true
+PASS (new frozen).prototypeExists is true
 PASS test(obj()) is "(b:4)(c:3)E"
 PASS test(preventExtensions(obj())) is "(b:4)"

trunk/LayoutTests/fast/js/script-tests/preventExtensions.js

@@ -44 +44 @@
 }
 
+function inextensible(){}
+function sealed(){}
+function frozen(){};
+preventExtensions(inextensible);
+seal(sealed);
+freeze(frozen);
+new inextensible;
+new sealed;
+new frozen;
+inextensible.prototype.prototypeExists = true;
+sealed.prototype.prototypeExists = true;
+frozen.prototype.prototypeExists = true;
+
+shouldBeTrue("(new inextensible).prototypeExists");
+shouldBeTrue("(new sealed).prototypeExists");
+shouldBeTrue("(new frozen).prototypeExists");
+
 shouldBe('test(obj())', '"(b:4)(c:3)E"'); // extensible, can delete a, can modify b, and can add c
 shouldBe('test(preventExtensions(obj()))', '"(b:4)"'); // <nothing>, can delete a, can modify b, and CANNOT add c

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-05-31  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Freezing a function and its prototype causes browser to crash.
+        https://bugs.webkit.org/show_bug.cgi?id=61758
+
+        Make JSObject::preventExtensions virtual so that we can override it
+        and instantiate all lazy
+
+        * JavaScriptCore.exp:
+        * runtime/JSFunction.cpp:
+        (JSC::createPrototypeProperty):
+        (JSC::JSFunction::preventExtensions):
+        (JSC::JSFunction::getOwnPropertySlot):
+        * runtime/JSFunction.h:
+        * runtime/JSObject.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::seal):
+        (JSC::JSObject::seal):
+
 2011-06-01  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.exp

@@ -299 +299 @@
 __ZN3JSC8JSObject16getPropertyNamesEPNS_9ExecStateERNS_17PropertyNameArrayENS_15EnumerationModeE
 __ZN3JSC8JSObject17defineOwnPropertyEPNS_9ExecStateERKNS_10IdentifierERNS_18PropertyDescriptorEb
+__ZN3JSC8JSObject17preventExtensionsERNS_12JSGlobalDataE
 __ZN3JSC8JSObject17putDirectFunctionEPNS_9ExecStateEPNS_10JSFunctionEj
 __ZN3JSC8JSObject17putDirectFunctionEPNS_9ExecStateEPNS_16InternalFunctionEj

trunk/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def

@@ -256 +256 @@
     ?objectProtoFuncToString@JSC@@YI_JPAVExecState@1@@Z
     ?parseDateFromNullTerminatedCharacters@WTF@@YANPBD@Z
+    ?preventExtensions@JSObject@JSC@@UAEXAAVJSGlobalData@2@@Z
     ?profiler@Profiler@JSC@@SAPAV12@XZ
     ?protect@Heap@JSC@@QAEXVJSValue@2@@Z

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -178 +178 @@
 }
 
+static inline WriteBarrierBase<Unknown>* createPrototypeProperty(JSGlobalData& globalData, JSGlobalObject* globalObject, JSFunction* function)
+{
+    ExecState* exec = globalObject->globalExec();
+    if (WriteBarrierBase<Unknown>* location = function->getDirectLocation(globalData, exec->propertyNames().prototype))
+        return location;
+    JSObject* prototype = constructEmptyObject(exec, globalObject->emptyObjectStructure());
+    prototype->putDirect(globalData, exec->propertyNames().constructor, function, DontEnum);
+    function->putDirect(globalData, exec->propertyNames().prototype, prototype, DontDelete | DontEnum);
+    return function->getDirectLocation(exec->globalData(), exec->propertyNames().prototype);
+}
+
+void JSFunction::preventExtensions(JSGlobalData& globalData)
+{
+    createPrototypeProperty(globalData, scope()->globalObject.get(), this);
+    JSObject::preventExtensions(globalData);
+}
+
 bool JSFunction::getOwnPropertySlot(ExecState* exec, const Identifier& propertyName, PropertySlot& slot)
 {
@@ -186 +203 @@
         WriteBarrierBase<Unknown>* location = getDirectLocation(exec->globalData(), propertyName);
 
-        if (!location) {
-            JSObject* prototype = constructEmptyObject(exec, scope()->globalObject->emptyObjectStructure());
-            prototype->putDirect(exec->globalData(), exec->propertyNames().constructor, this, DontEnum);
-            putDirect(exec->globalData(), exec->propertyNames().prototype, prototype, DontDelete | DontEnum);
-            location = getDirectLocation(exec->globalData(), propertyName);
-        }
+        if (!location)
+            location = createPrototypeProperty(exec->globalData(), scope()->globalObject.get(), this);
 
         slot.setValue(this, location->get(), offsetForLocation(location));

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -92 +92 @@
         bool isHostFunctionNonInline() const;
 
+        virtual void preventExtensions(JSGlobalData&);
         virtual bool getOwnPropertySlot(ExecState*, const Identifier&, PropertySlot&);
         virtual bool getOwnPropertyDescriptor(ExecState*, const Identifier&, PropertyDescriptor&);

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -510 +510 @@
 void JSObject::seal(JSGlobalData& globalData)
 {
+    if (isSealed(globalData))
+        return;
+    preventExtensions(globalData);
     setStructure(globalData, Structure::sealTransition(globalData, m_structure.get()));
 }
@@ -515 +518 @@
 void JSObject::freeze(JSGlobalData& globalData)
 {
+    if (isFrozen(globalData))
+        return;
+    preventExtensions(globalData);
     setStructure(globalData, Structure::freezeTransition(globalData, m_structure.get()));
 }

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -212 +212 @@
         void seal(JSGlobalData&);
         void freeze(JSGlobalData&);
-        void preventExtensions(JSGlobalData&);
+        virtual void preventExtensions(JSGlobalData&);
         bool isSealed(JSGlobalData& globalData) { return m_structure->isSealed(globalData); }
         bool isFrozen(JSGlobalData& globalData) { return m_structure->isFrozen(globalData); }