Open Bug 1110083 Opened 10 years ago Updated 2 years ago

Review existing getProto call sites for safety

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

People

(Reporter: anba, Unassigned)

References

Details

Attachments

(2 files)

proto
2.94 KB, patch
Details | Diff | Splinter Review
tests
2.15 KB, patch
Details | Diff | Splinter Review
Somewhat similar to bug 914830, therefore I've cc'ed everyone from that bug. Circular prototype chains are going to be possible in ES6. Apparently [1] was closed by removing the finite prototype chain length requirement from [[GetPrototypeOf]] in "6.1.7.3 Invariants of the Essential Internal Methods" [2]. And that means loops like the one in ObjectMayHaveExtraIndexedProperties (src/jsarray.cpp) need to be rewritten to stop after a certain number of iterations, otherwise the browser hangs. Yuk! [1] https://bugs.ecmascript.org/show_bug.cgi?id=2437 [2] https://people.mozilla.org/~jorendorff/es6-draft.html#sec-invariants-of-the-essential-internal-methods Example from the spec bug report: ``` var obj1 = {}; var obj2 = {}; var obj3 = {}; var getPrototypeOfCalled = false; var setPrototypeOfCalled = false; var p3 = new Proxy(obj3, { getPrototypeOf(t) { print("getPrototypeOf called"); if (getPrototypeOfCalled && !setPrototypeOfCalled) { setPrototypeOfCalled = true; Object.setPrototypeOf(obj2, obj1); } getPrototypeOfCalled = true; return Reflect.getPrototypeOf(t); } }); Object.setPrototypeOf(obj2, p3); Object.setPrototypeOf(obj1, obj2); print(`Object.getPrototypeOf(obj1) === obj2? ${Object.getPrototypeOf(obj1) === obj2}`); print(`Object.getPrototypeOf(obj2) === obj1? ${Object.getPrototypeOf(obj2) === obj1}`); ``` Output per ES6 (rev29, December 6, 2014 Draft): ``` getPrototypeOf called getPrototypeOf called Object.getPrototypeOf(obj1) === obj2? true Object.getPrototypeOf(obj2) === obj1? true ```
See also discussion from bug 1108895.
Blocks: 1108895
Attached patch protoSplinter Review
I reviewed all callsites to JSObject::getProto that are potentially dangerous, but I am not sure if I got them all. We also need to review the rest of the browser, which can call JS_GetPrototype or js::GetObjectProto.
Attached patch testsSplinter Review
This tests the places where we would otherwise hang.
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: