Open Bug 1110083 Opened 9 years ago Updated 1 year ago

Review existing getProto call sites for safety

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

People

(Reporter: anba, Unassigned)

References

Details

Attachments

(2 files)

proto
2.94 KB, patch
Details | Diff | Splinter Review
tests
2.15 KB, patch
Details | Diff | Splinter Review 
Somewhat similar to bug 914830, therefore I've cc'ed everyone from that bug.

Circular prototype chains are going to be possible in ES6. Apparently [1] was closed by removing the finite prototype chain length requirement from [[GetPrototypeOf]] in "6.1.7.3 Invariants of the Essential Internal Methods" [2]. And that means loops like the one in ObjectMayHaveExtraIndexedProperties (src/jsarray.cpp) need to be rewritten to stop after a certain number of iterations, otherwise the browser hangs. Yuk!


[1] https://bugs.ecmascript.org/show_bug.cgi?id=2437
[2] https://people.mozilla.org/~jorendorff/es6-draft.html#sec-invariants-of-the-essential-internal-methods


Example from the spec bug report:
```
var obj1 = {};
var obj2 = {};
var obj3 = {};

var getPrototypeOfCalled = false;
var setPrototypeOfCalled = false;
var p3 = new Proxy(obj3, {
  getPrototypeOf(t) {
    print("getPrototypeOf called");
    if (getPrototypeOfCalled && !setPrototypeOfCalled) {
      setPrototypeOfCalled = true;
      Object.setPrototypeOf(obj2, obj1);
    }
    getPrototypeOfCalled = true;
    return Reflect.getPrototypeOf(t);
  }
});

Object.setPrototypeOf(obj2, p3);
Object.setPrototypeOf(obj1, obj2);

print(`Object.getPrototypeOf(obj1) === obj2? ${Object.getPrototypeOf(obj1) === obj2}`);
print(`Object.getPrototypeOf(obj2) === obj1? ${Object.getPrototypeOf(obj2) === obj1}`);
```


Output per ES6 (rev29, December 6, 2014 Draft):
```
getPrototypeOf called
getPrototypeOf called
Object.getPrototypeOf(obj1) === obj2? true
Object.getPrototypeOf(obj2) === obj1? true
```
See also discussion from bug 1108895.
Blocks: 1108895
Attached patch protoSplinter Review 
I reviewed all callsites to JSObject::getProto that are potentially dangerous, but I am not sure if I got them all. We also need to review the rest of the browser, which can call JS_GetPrototype or js::GetObjectProto.
Attached patch testsSplinter Review 
This tests the places where we would otherwise hang.
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.