MergeSort needs to invoke callFunction

RESOLVED FIXED in Firefox 51

Status

()

RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: anba, Assigned: efaust, Mentored)

Tracking

(Blocks: 1 bug)

Trunk
mozilla51
Points:
---

Firefox Tracking Flags

(firefox50 affected, firefox51 fixed)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Test case:
---
Function.prototype.call = function() {
    return "kaboom";
};
r = [].sort.apply(new Int8Array(0), [(a, b) => (a - b)|0]);
print("result", r);
---

Expected: Doesn't print "kaboom"
Actual: Prints "kaboom"
(Reporter)

Comment 1

2 years ago
BytecodeEmitter::emitDebugOnlyCheckSelfHosted() is not called for JSOP_FUNAPPLY/JSOP_FUNCALL, is it? Because I'd normally expect a debug warning for the (call-)method syntax in [1].

[1] http://hg.mozilla.org/mozilla-central/file/4a18b5cacb1b/js/src/builtin/Sorting.js#l240
Flags: needinfo?(efaustbmo)
Blocks: 1291005
Mentor: winter2718
(Assignee)

Comment 2

2 years ago
Created attachment 8777559 [details] [diff] [review]
Fix

Nice find, thanks!

Just remove method calls again. We re-added them optimistically when we added callContentFunction, but there's no reason to, and it avoids this kind of nonsense. This is less ergonomic, but safer.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8777559 - Flags: review?(till)
Comment on attachment 8777559 [details] [diff] [review]
Fix

Review of attachment 8777559 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with comments addressed. Thank you for doing this.

::: js/src/frontend/Parser.cpp
@@ +8847,5 @@
>                  return handler.newSetThis(thisName, nextMember);
>              }
>  
> +            if (options().selfHostingMode && handler.isPropertyAccess(lhs)) {
> +                report(ParseError, false, null(), JSMSG_SELFHOSTED_METHOD_CALL);

I think this should be an ASSERT. There's no situation in which we would successfully complete startup after this error has been thrown, so we might just as well abort now.

::: js/src/js.msg
@@ +299,5 @@
>  MSG_DEF(JSMSG_REDECLARED_PARAM,        1, JSEXN_SYNTAXERR, "redeclaration of formal parameter {0}")
>  MSG_DEF(JSMSG_RESERVED_ID,             1, JSEXN_SYNTAXERR, "{0} is a reserved identifier")
>  MSG_DEF(JSMSG_REST_WITH_DEFAULT,       0, JSEXN_SYNTAXERR, "rest parameter may not have a default")
>  MSG_DEF(JSMSG_SELFHOSTED_TOP_LEVEL_LEXICAL, 1, JSEXN_SYNTAXERR, "self-hosted code cannot contain top-level {0} declarations")
> +MSG_DEF(JSMSG_SELFHOSTED_METHOD_CALL,  0, JSEXN_SYNTAXERR, "self-hosted code may not contain direct method calls. Use callFunction() or callContentFunction()")

... which would obviate the need for this.
Attachment #8777559 - Flags: review?(till) → review+

Comment 4

2 years ago
Pushed by efaustbmo@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ec1190dcff7c
Re-disallow method calls in self-hosted code. (r=till)
(Assignee)

Comment 5

2 years ago
Till and I discussed the review on IRC, and agreed to go with the original patch.

Comment 6

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ec1190dcff7c
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in before you can comment on or make changes to this bug.