Closed Bug 560734 Opened 14 years ago Closed 7 months ago

shape of all String objects is identical

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect

RESOLVED WONTFIX

People

(Reporter: gal, Unassigned)

Details

shapeOf(new String("")) == shapeOf(new String("1"))

Even though

"0" in (new String("")) == false
"0" in (new String("1")) == true

This might be a problem for other classes, too.
This bit me trying to cache iterators for string objects.
To add injury to insult, once the enumerate hook instantiates the properties, the shape changes. Lame.

js> var s = new String("1")
js> print(shapeOf(s))
227
js> for (i in s) print(i) 
0
js> print(shapeOf(s))
232
Group: core-security

I think this is exploitable. PoC to follow. Hiding in the mean time.

Actually, I think we should be safe. I was worried that it's possible to record a trace (or cause a prop cache entry) with the wrong shape, but it seems that's not possible because if either the resolve hook or the enumerate hook run, the shape gets updated and that new shape goes into the prop cache or onto the trace. jorendorff, can you double check my math and then open up the bug?

You may recall us implementing TM in 2008, force-filling the property cache from the tracer, including lookup -> resolve?

Jason noted the bug that we don't guarantee that resolve is called on trace, but we rely on shape guards. See bug 519770.

/be
Group: core-security

Yeah. I am working around this in my iteration patch by not relying on shape for iterator caching if there are enumeration hooks. Lame^2 but it works.
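Added example, not code from this bug or from SpiderMonkey: a small JavaScript model of a shape-keyed for-in key cache, showing why the identical shapes of `new String("")` and `new String("1")` described above would hand out a stale key list, and the workaround from the last comment (bypass the cache for any class that has an enumerate hook). `shapeOf`, `hasEnumerateHook`, `NaiveIteratorCache`, `SafeIteratorCache` and `demo` are all made-up names; the "shape" here is an assumption that deliberately omits a String wrapper's index properties, standing in for an engine that only materializes them when its resolve/enumerate hook runs.

```javascript
"use strict";

// Added example (not from the bug or SpiderMonkey): a toy shape-keyed
// iterator cache. All names below are hypothetical.

// Which classes have an enumerate hook that materializes properties lazily?
// In this model only String wrappers do (their index properties "0".."n-1").
function hasEnumerateHook(obj) {
  return obj instanceof String;
}

// Model of an engine shape: prototype identity plus the own property names
// that are already materialized. Index properties of a String wrapper are
// left out on purpose, mimicking an engine that creates them only when the
// hook runs. That is what makes shapeOf(new String("")) equal to
// shapeOf(new String("1")), as in the bug report.
function shapeOf(obj) {
  const proto = Object.getPrototypeOf(obj);
  const protoTag =
    proto === null ? "null" : (proto.constructor && proto.constructor.name) || "anon";
  const names = Object.getOwnPropertyNames(obj)
    .filter((name) => !(hasEnumerateHook(obj) && /^\d+$/.test(name)))
    .sort();
  return `${protoTag}|${names.join(",")}`;
}

// Ground truth the iterator must produce: enumerable own keys. For a String
// wrapper this does include the index properties ("length" is non-enumerable).
function enumerateKeys(obj) {
  return Object.keys(obj);
}

// Naive cache: assumes equal shape implies equal key list.
class NaiveIteratorCache {
  constructor() {
    this.byShape = new Map();
  }
  keysFor(obj) {
    const shape = shapeOf(obj);
    if (!this.byShape.has(shape)) {
      this.byShape.set(shape, enumerateKeys(obj));
    }
    return this.byShape.get(shape);
  }
}

// Safe cache: objects whose class has an enumerate hook are never served
// from the cache, which is the workaround the thread settles on.
class SafeIteratorCache extends NaiveIteratorCache {
  keysFor(obj) {
    if (hasEnumerateHook(obj)) {
      return enumerateKeys(obj);
    }
    return super.keysFor(obj);
  }
}

// Warm both caches with the empty wrapper, then ask about the one-char wrapper.
function demo() {
  const naive = new NaiveIteratorCache();
  const safe = new SafeIteratorCache();
  const empty = new String("");
  const one = new String("1");

  naive.keysFor(empty);
  safe.keysFor(empty);
  return {
    sameShape: shapeOf(empty) === shapeOf(one), // true: the shapes collide
    naiveKeys: naive.keysFor(one),              // []   : stale entry, "0" is missed
    safeKeys: safe.keysFor(one),                // ["0"]: hook class bypasses the cache
    truth: enumerateKeys(one),                  // ["0"]
  };
}

console.log(demo());
```

For ordinary objects the cache is still sound in this model: `{a: 1}` and `{a: 2}` share a shape and a key list, so the bypass only costs the classes whose property set the shape cannot vouch for.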
Assignee: general → nobody
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → WONTFIX