Closed
Bug 560734
Opened 14 years ago
Closed 7 months ago
shape of all String objects is identical
Categories
(Core :: JavaScript Engine, defect)
Status: RESOLVED WONTFIX
People
(Reporter: gal, Unassigned)
Details
shapeOf(new String("")) == shapeOf(new String("1"))

Even though

"0" in (new String("")) == false
"0" in (new String("1")) == true

This might be a problem for other classes, too.
Comment 1 • 14 years ago (Reporter)
This bit me trying to cache iterators for string objects.
Comment 2 • 14 years ago (Reporter)
To add injury to insult, once the enumerate hook instantiates the properties, the shape changes. Lame.

js> var s = new String("1")
js> print(shapeOf(s))
227
js> for (i in s) print(i)
0
js> print(shapeOf(s))
232
Updated • 14 years ago (Reporter)
Group: core-security
Comment 3 • 14 years ago (Reporter)
I think this is exploitable. PoC to follow. Hiding in the mean time.
Comment 4 • 14 years ago (Reporter)
Actually, I think we should be safe. I was worried that it's possible to record a trace (or cause a prop cache entry) with the wrong shape, but it seems that's not possible because if either the resolve hook or the enumerate hook run, the shape gets updated and that new shape goes into the prop cache or onto the trace. jorendorff, can you double check my math and then open up the bug?
Comment 5 • 14 years ago
You may recall us implementing TM in 2008, force-filling the property cache from the tracer, including lookup -> resolve? Jason noted the bug that we don't guarantee that resolve is called on trace, but we rely on shape guards. See bug 519770. /be
Group: core-security
Comment 6 • 14 years ago (Reporter)
Yeah. I am working around this in my iteration patch by not relying on shape for iterator caching if there are enumeration hooks. Lame^2 but it works.
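The hazard discussed in this bug, and the workaround from the comment above, as an added toy model (this is not SpiderMonkey code and not the reporter's patch). `shapeOf` here is a constructed stand-in for the engine's shape id: it reflects the prototype and ordinary assigned properties but, like the real shape for String wrappers, ignores the index properties that an enumerate hook materializes lazily; `hasLazyProperties` is likewise an assumed stand-in for "this class has an enumerate hook".

```javascript
// Toy stand-in for the engine's shape id (constructed for this illustration).
// String index properties are lazily materialized by an enumerate hook, so
// they are deliberately excluded, which is what makes new String("") and
// new String("1") share a shape even though their own-property sets differ.
const shapeIds = new Map();
function shapeOf(obj) {
  const own = Object.keys(obj).filter(
    (k) => !(obj instanceof String && /^\d+$/.test(k)));
  const key = Object.getPrototypeOf(obj).constructor.name + ":" + own.join(",");
  if (!shapeIds.has(key)) shapeIds.set(key, shapeIds.size + 1);
  return shapeIds.get(key);
}

// Naive iterator cache: assumes "same shape" implies "same enumerable keys".
const naiveCache = new Map();
function keysNaive(obj) {
  const s = shapeOf(obj);
  if (!naiveCache.has(s)) naiveCache.set(s, Object.keys(obj));
  return naiveCache.get(s);
}

// Guarded cache: objects whose class materializes properties lazily (has an
// enumerate hook) are never served from the shape-keyed cache.
function hasLazyProperties(obj) {
  return obj instanceof String; // assumed stand-in for "class has enumerate hook"
}
const guardedCache = new Map();
function keysGuarded(obj) {
  if (hasLazyProperties(obj)) return Object.keys(obj);
  const s = shapeOf(obj);
  if (!guardedCache.has(s)) guardedCache.set(s, Object.keys(obj));
  return guardedCache.get(s);
}

// Reproduces the bug: priming the naive cache with new String("") makes it
// report no index keys for new String("1"), although "0" in that object is true.
function demo() {
  const empty = new String("");
  const one = new String("1");
  const sameShape = shapeOf(empty) === shapeOf(one);
  keysNaive(empty);                 // primes the cache entry for this shape with []
  const naive = keysNaive(one);     // stale: [] served from the cache
  const guarded = keysGuarded(one); // correct: ["0"]
  return { sameShape, has0: "0" in one, naive, guarded };
}
```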
Updated • 10 years ago (Assignee)
Assignee: general → nobody
Updated • 2 years ago
Severity: normal → S3
Updated • 7 months ago
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → WONTFIX