Closed
Bug 583262
Opened 14 years ago
Closed 14 years ago
Security checks on f.prototype.constructor property (CheckCtorGetAccess, CheckCtorSetAccess) can die now
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla2.0b8
People
(Reporter: jorendorff, Assigned: jorendorff)
References
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
2.83 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
The comment on CheckCtorGetAccess says: > * For shared precompilation of function objects, we support cloning on entry > * to an execution context in which the function declaration or expression > * should be processed as if it were not precompiled, where the precompiled > * function's scope chain does not match the execution context's. The cloned > * function object carries its execution-context scope in its parent slot; it > * links to the precompiled function (the "clone-parent") via its proto slot. We don't do that anymore. Now we use the private slot. > * Note that this prototype-based delegation leaves an unchecked access path > * from the clone to the clone-parent's 'constructor' property. If the clone > * lives in a less privileged or shared scope than the clone-parent, this is > * a security hole, a sharing hazard, or both. I don't know how this *ever* worked. You could just say f.valueOf.call(null) and you would have the clone-parent's global, right? Anyway, unless I'm mistaken those checks have been unnecessary for an unsigned long long time.
Assignee | ||
Comment 1•14 years ago
|
||
Assignee: general → jorendorff
Attachment #461565 -
Flags: review?(mrbkap)
Comment 2•14 years ago
|
||
Oh, that is some ancient crap there... /be
Comment 3•14 years ago
|
||
Comment on attachment 461565 [details] [diff] [review] v1 This is the reason that we needed all of those security checks in eval. cloned_fun.eval was actually the original function's scope's eval. This was fixed by bug 300079.
Attachment #461565 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 4•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/c6131ed87e9c
Whiteboard: [fixed-in-tracemonkey]
Comment 5•14 years ago
|
||
What a relief -- that lightened the load. /be
Comment 6•14 years ago
|
||
backed out: http://hg.mozilla.org/mozilla-central/rev/f7478476c9a5 caused bug 584437
Whiteboard: [fixed-in-tracemonkey]
Assignee | ||
Comment 7•14 years ago
|
||
We should try this again. Bug 584565 (which caused bug 584437) was revealed by the change, not directly caused by it. And I think that was a fluke. It's worth just one more try before ff4. If it uncovers still more tracer brokenness, then I'll hold my fire. If you disagree, speak up now.
Comment 8•14 years ago
|
||
No, please, be try again. If we still need these bogo checks something is rotten in Denmark... /be
Assignee | ||
Comment 10•14 years ago
|
||
Waldo, feel free to take this and run with it. I'm off today or I'd do it myself.
Comment 11•14 years ago
|
||
I pushed the patch to try several days ago, nothing broke, so I just pushed to TM: http://hg.mozilla.org/tracemonkey/rev/d3f5185f0392
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b8
Version: Other Branch → Trunk
Comment 12•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d3f5185f0392
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•