Context Navigation

← Previous Change
Next Change →

runtime

Timestamp:

Feb 29, 2016, 7:48:36 PM (9 years ago)

Author:

Yusuke Suzuki

Message:

[JSC] Private symbols should not be trapped by proxy handler
https://bugs.webkit.org/show_bug.cgi?id=154817

Reviewed by Mark Lam.

Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
For example, in ArrayIteratorPrototype.js

var itemKind = this.@arrayIterationKind;
if (itemKind === @undefined)

throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");

Here, we assume that only the array iterator has the @arrayIterationKind property that value is non-undefined.
But If we implement Proxy with the get handler, that returns a non-undefined value for every operations, we accidentally assumes that the given value is an array iterator.

To avoid these situation, we perform the default operations onto property operations with private symbols.

runtime/ProxyObject.cpp:

(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::deleteProperty):
(JSC::ProxyObject::deletePropertyByIndex):

tests/stress/proxy-basic.js:
tests/stress/proxy-with-private-symbols.js: Added.

(assert):
(let.handler.getOwnPropertyDescriptor):

File:

: 1 edited

trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp (modified) (12 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp

-              r197295
+              r197383
     ProxyObject* proxyObject = jsCast<ProxyObject*>(proxyObjectAsObject);
+    JSObject* target = proxyObject->target();
+    auto performDefaultGet = [&] {
+        return JSValue::encode(target->get(exec, propertyName));
+    };
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+        return performDefaultGet();
     JSValue handlerValue = proxyObject->handler();
     if (handlerValue.isNull())
 …
         return JSValue::encode(jsUndefined());
-    JSObject* target = proxyObject->target();
     if (getHandler.isUndefined())
         return JSValue::encode(target->get(exec, propertyName));
+        return performDefaultGet();
     MarkedArgumentBuffer arguments;
 …
+{
     VM& vm = exec->vm();
+    JSObject* target = this->target();
+    auto performDefaultGetOwnProperty = [&] {
+        return target->methodTable(vm)->getOwnPropertySlot(target, exec, propertyName, slot);
+    };
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+        return performDefaultGetOwnProperty();
     JSValue handlerValue = this->handler();
     if (handlerValue.isNull()) {
 …
     if (exec->hadException())
         return false;
-    JSObject* target = this->target();
     if (getOwnPropertyDescriptorMethod.isUndefined())
         return target->methodTable(vm)->getOwnPropertySlot(target, exec, propertyName, slot);
+        return performDefaultGetOwnProperty();
     MarkedArgumentBuffer arguments;
 …
+{
     VM& vm = exec->vm();
+    JSObject* target = this->target();
     slot.setValue(this, None, jsUndefined()); // Nobody should rely on our value, but be safe and protect against any bad actors reading our value.
+    auto performDefaultHasProperty = [&] {
+        return target->methodTable(vm)->getOwnPropertySlot(target, exec, propertyName, slot);
+    };
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+        return performDefaultHasProperty();
     JSValue handlerValue = this->handler();
     if (handlerValue.isNull()) {
 …
     if (exec->hadException())
         return false;
-    JSObject* target = this->target();
     if (hasMethod.isUndefined())
         return target->methodTable(vm)->getOwnPropertySlot(target, exec, propertyName, slot);
+        return performDefaultHasProperty();
     MarkedArgumentBuffer arguments;
 …
 template <typename PerformDefaultPutFunction>
+void ProxyObject::performPut(ExecState* exec, JSValue putValue, JSValue thisValue, PropertyName propertyName, PerformDefaultPutFunction performDefaultPutFunction)
+{
+    VM& vm = exec->vm();
+void ProxyObject::performPut(ExecState* exec, JSValue putValue, JSValue thisValue, PropertyName propertyName, PerformDefaultPutFunction performDefaultPut)
+{
+    VM& vm = exec->vm();
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+        return performDefaultPut();
     JSValue handlerValue = this->handler();
     if (handlerValue.isNull()) {
 …
     JSObject* target = this->target();
     if (setMethod.isUndefined()) {
         performDefaultPutFunction();
+        performDefaultPut();
         return;
+    }
 …
 template <typename DefaultDeleteFunction>
+bool ProxyObject::performDelete(ExecState* exec, PropertyName propertyName, DefaultDeleteFunction defaultDeleteFunction)
+{
+    VM& vm = exec->vm();
+bool ProxyObject::performDelete(ExecState* exec, PropertyName propertyName, DefaultDeleteFunction performDefaultDelete)
+{
+    VM& vm = exec->vm();
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+        return performDefaultDelete();
     JSValue handlerValue = this->handler();
     if (handlerValue.isNull()) {
 …
     JSObject* target = this->target();
     if (deletePropertyMethod.isUndefined())
         return defaultDeleteFunction();
+        return performDefaultDelete();
     MarkedArgumentBuffer arguments;
 …
+{
     ProxyObject* thisObject = jsCast<ProxyObject*>(cell);
     auto defaultDelete = [&] () -> bool {
+    auto performDefaultDelete = [&] () -> bool {
         JSObject* target = jsCast<JSObject*>(thisObject->target());
         return target->methodTable(exec->vm())->deleteProperty(target, exec, propertyName);
     };
     return thisObject->performDelete(exec, propertyName, defaultDelete);
+    return thisObject->performDelete(exec, propertyName, performDefaultDelete);
+}
 …
     if (exec->hadException())
         return false;
     auto defaultDelete = [&] () -> bool {
+    auto performDefaultDelete = [&] () -> bool {
         JSObject* target = jsCast<JSObject*>(thisObject->target());
         return target->methodTable(exec->vm())->deletePropertyByIndex(target, exec, propertyName);
     };
     return thisObject->performDelete(exec, ident.impl(), defaultDelete);
+    return thisObject->performDelete(exec, ident.impl(), performDefaultDelete);
+}

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 197383 in webkit for trunk/Source/JavaScriptCore/runtime

Legend:

trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp

Download in other formats: