Changeset 60390 in webkit for trunk/JavaScriptCore/runtime


Timestamp:
May 28, 2010, 11:16:25 PM (15 years ago)
Author:
[email protected]
Message:

2010-05-28 Jedrzej Nowacki <[email protected]>

Reviewed by Geoffrey Garen.

Fix the JSObjectSetPrototype function.

A cycle in a prototype chain can cause an application hang or
even crash.
A check for prototype chain cycles was added to JSObjectSetPrototype.

JSObjectSetPrototype doesn't check for cycle in prototype chain.
https://bugs.webkit.org/show_bug.cgi?id=39360

  • API/JSObjectRef.cpp: (JSObjectSetPrototype):
  • API/tests/testapi.c: (assertTrue): (checkForCycleInPrototypeChain): (main):
  • runtime/JSObject.cpp: (JSC::JSObject::put):
  • runtime/JSObject.h: (JSC::JSObject::setPrototypeWithCycleCheck):
Location:
trunk/JavaScriptCore/runtime
Files:
2 edited

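--- a/trunk/JavaScriptCore/runtime/JSObject.cpp
+++ b/trunk/JavaScriptCore/runtime/JSObject.cpp
@@ -105,16 +105,6 @@
         if (!value.isObject() && !value.isNull())
             return;
-
-        JSValue nextPrototypeValue = value;
-        while (nextPrototypeValue && nextPrototypeValue.isObject()) {
-            JSObject* nextPrototype = asObject(nextPrototypeValue)->unwrappedObject();
-            if (nextPrototype == this) {
-                throwError(exec, GeneralError, "cyclic __proto__ value");
-                return;
-            }
-            nextPrototypeValue = nextPrototype->prototype();
-        }
-
-        setPrototype(value);
+        if (!setPrototypeWithCycleCheck(value))
+            throwError(exec, GeneralError, "cyclic __proto__ value");
         return;
     }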
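Review bot: Nothing at the new call site says that a false result from `setPrototypeWithCycleCheck` leaves the prototype untouched, which is the only observable difference between the two branches; a comment such as `// Refuse to install a prototype whose chain already leads back to this object; the prototype is left unchanged.` above `if (!setPrototypeWithCycleCheck(value))` would make that contract visible to the next reader. The error path throws `GeneralError` with the same message the removed inline loop used, so behaviour of the `__proto__` setter appears unchanged by the refactor. JSObject::put begins before this hunk and the rest of its body lies outside it.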
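--- a/trunk/JavaScriptCore/runtime/JSObject.h
+++ b/trunk/JavaScriptCore/runtime/JSObject.h
@@ -89,4 +89,5 @@
         JSValue prototype() const;
         void setPrototype(JSValue prototype);
+        bool setPrototypeWithCycleCheck(JSValue prototype);
 
         void setStructure(NonNullPassRefPtr<Structure>);
@@ -311,4 +312,17 @@
 {
     return m_structure->storedPrototype();
+}
+
+inline bool JSObject::setPrototypeWithCycleCheck(JSValue prototype)
+{
+    JSValue nextPrototypeValue = prototype;
+    while (nextPrototypeValue && nextPrototypeValue.isObject()) {
+        JSObject* nextPrototype = asObject(nextPrototypeValue)->unwrappedObject();
+        if (nextPrototype == this)
+            return false;
+        nextPrototypeValue = nextPrototype->prototype();
+    }
+    setPrototype(prototype);
+    return true;
 }
 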
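Review bot: In the new `setPrototypeWithCycleCheck` body each chain node is compared only after `unwrappedObject()`, while `this` is compared raw, so if the receiver can itself be a wrapper object the check looks like it would compare a wrapper against an unwrapped object and miss the cycle — worth confirming whether `this` should be unwrapped before `if (nextPrototype == this)` as well. The loop also has no iteration bound: it terminates only as long as every existing chain is acyclic, and the unchecked `setPrototype(JSValue)` declared just above the new declaration stays public, so any caller that bypasses the checked variant could make this walk spin forever. I would state that contract on the declaration, e.g. `// Walks |prototype|'s chain and returns false (leaving the prototype untouched) if it already contains this object; callers must raise the error themselves. Assumes existing chains are acyclic.`, and consider an unused-result attribute on the declaration if the project provides one, so a caller cannot silently drop the false result.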