Changeset 60390 in webkit for trunk/JavaScriptCore/runtime/JSObject.h

Timestamp:

May 28, 2010, 11:16:25 PM (15 years ago)

Author:

[email protected]

Message:

2010-05-28 Jedrzej Nowacki <​[email protected]>

Reviewed by Geoffrey Garen.

Fix the JSObjectSetPrototype function.

A cycle in a prototype chain can cause an application hang or
even crash.
A check for a prototype chain cycles was added to
the JSObjectSetPrototype.

JSObjectSetPrototype doesn't check for cycle in prototype chain.
​https://bugs.webkit.org/show_bug.cgi?id=39360

• API/JSObjectRef.cpp: (JSObjectSetPrototype):
• API/tests/testapi.c: (assertTrue): (checkForCycleInPrototypeChain): (main):
• runtime/JSObject.cpp: (JSC::JSObject::put):
• runtime/JSObject.h: (JSC::JSObject::setPrototypeWithCycleCheck):

File:

• trunk/JavaScriptCore/runtime/JSObject.h (modified) (2 diffs)

trunk/JavaScriptCore/runtime/JSObject.h

@@ -89 +89 @@
         JSValue prototype() const;
         void setPrototype(JSValue prototype);
+        bool setPrototypeWithCycleCheck(JSValue prototype);
         
         void setStructure(NonNullPassRefPtr<Structure>);
@@ -311 +312 @@
 {
     return m_structure->storedPrototype();
+}
+
+inline bool JSObject::setPrototypeWithCycleCheck(JSValue prototype)
+{
+    JSValue nextPrototypeValue = prototype;
+    while (nextPrototypeValue && nextPrototypeValue.isObject()) {
+        JSObject* nextPrototype = asObject(nextPrototypeValue)->unwrappedObject();
+        if (nextPrototype == this)
+            return false;
+        nextPrototypeValue = nextPrototype->prototype();
+    }
+    setPrototype(prototype);
+    return true;
 }