Context Navigation

← Previous Change
Next Change →

JSFunction.cpp

Timestamp:

Nov 15, 2010, 10:05:38 PM (15 years ago)

Author:

[email protected]

Message:

Bug 49577 - Function.prototype should be non-configurable

Reviewed by Sam Weinig.

JavaScriptCore:

JSC lazily allocates the prototype property of Function objects.

We check the prototype exists on 'get', but not on 'put'.
If you 'put' without having first done a 'get' you can end up with a configurable
prototype (prototype should only ever be non-configurable).

This is visible in a couple of ways:

'delete' on the property may succeed. (the next access will result in a new, reset prototype object).
the prototype may be set to a getter.

runtime/JSFunction.cpp:

(JSC::JSFunction::getOwnPropertyNames):

Reify the prototype property before allowing an enumerate including don't enum properties.

(JSC::JSFunction::put):

Reify the prototype property before any put to it.

LayoutTests:

fast/js/script-tests/Object-getOwnPropertyNames.js:
fast/js/Object-getOwnPropertyNames-expected.txt:

Object.getOwnPropertyNames should enumerate the 'prototype' property on Functions.

fast/js/function-prototype-descriptor.html: Added.
fast/js/function-prototype-descriptor-expected.txt: Added.
fast/js/script-tests/function-prototype-descriptor.js: Added.

Test the attributes of Functions' prototype properties.

File:

: 1 edited

trunk/JavaScriptCore/runtime/JSFunction.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JavaScriptCore/runtime/JSFunction.cpp

-              r72050
+              r72063
+{
     if (!isHostFunction() && (mode == IncludeDontEnumProperties)) {
+        // Make sure prototype has been reified.
+        PropertySlot slot;
+        getOwnPropertySlot(exec, exec->propertyNames().prototype, slot);
         propertyNames.add(exec->propertyNames().arguments);
         propertyNames.add(exec->propertyNames().callee);
 …
         Base::put(exec, propertyName, value, slot);
         return;
+    }
+    if (propertyName == exec->propertyNames().prototype) {
+        // Make sure prototype has been reified, such that it can only be overwritten
+        // following the rules set out in ECMA-262 8.12.9.
+        PropertySlot slot;
+        getOwnPropertySlot(exec, propertyName, slot);
+    }
     if (jsExecutable()->isStrictMode()) {

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 72063 in webkit for trunk/JavaScriptCore/runtime/JSFunction.cpp

Legend:

trunk/JavaScriptCore/runtime/JSFunction.cpp

Download in other formats: