[Webkit-unassigned] [Bug 172572] New: JSObject::getPropertySlot does not appear to access the prototype in a safe way

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 24 19:53:06 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=172572

            Bug ID: 172572
           Summary: JSObject::getPropertySlot does not appear to access
                    the prototype in a safe way
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sbarati at apple.com
                CC: benjamin at webkit.org, fpizlo at apple.com,
                    ggaren at apple.com, gskachkov at gmail.com,
                    jfbastien at apple.com, keith_miller at apple.com,
                    mark.lam at apple.com, msaboff at apple.com,
                    ticaiolima at gmail.com, utatane.tea at gmail.com

It just accesses Structure's storedPrototype, which may not call the method table method.

See:
```
// It may seem crazy to inline a function this large but it makes a big difference
// since this function is very hot in variable lookup
ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
    VM& vm = exec->vm();
    auto& structureIDTable = vm.heap.structureIDTable();
    JSObject* object = this;
    while (true) {
        if (UNLIKELY(TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
            // If propertyName is an index then we may have missed it (as this loop is using
            // getOwnNonIndexPropertySlot), so we cannot safely call the overridden getOwnPropertySlot
            // (lest we return a property from a prototype that is shadowed). Check now for an index,
            // if so we need to start afresh from this object.
            if (std::optional<uint32_t> index = parseIndex(propertyName))
                return getPropertySlot(exec, index.value(), slot);
            // Safe to continue searching from current position; call getNonIndexPropertySlot to avoid
            // parsing the int again.
            return object->getNonIndexPropertySlot(exec, propertyName, slot);
        }
        ASSERT(object->type() != ProxyObjectType);
        Structure* structure = structureIDTable.get(object->structureID());
        if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
            return true;
        JSValue prototype = structure->storedPrototype();
        if (!prototype.isObject())
            break;
        object = asObject(prototype);
    }

    if (std::optional<uint32_t> index = parseIndex(propertyName))
        return getPropertySlot(exec, index.value(), slot);
    return false;
}
```

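As an added illustration (not code from the report or from WebKit), a toy C++ model of the two prototype walks: the unsafe one reads the Structure's cached prototype at every hop, exactly as the quoted loop does, while the hardened one dispatches through the object's getPrototype hook whenever a hypothetical overridesGetPrototype type flag is set. The Object, Structure, flag and lookupX scenario are assumptions of the model, not JavaScriptCore's types.

```cpp
#include <map>
#include <string>
// Toy model added for this report, not JSC's real types. A type may override the method-table
// getPrototype hook; the quoted loop never consults it and reads Structure::storedPrototype.
struct Object;
struct Structure { Object* storedPrototype = nullptr; };
struct Object {
    Structure structure;
    bool overridesGetPrototype = false;            // hypothetical type-info flag
    Object* dynamicPrototype = nullptr;            // what an overriding hook reports
    Object* (*getPrototype)(Object*) = nullptr;    // stand-in for the method-table entry
    std::map<std::string, int> ownProps;
};
Object* exoticGetPrototype(Object* o) { return o->dynamicPrototype; }

// Mirrors the quoted loop: every hop reads storedPrototype directly, so an object that
// overrides getPrototype is walked through the wrong chain.
bool getPropertySlotUnsafe(Object* obj, const std::string& name, int& out) {
    for (Object* o = obj; o; o = o->structure.storedPrototype) {
        auto it = o->ownProps.find(name);
        if (it != o->ownProps.end()) { out = it->second; return true; }
    }
    return false;
}

// Hardened walk: go through the method table whenever the type flag says the hook is
// overridden; the cached Structure field is trusted only for ordinary objects.
bool getPropertySlotSafe(Object* obj, const std::string& name, int& out) {
    for (Object* o = obj; o;) {
        auto it = o->ownProps.find(name);
        if (it != o->ownProps.end()) { out = it->second; return true; }
        o = o->overridesGetPrototype ? o->getPrototype(o) : o->structure.storedPrototype;
    }
    return false;
}

// Constructed scenario: the Structure says the prototype is protoA (x = 1), but the
// exotic object's own getPrototype reports protoB (x = 2). Returns the x found, or -1.
int lookupX(bool useSafeWalk) {
    Object protoA, protoB, exotic;
    protoA.ownProps["x"] = 1; protoB.ownProps["x"] = 2;
    exotic.structure.storedPrototype = &protoA;
    exotic.overridesGetPrototype = true;
    exotic.getPrototype = exoticGetPrototype;
    exotic.dynamicPrototype = &protoB;
    int x = -1;                                    // stays -1 when nothing is found
    (useSafeWalk ? getPropertySlotSafe : getPropertySlotUnsafe)(&exotic, "x", x);
    return x;
}
```

With the unsafe walk lookupX(false) yields 1 from the stale cached chain; the hardened walk lookupX(true) yields 2, the value the object's own getPrototype hook leads to.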