[Webkit-unassigned] [Bug 199292] JSON.parse incorrectly handles array proxies

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 2 14:26:48 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=199292

Yusuke Suzuki <ysuzuki at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ysuzuki at apple.com
 Attachment #373059|review?, commit-queue?      |review-, commit-queue-
              Flags|                            |

--- Comment #2 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 373059
  --> https://bugs.webkit.org/attachment.cgi?id=373059
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=373059&action=review

> Source/JavaScriptCore/ChangeLog:9
> +        1. Use isArray to correctly detect proxied arrays.
> +        2. Make "length" lookup observable to array proxies and handle exceptions.

Let's add each test in addition to test262 to ensure this behavior.

> Source/JavaScriptCore/runtime/JSONObject.cpp:675
> +                ASSERT(isArray(m_exec, inValue));
>                  if (markedStack.size() > maximumFilterRecursion)
>                      return throwStackOverflowError(m_exec, scope);
>  
> -                JSArray* array = asArray(inValue);
> +                auto array = asObject(inValue);
>                  markedStack.appendWithCrashOnOverflow(array);
> -                arrayLengthStack.append(array->length());
> +                unsigned length = isJSArray(array)
> +                    ? asArray(array)->length()
> +                    : array->get(m_exec, vm.propertyNames->length).toUInt32(m_exec);
> +                RETURN_IF_EXCEPTION(scope, { });
> +                arrayLengthStack.append(length);

`isArray` is user-observable, side-effect operations. When we encounter the revoked Proxy, then we throw an error.
So,

1. When `isArray` is used, we need to do error-handling correctly.
2. Since this error is observable (like, throwing an error before/after the other operations, which can be observable to users), when calling `isArray` becomes important.

Is this `isArray()` call specified in the spec?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190702/0aded370/attachment.html>

More information about the webkit-unassigned mailing list