Invoking Object.prototype.__proto__ accessors directly should throw a TypeError.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Oct 2016 03:52:29 +0000 (03:52 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Oct 2016 03:52:29 +0000 (03:52 +0000)
commit4ed9b35db933b7c086917cdc02456b81a8df686b
treeb33a0a49991b7447e1ff7fd3d07ef29f0ada57d3
parent326b0e1bc5fed183f149f76a7c26aa40adeb4d21
Invoking Object.prototype.__proto__ accessors directly should throw a TypeError.
https://bugs.webkit.org/show_bug.cgi?id=154377
<rdar://problem/27330808>

Reviewed by Filip Pizlo and Saam Barati.

JSTests:

* stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js: Added.

Source/JavaScriptCore:

In a scenario where we cache the __proto__ accessors in global variables, and
later explicitly invoke those accessors as functions, the spec for Function Calls
(see https://tc39.github.io/ecma262/#sec-function-calls) states that the function
ref value is of type Reference, and base of ref is an Environment Record.  Then,
it follows that the thisValue should be set to refEnv.WithBaseObject()
(see section 4.b.ii of 12.3.4.1 at
https://tc39.github.io/ecma262/#sec-function-calls-runtime-semantics-evaluation).

refEnv in this case is the environment record that the cached accessors were
found in i.e. the global object.  The WithBaseObject() of the global object is
undefined (see details about WithBaseObject at
https://tc39.github.io/ecma262/#sec-environment-records).

Hence, the __proto__ accessors should see a thisValue of undefined, and throw
TypeErrors.  See https://tc39.github.io/ecma262/#sec-get-object.prototype.__proto__,
https://tc39.github.io/ecma262/#sec-set-object.prototype.__proto__,
https://tc39.github.io/ecma262/#sec-toobject, and
https://tc39.github.io/ecma262/#sec-requireobjectcoercible.

In JSC's implementation, the callee needs to do a ToThis operation on the
incoming "this" argument in order to get the specified thisValue.  The
implementations of the __proto__ accessors were not doing this correctly.  This
has now been fixed.

* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):

LayoutTests:

* http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html:
* js/dom/activation-proto-expected.txt:
* js/dom/script-tests/activation-proto.js:
* js/object-literal-shorthand-construction-expected.txt:
* js/script-tests/object-literal-shorthand-construction.js:
* js/script-tests/sloppy-getter-setter-global-object.js:
* js/sloppy-getter-setter-global-object-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@207518 268f45cc-cd09-0410-ab3c-d52691b4dbfc
16 files changed:
JSTests/ChangeLog
JSTests/stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js [new file with mode: 0644]
LayoutTests/ChangeLog
LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt
LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt
LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt
LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt
LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html
LayoutTests/js/dom/activation-proto-expected.txt
LayoutTests/js/dom/script-tests/activation-proto.js
LayoutTests/js/object-literal-shorthand-construction-expected.txt
LayoutTests/js/script-tests/object-literal-shorthand-construction.js
LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js
LayoutTests/js/sloppy-getter-setter-global-object-expected.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp