YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix prototype chain traversing (#4458)

Browse Source 
After the introduction of the Proxy builtin object there was
a possibility to traverse the prototype chain with an invalid object.
The prototype was freed before it's data/properties were queried resulting
in accessing invalid information.

By forcing the allocator to always do a gc (`--mem-stres-test=on` build option)
it was possible to trigger the issue without complicated tests.

New internal method:
* `ecma_op_object_get_prototype_of` which always returns the prototype
  of an object and the return value must be freed (if it is valid).

Updated prototype chain traversing in:
* `jerry_object_get_property_names`
* `ecma_builtin_object_prototype_lookup_getter_setter`
* `ecma_op_function_has_instance`
* `ecma_op_function_get_super_constructor`
* `ecma_op_object_is_prototype_of`
* `ecma_op_object_enumerate`

Removed method `ecma_proxy_object_prototype_to_cp`

JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
This commit is contained in:
Péter Gál
2021-01-15 20:54:09 +01:00
committed by GitHub
parent abedab5ac2
commit 5e483633f3
8 changed files with 198 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files
jerry-core/ecma/operations/ecma-objects.c
+80 -48
View File
@@ -1989,6 +1989,55 @@ ecma_op_object_has_instance (ecma_object_t *obj_p, /**< the object */
return ecma_raise_type_error (ECMA_ERR_MSG ("Expected a function object."));
} /* ecma_op_object_has_instance */
/**
* General [[GetPrototypeOf]] abstract operation
*
* Note: returned valid object must be freed.
*
* @return ecma_object_t * - prototype of the input object.
* ECMA_OBJECT_POINTER_ERROR - error reported during Proxy resolve.
* NULL - the input object does not have a prototype.
*/
ecma_object_t *
ecma_op_object_get_prototype_of (ecma_object_t *obj_p) /**< input object */
{
JERRY_ASSERT (obj_p != NULL);
#if ENABLED (JERRY_BUILTIN_PROXY)
if (ECMA_OBJECT_IS_PROXY (obj_p))
{
ecma_value_t proto = ecma_proxy_object_get_prototype_of (obj_p);
if (ECMA_IS_VALUE_ERROR (proto))
{
return ECMA_OBJECT_POINTER_ERROR;
}
if (ecma_is_value_null (proto))
{
return NULL;
}
JERRY_ASSERT (ecma_is_value_object (proto));
return ecma_get_object_from_value (proto);
}
else
#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
{
jmem_cpointer_t proto_cp = ecma_op_ordinary_object_get_prototype_of (obj_p);
if (proto_cp == JMEM_CP_NULL)
{
return NULL;
}
ecma_object_t *proto_p = ECMA_GET_NON_NULL_POINTER (ecma_object_t, proto_cp);
ecma_ref_object (proto_p);
return proto_p;
}
} /* ecma_op_object_get_prototype_of */
/**
* Object's isPrototypeOf operation
*
@@ -2003,40 +2052,31 @@ ecma_value_t
ecma_op_object_is_prototype_of (ecma_object_t *base_p, /**< base object */
ecma_object_t *target_p) /**< target object */
{
ecma_ref_object (target_p);
do
{
jmem_cpointer_t target_cp;
#if ENABLED (JERRY_BUILTIN_PROXY)
if (ECMA_OBJECT_IS_PROXY (target_p))
{
ecma_value_t target_proto = ecma_proxy_object_get_prototype_of (target_p);
ecma_object_t *proto_p = ecma_op_object_get_prototype_of (target_p);
ecma_deref_object (target_p);
if (ECMA_IS_VALUE_ERROR (target_proto))
{
return target_proto;
}
target_cp = ecma_proxy_object_prototype_to_cp (target_proto);
}
else
{
#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
target_cp = ecma_op_ordinary_object_get_prototype_of (target_p);
#if ENABLED (JERRY_BUILTIN_PROXY)
}
#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
if (target_cp == JMEM_CP_NULL)
if (proto_p == NULL)
{
return ECMA_VALUE_FALSE;
}
target_p = ECMA_GET_NON_NULL_POINTER (ecma_object_t, target_cp);
if (target_p == base_p)
else if (proto_p == ECMA_OBJECT_POINTER_ERROR)
{
return ECMA_VALUE_ERROR;
}
else if (proto_p == base_p)
{
ecma_deref_object (proto_p);
return ECMA_VALUE_TRUE;
}
} while (true);
/* Advance up on prototype chain. */
target_p = proto_p;
}
while (true);
} /* ecma_op_object_is_prototype_of */
/**
@@ -2489,8 +2529,7 @@ ecma_op_object_enumerate (ecma_object_t *obj_p) /**< object */
ecma_collection_t *visited_names_p = ecma_new_collection ();
ecma_collection_t *return_names_p = ecma_new_collection ();
jmem_cpointer_t obj_cp;
ECMA_SET_NON_NULL_POINTER (obj_cp, obj_p);
ecma_ref_object (obj_p);
while (true)
{
@@ -2501,6 +2540,7 @@ ecma_op_object_enumerate (ecma_object_t *obj_p) /**< object */
{
ecma_collection_free (return_names_p);
ecma_collection_free (visited_names_p);
ecma_deref_object (obj_p);
return keys;
}
#endif /* ENABLED (JERRY_ESNEXT) */
@@ -2525,6 +2565,7 @@ ecma_op_object_enumerate (ecma_object_t *obj_p) /**< object */
ecma_collection_free (keys);
ecma_collection_free (return_names_p);
ecma_collection_free (visited_names_p);
ecma_deref_object (obj_p);
return NULL;
}
@@ -2554,32 +2595,23 @@ ecma_op_object_enumerate (ecma_object_t *obj_p) /**< object */
ecma_collection_free (keys);
#if ENABLED (JERRY_BUILTIN_PROXY)
if (ECMA_OBJECT_IS_PROXY (obj_p))
{
ecma_value_t parent = ecma_proxy_object_get_prototype_of (obj_p);
/* Query the prototype. */
ecma_object_t *proto_p = ecma_op_object_get_prototype_of (obj_p);
ecma_deref_object (obj_p);
if (ECMA_IS_VALUE_ERROR (parent))
{
ecma_collection_free (return_names_p);
ecma_collection_free (visited_names_p);
return NULL;
}
obj_cp = ecma_proxy_object_prototype_to_cp (parent);
}
else
#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
{
obj_cp = ecma_op_ordinary_object_get_prototype_of (obj_p);
}
if (obj_cp == JMEM_CP_NULL)
if (proto_p == NULL)
{
break;
}
else if (JERRY_UNLIKELY (proto_p == ECMA_OBJECT_POINTER_ERROR))
{
ecma_collection_free (return_names_p);
ecma_collection_free (visited_names_p);
return NULL;
}
obj_p = ECMA_GET_NON_NULL_POINTER (ecma_object_t, obj_cp);
/* Advance up on prototype chain. */
obj_p = proto_p;
}
ecma_collection_free (visited_names_p);