WebKit Bugzilla
Attachment 370448 Details for Bug 198138: createListFromArrayLike should throw if value is not an object
Patch: bug-198138-20190523000230.patch (text/plain), 4.63 KB, created by Tadeu Zagallo on 2019-05-22 15:02:32 PDT
>Subversion Revision: 245648 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 9d141dfe3700364b88fbdae27fbbe8df539ebe73..0a0243de45c3dd5c06ae6cd54facc3c50c133d49 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,17 @@ >+2019-05-21 Tadeu Zagallo <tzagallo@apple.com> >+ >+ createListFromArrayLike should throw if value is not an object >+ https://bugs.webkit.org/show_bug.cgi?id=198138 >+ >+ Reviewed by Yusuke Suzuki. >+ >+ According to the spec[1], createListFromArrayLike should throw a type error if the array-like value >+ passed in is not an object. >+ [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-createlistfromarraylike >+ >+ * runtime/JSObjectInlines.h: >+ (JSC::createListFromArrayLike): >+ > 2019-05-22 Commit Queue <commit-queue@webkit.org> > > Unreviewed, rolling out r245634. >diff --git a/Source/JavaScriptCore/runtime/JSObjectInlines.h b/Source/JavaScriptCore/runtime/JSObjectInlines.h >index 83dc23dc8cbb5b981e8afc9147899316b7ccc31c..6887d169c1da904ec1e334726cc83877fcdebd99 100644 >--- a/Source/JavaScriptCore/runtime/JSObjectInlines.h >+++ b/Source/JavaScriptCore/runtime/JSObjectInlines.h >@@ -37,6 +37,11 @@ void createListFromArrayLike(ExecState* exec, JSValue arrayLikeValue, RuntimeTyp > { > VM& vm = exec->vm(); > auto scope = DECLARE_THROW_SCOPE(vm); >+ >+ if (!arrayLikeValue.isObject()) { >+ throwTypeError(exec, scope, "Proxy handler's 'ownKeys' method must return an object"_s); >+ return; >+ } > > Vector<JSValue> result; > JSValue lengthProperty = arrayLikeValue.get(exec, vm.propertyNames->length); >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 016fe014926479921280074dd526759f0392d761..59d401f227fc27e4373eee3ef9c406b6f5fdd5e0 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog 
>@@ -1,3 +1,19 @@ >+2019-05-21 Tadeu Zagallo <tzagallo@apple.com> >+ >+ createListFromArrayLike should throw if value is not an object >+ https://bugs.webkit.org/show_bug.cgi?id=198138 >+ >+ Reviewed by Yusuke Suzuki. >+ >+ * stress/create-list-from-array-like-not-object.js: Added. >+ (testValid): >+ (testInvalid): >+ * stress/proxy-proto-enumerator.js: Added. >+ (main): >+ * stress/proxy-proto-own-keys.js: Added. >+ (assert): >+ (ownKeys): >+ > 2019-05-22 Commit Queue <commit-queue@webkit.org> > > Unreviewed, rolling out r245634. >diff --git a/JSTests/stress/create-list-from-array-like-not-object.js b/JSTests/stress/create-list-from-array-like-not-object.js >new file mode 100644 >index 0000000000000000000000000000000000000000..144096aa015404d52182c7b27bd19ef2f702605b >--- /dev/null >+++ b/JSTests/stress/create-list-from-array-like-not-object.js >@@ -0,0 +1,25 @@ >+function testValid(value) { >+ const foo = {x: 0}; >+ foo.__proto__ = new Proxy({}, { ownKeys() { return value; } }); >+ for (const x in foo) { } >+} >+ >+testValid({}); >+testValid([]); >+testValid(["x", Symbol("y")]); >+testValid({ length: 1, 0: 'x' }); >+ >+function testInvalid(value) { >+ try { >+ testValid(value); >+ throw new Error('should have thrown'); >+ } catch (err) { >+ if (err.message !== "Proxy handler's 'ownKeys' method must return an object") >+ throw new Error("Expected createListFromArrayLike error"); >+ } >+} >+ >+testInvalid(true); >+testInvalid(false); >+testInvalid(null); >+testInvalid(0); >diff --git a/JSTests/stress/proxy-proto-enumerator.js b/JSTests/stress/proxy-proto-enumerator.js >new file mode 100644 >index 0000000000000000000000000000000000000000..d26aad0fb656c03a10d36596c87fdcb59e1f2d07 >--- /dev/null >+++ b/JSTests/stress/proxy-proto-enumerator.js 
>@@ -0,0 +1,10 @@ >+//@ requireOptions("--forceEagerCompilation=true", "--useConcurrentJIT=false") >+ >+function main() { >+ const foo = {x: 0}; >+ foo.__proto__ = new Proxy({}, { ownKeys() { return []; } }); >+ for (const x in foo) { } >+} >+ >+for (let i = 0; i < 0x1000; i++) >+ main(); >diff --git a/JSTests/stress/proxy-proto-own-keys.js b/JSTests/stress/proxy-proto-own-keys.js >new file mode 100644 >index 0000000000000000000000000000000000000000..5ac59fdfd904fa941235852b9fc932419f29de27 >--- /dev/null >+++ b/JSTests/stress/proxy-proto-own-keys.js >@@ -0,0 +1,15 @@ >+function assert(condition, message) { >+ if (!condition) >+ throw new Error(message); >+} >+ >+const foo = {x: 0}; >+foo.__proto__ = new Proxy({y: 1}, { ownKeys() { return ['y']; } }); >+const keys = []; >+for (const x in foo) { >+ keys.push(x); >+} >+ >+assert(keys.length == 2, "Should have 2 keys"); >+assert(keys.includes("x"), "Should have key `x`"); >+assert(keys.includes("y"), "Should have key `y`");
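Review bot: In Source/JavaScriptCore/runtime/JSObjectInlines.h, the new isObject() guard hardcodes the message "Proxy handler's 'ownKeys' method must return an object" inside createListFromArrayLike, whose name and signature are not specific to Proxy. Any caller other than the ownKeys path would report a misleading TypeError, so consider passing the message in from the caller or using a neutral one. The placement before arrayLikeValue.get(exec, vm.propertyNames->length) is right, since it stops a primitive before the length lookup runs.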
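Review bot: In JSTests/stress/create-list-from-array-like-not-object.js, testInvalid throws new Error('should have thrown') inside the try block, so its own catch swallows it and the failure is reported as "Expected createListFromArrayLike error", which hides the case where no exception was thrown at all. Record whether the call threw and check that after the try/catch instead. Coverage also stops at true, false, null and 0: undefined, a Symbol and a string such as "x" are missing, and the string is the most useful addition because it is a primitive that still exposes a length and indexed elements.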
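Review bot: JSTests/stress/proxy-proto-enumerator.js has no assertion and no comment, so it passes only by not crashing under --forceEagerCompilation=true and --useConcurrentJIT=false, and neither the file nor the JSTests ChangeLog entry says what behaviour it guards. Add a one-line comment naming the condition under test, and state in the ChangeLog why this file and proxy-proto-own-keys.js are added alongside the non-object check, since both return valid arrays from ownKeys and never reach the new TypeError.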