Bug 239440

Summary:

Harden setPrototypeOf().

Product:

WebKit

Reporter:

Mark Lam <mark.lam>

Component:

JavaScriptCore

Assignee:

Mark Lam <mark.lam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

saam, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
patch for landing.	none

Description Mark Lam 2022-04-17 14:42:53 PDT

<rdar://problem/91761043>

Comment 1 Mark Lam 2022-04-17 14:51:16 PDT

Created attachment 457778 [details]
patch for landing.

Comment 2 Mark Lam 2022-04-17 14:54:02 PDT

Landed in r292950: <http://trac.webkit.org/r292950>.

Comment 3 Saam Barati 2022-04-18 10:15:30 PDT

Comment on attachment 457778 [details]
patch for landing.

View in context: https://bugs.webkit.org/attachment.cgi?id=457778&action=review

> Source/JavaScriptCore/runtime/JSObject.cpp:1881
> +    else if (UNLIKELY(!prototype.isNull())) // Conservative hardening.
> +        return;

should the above just be a release assert and we can remove this?