Bug 239440 - Harden setPrototypeOf().
Summary: Harden setPrototypeOf().
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:

Reported: 2022-04-17 14:42 PDT by Mark Lam
Modified: 2022-04-18 10:15 PDT
CC List: 2 users
See Also:

Attachments
patch for landing. (5.43 KB, patch)
2022-04-17 14:51 PDT, Mark Lam
Description Mark Lam 2022-04-17 14:42:53 PDT
<rdar://problem/91761043>
Comment 1 Mark Lam 2022-04-17 14:51:16 PDT
Created attachment 457778
patch for landing.
Comment 2 Mark Lam 2022-04-17 14:54:02 PDT
Landed in r292950: <http://trac.webkit.org/r292950>.
Comment 3 Saam Barati 2022-04-18 10:15:30 PDT
Comment on attachment 457778
patch for landing.

View in context: https://bugs.webkit.org/attachment.cgi?id=457778&action=review

> Source/JavaScriptCore/runtime/JSObject.cpp:1881
> +    else if (UNLIKELY(!prototype.isNull())) // Conservative hardening.
> +        return;
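
Review bot: the bare `return` in the `else if` branch at JSObject.cpp:1881 silently drops a prototype value that is neither an object nor null, and the `// Conservative hardening.` comment does not say which invariant the branch guards or how such a value could reach this point; either document that in the comment, or make the branch a release assertion so a violated invariant is reported instead of masked.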

Should the above just be a release assert and we can remove this?