52672 2011-01-18 15:08:15 -0800 [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion 2011-01-19 12:19:27 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 13638 1 oliver oliver barraclough ggaren jruderman msaboff oldest_to_newest 336132 0 oliver 2011-01-18 15:08:15 -0800 tryItOut("\"use strict\";h();/**/function h(){(0)}(3);function __proto__(){/j/}\"\"") Adding function labelled __proto__ triggers a changed prototype transition, which converts the structure into a non-dictionary type, leading to badness. I'm inclined to simply disallow __proto__ as a variable or function declaration inside eval code. 336264 1 barraclough 2011-01-18 18:11:43 -0800 We should pop up an alert scolding anyone for running code that redefines __proto__. I'd support disallowing __proto__as a variable or function name in eval code, but it could seem a little arbitrary. Personally I'd go so far as to disallow it everywhere. 336681 2 79458 oliver 2011-01-19 11:54:57 -0800 Created attachment 79458 Patch 336695 3 oliver 2011-01-19 12:19:27 -0800 Committed r76148: <http://trac.webkit.org/changeset/76148> 79458 2011-01-19 11:54:57 -0800 2011-01-19 12:01:19 -0800 Patch bug-52672-20110119115456.patch text/plain 4152 oliver ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCAyMzgyMTc5MWQyMjU4NTljZWU0MGEzYTQ5ZWZlZjU5NGNlOWI1NTk1Li5lYTFkMzNl YjliYmFmYTg1YzIwMGYxNzEyMDVjYmQ5NDY2YTk0Y2YzIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0 cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUgQEAK KzIwMTEtMDEtMTkgIE9saXZlciBIdW50ICA8b2xpdmVyQGFwcGxlLmNvbT4KKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBbanNmdW5mdXp6XSBEZWZpbmlu ZyBhIGZ1bmN0aW9uIGNhbGxlZCBfX3Byb3RvX18gaW5zaWRlIGFuIGV2YWwgdHJpZ2dlcnMgYW4g YXNzZXJ0aW9uCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9p ZD01MjY3MgorCisgICAgICAgIEFkZCB0ZXN0cyB0byBlbnN1cmUgdGhhdCB3ZSBkaXNhbGxvdyBf X3Byb3RvX18gYXMgYSBmdW5jdGlvbiBuYW1lLgorCisgICAgICAgICogZmFzdC9qcy9wYXJzZXIt c3ludGF4LWNoZWNrLWV4cGVjdGVkLnR4dDoKKyAgICAgICAgKiBmYXN0L2pzL3NjcmlwdC10ZXN0 cy9wYXJzZXItc3ludGF4LWNoZWNrLmpzOgorCiAyMDExLTAxLTE5ICBDaGFuZyBTaHUgIDxjaGFu Zy5zaHVAbm9raWEuY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IERhcmluIEFkbGVyLgpkaWZm IC0tZ2l0IGEvTGF5b3V0VGVzdHMvZmFzdC9qcy9wYXJzZXItc3ludGF4LWNoZWNrLWV4cGVjdGVk LnR4dCBiL0xheW91dFRlc3RzL2Zhc3QvanMvcGFyc2VyLXN5bnRheC1jaGVjay1leHBlY3RlZC50 eHQKaW5kZXggZWY2NzY0ZDVmODYxMjE4NGMzNDU1YzNhNjczNDAyOTQ1N2U2NjhmMS4uZWQ3MWQw YjYwNzM5MGVkNzQwMDc4YWRkNzAzOGE1YzE3NWJjOWQyYiAxMDA2NDQKLS0tIGEvTGF5b3V0VGVz dHMvZmFzdC9qcy9wYXJzZXItc3ludGF4LWNoZWNrLWV4cGVjdGVkLnR4dAorKysgYi9MYXlvdXRU ZXN0cy9mYXN0L2pzL3BhcnNlci1zeW50YXgtY2hlY2stZXhwZWN0ZWQudHh0CkBAIC01NDEsNiAr NTQxLDE0IEBAIFBBU1MgSW52YWxpZDogImZvcih2YXIgYSxiICd0aGlzIHNob3VsZG4ndCBiZSBh bGxvd2VkJyBmYWxzZSA7ICkgOyIKIFBBU1MgSW52YWxpZDogImZ1bmN0aW9uIGYoKSB7IGZvcih2 YXIgYSxiICd0aGlzIHNob3VsZG4ndCBiZSBhbGxvd2VkJyBmYWxzZSA7ICkgOyB9IgogUEFTUyBJ bnZhbGlkOiAiZm9yKHZhciBhLGIgJyIKIFBBU1MgSW52YWxpZDogImZ1bmN0aW9uIGYoKSB7IGZv cih2YXIgYSxiICcgfSIKK1BBU1MgSW52YWxpZDogImZ1bmN0aW9uIF9fcHJvdG9fXygpe30iCitQ QVNTIEludmFsaWQ6ICJmdW5jdGlvbiBmKCkgeyBmdW5jdGlvbiBfX3Byb3RvX18oKXt9IH0iCitQ QVNTIEludmFsaWQ6ICIoZnVuY3Rpb24gX19wcm90b19fKCl7fSkiCitQQVNTIEludmFsaWQ6ICJm dW5jdGlvbiBmKCkgeyAoZnVuY3Rpb24gX19wcm90b19fKCl7fSkgfSIKK1BBU1MgSW52YWxpZDog Iid1c2Ugc3RyaWN0JzsgZnVuY3Rpb24gX19wcm90b19fKCl7fSIKK1BBU1MgSW52YWxpZDogImZ1 bmN0aW9uIGYoKSB7ICd1c2Ugc3RyaWN0JzsgZnVuY3Rpb24gX19wcm90b19fKCl7fSB9IgorUEFT UyBJbnZhbGlkOiAiJ3VzZSBzdHJpY3QnOyAoZnVuY3Rpb24gX19wcm90b19fKCl7fSkiCitQQVNT IEludmFsaWQ6ICJmdW5jdGlvbiBmKCkgeyAndXNlIHN0cmljdCc7IChmdW5jdGlvbiBfX3Byb3Rv X18oKXt9KSB9IgogUEFTUyBzdWNjZXNzZnVsbHlQYXJzZWQgaXMgdHJ1ZQogCiBURVNUIENPTVBM RVRFCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9mYXN0L2pzL3NjcmlwdC10ZXN0cy9wYXJzZXIt c3ludGF4LWNoZWNrLmpzIGIvTGF5b3V0VGVzdHMvZmFzdC9qcy9zY3JpcHQtdGVzdHMvcGFyc2Vy LXN5bnRheC1jaGVjay5qcwppbmRleCA0NDI0ZTUwMWU5MDViZjhmZDNmMjBkNjdhZWRjMzVkZDgy MDkzZjNjLi42MTQ1NWFjMjUyMjc4ZTZlYTRjYjM5ODRhNzUxNTlkZjNhZTI1ZDViIDEwMDY0NAot LS0gYS9MYXlvdXRUZXN0cy9mYXN0L2pzL3NjcmlwdC10ZXN0cy9wYXJzZXItc3ludGF4LWNoZWNr LmpzCisrKyBiL0xheW91dFRlc3RzL2Zhc3QvanMvc2NyaXB0LXRlc3RzL3BhcnNlci1zeW50YXgt Y2hlY2suanMKQEAgLTM0Niw0ICszNDYsOSBAQCBpbnZhbGlkKCJMOiBMMTogTDI6IEwzOiBMNDog TDogOyIpOwogaW52YWxpZCgiZm9yKHZhciBhLGIgJ3RoaXMgc2hvdWxkblwndCBiZSBhbGxvd2Vk JyBmYWxzZSA7ICkgOyIpOwogaW52YWxpZCgiZm9yKHZhciBhLGIgJyIpOwogCitpbnZhbGlkKCJm dW5jdGlvbiBfX3Byb3RvX18oKXt9IikKK2ludmFsaWQoIihmdW5jdGlvbiBfX3Byb3RvX18oKXt9 KSIpCitpbnZhbGlkKCIndXNlIHN0cmljdCc7IGZ1bmN0aW9uIF9fcHJvdG9fXygpe30iKQoraW52 YWxpZCgiJ3VzZSBzdHJpY3QnOyAoZnVuY3Rpb24gX19wcm90b19fKCl7fSkiKQorCiB2YXIgc3Vj Y2Vzc2Z1bGx5UGFyc2VkID0gdHJ1ZTsKZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29y ZS9DaGFuZ2VMb2cgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCmluZGV4IDRhYmU3 ZTEzMzc1ZWUxMzcxYzY4MzlhNjFlZDcyYjRmNGMwYzhlMDAuLjdkMzg2NjZiZTk1NTgwODUxNjlm YWUzZDVhNDRlZjM0MmMzZWM4N2UgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9D aGFuZ2VMb2cKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsx LDE3IEBACisyMDExLTAxLTE5ICBPbGl2ZXIgSHVudCAgPG9saXZlckBhcHBsZS5jb20+CisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgW2pzZnVuZnV6el0g RGVmaW5pbmcgYSBmdW5jdGlvbiBjYWxsZWQgX19wcm90b19fIGluc2lkZSBhbiBldmFsIHRyaWdn ZXJzIGFuIGFzc2VydGlvbgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1 Zy5jZ2k/aWQ9NTI2NzIKKworICAgICAgICBSYXRoZXIgdGhhbiBjb21pbmcgdXAgd2l0aCBhIHNv bWV3aGF0IGNvbnZvbHV0ZWQgbWVjaGFuaXNtIHRvIGVuc3VyZSB0aGF0CisgICAgICAgIGRldmVs b3BlcnMgY2FuIG92ZXJyaWRlIHRoZSBnbG9iYWwgb2JqZWN0cyBwcm90b3R5cGUgd2l0aCBhIGZ1 bmN0aW9uIG5hbWVkCisgICAgICAgIF9fcHJvdG9fXyBhbmQgZXhwZWN0IGl0IHRvIHdvcmssIHdl IGp1c3QgZGlzYWxsb3cgaXQgYXQgdGhlIHN5bnRheCBsZXZlbC4KKworICAgICAgICAqIHBhcnNl ci9KU1BhcnNlci5jcHA6CisgICAgICAgIChKU0M6OkpTUGFyc2VyOjpwYXJzZUZ1bmN0aW9uSW5m byk6CisKIDIwMTEtMDEtMTkgIE1pY2hhZWwgU2Fib2ZmICA8bXNhYm9mZkBhcHBsZS5jb20+CiAK ICAgICAgICAgUmV2aWV3ZWQgYnkgRGFyaW4gQWRsZXIuCmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2 YVNjcmlwdENvcmUvcGFyc2VyL0pTUGFyc2VyLmNwcCBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9w YXJzZXIvSlNQYXJzZXIuY3BwCmluZGV4IDM3YjdmOTBmNjgyMzBlMjRlN2I2YzU4ZjA3ZWZmNTgw YWMzOGEzMGIuLjFmZjUwOTA4MjZiMWY4MDM3ODQ3ZjA4NjY0ZjQxZTA3ZGQ1MGFkMzYgMTAwNjQ0 Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9wYXJzZXIvSlNQYXJzZXIuY3BwCisrKyBiL1Nv dXJjZS9KYXZhU2NyaXB0Q29yZS9wYXJzZXIvSlNQYXJzZXIuY3BwCkBAIC0xMjIzLDYgKzEyMjMs NyBAQCB0ZW1wbGF0ZSA8SlNQYXJzZXI6OkZ1bmN0aW9uUmVxdWlyZW1lbnRzIHJlcXVpcmVtZW50 cywgYm9vbCBuYW1lSXNJbkNvbnRhaW5pbmdTYwogICAgIGZ1bmN0aW9uU2NvcGUtPnNldElzRnVu Y3Rpb24oKTsKICAgICBpZiAobWF0Y2goSURFTlQpKSB7CiAgICAgICAgIG5hbWUgPSBtX3Rva2Vu Lm1fZGF0YS5pZGVudDsKKyAgICAgICAgZmFpbElmVHJ1ZSgqbmFtZSA9PSBtX2dsb2JhbERhdGEt PnByb3BlcnR5TmFtZXMtPnVuZGVyc2NvcmVQcm90byk7CiAgICAgICAgIG5leHQoKTsKICAgICAg ICAgaWYgKCFuYW1lSXNJbkNvbnRhaW5pbmdTY29wZSkKICAgICAgICAgICAgIGZhaWxJZkZhbHNl SWZTdHJpY3QoZnVuY3Rpb25TY29wZS0+ZGVjbGFyZVZhcmlhYmxlKG5hbWUpKTsK