Do not innerize an object assigned to __proto__ or used as the target of a with statement. Bug 719841, r=mrbkap.

Bobby Holley ext:(%2C%20Jason%20Orendorff%20%3Cjorendorff%40mozilla.com%3E) 2012-01-27 14:16:27 -06:00
parent 957d0ea231
commit 67533cf65a
4 changed files with 9 additions and 18 deletions


@ -5669,6 +5669,9 @@ JSObject::splicePrototype(JSContext *cx, JSObject *proto)
*/ */
JS_ASSERT_IF(cx->typeInferenceEnabled(), hasSingletonType()); JS_ASSERT_IF(cx->typeInferenceEnabled(), hasSingletonType());
/* Inner objects may not appear on prototype chains. */
JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);
/* /*
* Force type instantiation when splicing lazy types. This may fail, * Force type instantiation when splicing lazy types. This may fail,
* in which case inference will be disabled for the compartment. * in which case inference will be disabled for the compartment.
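Review bot: The new check on line 15 is JS_ASSERT_IF, which compiles out of release builds, so the comment on line 14 should also say why an assertion rather than a runtime test is sufficient here — presumably that an inner object is never reachable by script and so cannot arrive via obj_setProto. The same applies to the identical assertion added in the TypeObject constructor in the next file. Suggested wording: `/* Inner objects may not appear on prototype chains. Callers must guarantee this; it is only asserted in debug builds. */`. splicePrototype's body continues outside the hunk.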


@ -1159,6 +1159,9 @@ inline TypeObject::TypeObject(JSObject *proto, bool function, bool unknown)
{ {
PodZero(this); PodZero(this);
/* Inner objects may not appear on prototype chains. */
JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);
this->proto = proto; this->proto = proto;
if (function) if (function)


@ -1014,10 +1014,6 @@ EnterWith(JSContext *cx, jsint stackIndex)
if (!parent) if (!parent)
return JS_FALSE; return JS_FALSE;
OBJ_TO_INNER_OBJECT(cx, obj);
if (!obj)
return JS_FALSE;
JSObject *withobj = WithObject::create(cx, fp, *obj, *parent, JSObject *withobj = WithObject::create(cx, fp, *obj, *parent,
sp + stackIndex - fp->base()); sp + stackIndex - fp->base());
if (!withobj) if (!withobj)
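Review bot: Dropping the OBJ_TO_INNER_OBJECT call leaves obj unchecked before it is passed to WithObject::create, whereas the other two hunks of this commit pair the removed innerization with an assertion on the object they now accept as-is. If the same invariant is meant to hold for with targets, add `JS_ASSERT(!obj->getClass()->ext.outerObject);` with a one-line comment before the create call so debug builds catch a violation here too. The enclosing EnterWith starts outside the hunk, so where obj comes from is not visible here.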


@ -186,26 +186,15 @@ obj_setProto(JSContext *cx, JSObject *obj, jsid id, JSBool strict, Value *vp)
} }
if (!vp->isObjectOrNull()) if (!vp->isObjectOrNull())
return JS_TRUE; return true;
JSObject *pobj = vp->toObjectOrNull(); JSObject *pobj = vp->toObjectOrNull();
if (pobj) {
/*
* Innerize pobj here to avoid sticking unwanted properties on the
* outer object. This ensures that any with statements only grant
* access to the inner object.
*/
OBJ_TO_INNER_OBJECT(cx, pobj);
if (!pobj)
return JS_FALSE;
}
uintN attrs; uintN attrs;
id = ATOM_TO_JSID(cx->runtime->atomState.protoAtom); id = ATOM_TO_JSID(cx->runtime->atomState.protoAtom);
if (!CheckAccess(cx, obj, id, JSAccessMode(JSACC_PROTO|JSACC_WRITE), vp, &attrs)) if (!CheckAccess(cx, obj, id, JSAccessMode(JSACC_PROTO|JSACC_WRITE), vp, &attrs))
return JS_FALSE; return false;
return SetProto(cx, obj, pobj, JS_TRUE); return SetProto(cx, obj, pobj, true);
} }
#else /* !JS_HAS_OBJ_PROTO_PROP */ #else /* !JS_HAS_OBJ_PROTO_PROP */
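Review bot: The removed block was the only place that recorded why the prototype used to be innerized (keeping unwanted properties off the outer object and limiting what with statements expose), and the new code leaves no note of why that concern no longer applies, so a reader now sees pobj handed straight to SetProto with no explanation. Suggest a comment after the pobj declaration: `/* Do not innerize pobj: inner objects may not appear on prototype chains, so the object script handed us is kept as-is (asserted in JSObject::splicePrototype). */`. No null handling is lost, since isObjectOrNull is checked above and the pre-change code also passed a possibly-null pobj to SetProto; I am assuming SetProto accepts null. obj_setProto's opening lines are outside the hunk.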