Bug 957688 - Remove side-effect-free calls to js::CheckAccess. r=mrbkap

js::CheckAccess has all sorts of crazy side-effects on its parameters. Luckily,
they mostly happen on dead values.

We have to alter a jit-test that previously threw, and doesn't anymore. I have
confirmed that the reason for throwing was not the security check itself, but
rather the lookupGeneric call that happens inside js::CheckAccess, which ends
up throwing 'undefined is not a function'. It seems like this is just an issue
of calling lookupGeneric when we shouldn't, and that the correct behavior here
is not to throw.
This commit is contained in:
Bobby Holley
2014-01-24 16:08:24 -08:00
parent 5125586310
commit c3cd15a3a3
5 changed files with 2 additions and 54 deletions

@@ -583,15 +583,6 @@ DefinePropertyOnObject(JSContext *cx, HandleObject obj, HandleId id, const PropD
JS_ASSERT(desc.isAccessorDescriptor());
/*
* Getters and setters are just like watchpoints from an access
* control point of view.
*/
RootedValue dummy(cx);
unsigned dummyAttrs;
if (!CheckAccess(cx, obj, id, JSACC_WATCH, &dummy, &dummyAttrs))
return false;
RootedValue tmp(cx, UndefinedValue());
return baseops::DefineGeneric(cx, obj, id, tmp,
desc.getter(), desc.setter(), desc.attributes());
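Review bot: With the `CheckAccess(cx, obj, id, JSACC_WATCH, &dummy, &dummyAttrs)` guard gone, this accessor-descriptor branch goes straight from `JS_ASSERT(desc.isAccessorDescriptor())` to `baseops::DefineGeneric` with no access decision in between. The outputs `dummy` and `dummyAttrs` are not read in the lines shown, so dropping them is fine, but the call could also return false, and the commit message says the lookupGeneric inside it could throw. Please state in the commit message or a short comment that defining a getter/setter on `obj` is intentionally no longer gated here, and have the altered jit-test assert the new non-throwing result instead of only dropping the old expectation.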
@@ -815,14 +806,6 @@ DefinePropertyOnObject(JSContext *cx, HandleObject obj, HandleId id, const PropD
} else {
JS_ASSERT(desc.isAccessorDescriptor());
/*
* Getters and setters are just like watchpoints from an access
* control point of view.
*/
RootedValue dummy(cx);
if (!CheckAccess(cx, obj2, id, JSACC_WATCH, &dummy, &attrs))
return false;
/* 8.12.9 step 12. */
unsigned changed = 0;
if (desc.hasConfigurable())
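Review bot: The removed call in this hunk wrote into `attrs` (`&attrs`), not a throwaway local as in the first hunk, so it is not obviously one of the "dead values" the commit message relies on. Please confirm that `attrs` is assigned elsewhere before any later read in this branch (the "8.12.9 step 12" code that follows), and say so in the commit message; if nothing else sets it, initialise it explicitly at its declaration.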
@@ -5253,15 +5236,6 @@ bool
js::WatchGuts(JSContext *cx, JS::HandleObject origObj, JS::HandleId id, JS::HandleObject callable)
{
RootedObject obj(cx, GetInnerObject(cx, origObj));
if (origObj != obj) {
// If by unwrapping and innerizing, we changed the object, check again
// to make sure that we're allowed to set a watch point.
RootedValue v(cx);
unsigned attrs;
if (!CheckAccess(cx, obj, id, JSACC_WATCH, &v, &attrs))
return false;
}
if (obj->isNative()) {
// Use sparse indexes for watched objects, as dense elements can be
// written to without checking the watchpoint map.
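Review bot: The block under `if (origObj != obj)` was the one place in the lines shown where `WatchGuts` re-validated access after `GetInnerObject` substituted a different object, and its comment stated that intent ("check again to make sure that we're allowed to set a watch point"). With it gone, the function continues to `obj->isNative()` on the inner object with no access decision of its own. Please leave a one-line comment saying where that decision is now made, or that none is required, and add a jit-test that sets a watchpoint through an object whose inner object differs from it.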