REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
https://bugs.webkit.org/show_bug.cgi?id=142410
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
Before this patch, added function JSValue::toPropertyKey returns PropertyName.
Since PropertyName doesn't have AtomicStringImpl ownership,
if Identifier is implicitly converted to PropertyName and Identifier is destructed,
PropertyName may refer freed AtomicStringImpl*.
This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
to keep AtomicStringImpl* ownership after the toPropertyName call is done.
And receive the result value as Identifier type to keep ownership in the caller side.
To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
However, now we don't need to have both Identifier and PropertyName.
So we'll merge PropertyName to Identifier in the subsequent patch.
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* jit/JITOperations.cpp:
(JSC::getByVal):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toPropertyKey):
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetOwnPropertyDescriptor):
(JSC::objectConstructorDefineProperty):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncPropertyIsEnumerable):
Source/WebCore:
The same issues are found in the existing code; PropertyName does not have ownership.
This patch rewrite the point that should have ownership to Identifier.
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
(WebCore::JSDOMWindow::putByIndex):
* bindings/js/ReadableStreamJSSource.cpp:
(WebCore::getInternalSlotFromObject):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
(WebCore::JSTestCustomNamedGetter::getOwnPropertySlotByIndex):
* bindings/scripts/test/JS/JSTestEventTarget.cpp:
(WebCore::JSTestEventTarget::getOwnPropertySlotByIndex):
* bindings/scripts/test/JS/JSTestInterface.cpp:
(WebCore::JSTestInterface::putByIndex):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@181814 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index dd5e71c..02077c5 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -111,7 +111,7 @@
}
// Don't put to an object if toString throws an exception.
- PropertyName propertyName = property.toPropertyKey(exec);
+ auto propertyName = property.toPropertyKey(exec);
if (!vm->exception()) {
PutPropertySlot slot(baseValue, strict);
if (direct) {
@@ -296,7 +296,7 @@
}
}
- PropertyName propertyName = property.toPropertyKey(exec);
+ auto propertyName = property.toPropertyKey(exec);
return JSValue::encode(baseValue.get(exec, propertyName));
}
@@ -324,7 +324,7 @@
}
}
- PropertyName propertyName = property.toPropertyKey(exec);
+ auto propertyName = property.toPropertyKey(exec);
return JSValue::encode(JSValue(base).get(exec, propertyName));
}
