Bug 1021258 - Restore the __proto__ mutation warning for __proto__ sets. r=luke
authorBobby Holley <bobbyholley@gmail.com>
Fri, 06 Jun 2014 12:21:36 +0100
changeset 207394 31c707eb3a4b5e747521aadd1eade1284bb9a8e9
parent 207393 85aa4fe910e7d58a762348c368633dd105f1a21c
child 207395 7146e89a7b8333c76267d4d8fb40cc6cae552567
child 207504 d717efc44fd31b716e3b877c503d555f4a47aa7c
push id494
push userraliiev@mozilla.com
push dateMon, 25 Aug 2014 18:42:16 +0000
reviewersluke
bugs1021258
milestone32.0a1
Bug 1021258 - Restore the __proto__ mutation warning for __proto__ sets. r=luke
js/src/builtin/Object.cpp
js/xpconnect/tests/mochitest/mochitest.ini
js/xpconnect/tests/mochitest/test_bug1021258.html
--- a/js/src/builtin/Object.cpp
+++ b/js/src/builtin/Object.cpp
@@ -1058,16 +1058,24 @@ ProtoGetter(JSContext *cx, unsigned argc
 namespace js {
 size_t sSetProtoCalled = 0;
 }
 
 static bool
 ProtoSetter(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
+
+    // Do this here, rather than after the this-check so even likely-buggy
+    // use of the __proto__ setter on unacceptable values, where no subsequent
+    // use occurs on an acceptable value, will trigger a warning.
+    RootedObject callee(cx, &args.callee());
+    if (!GlobalObject::warnOnceAboutPrototypeMutation(cx, callee))
+       return false;
+
     HandleValue thisv = args.thisv();
     if (thisv.isNullOrUndefined()) {
         ReportIncompatible(cx, args);
         return false;
     }
     if (thisv.isPrimitive()) {
         // Mutating a boxed primitive's [[Prototype]] has no side effects.
         args.rval().setUndefined();
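Review bot: The `return false;` under the new `if (!GlobalObject::warnOnceAboutPrototypeMutation(cx, callee))` is indented seven spaces where the surrounding code steps by four, so it should sit at eight. Because the warning call now runs ahead of the this-check, a failure from it also preempts `ReportIncompatible` and the silent no-op path for a primitive `this`. If the warning can be promoted to an error (presumably under a warnings-as-errors option, which is not visible here), the comment should say that this ordering is intended, e.g. `// A failed warning report aborts the setter even for |this| values that would otherwise be ignored.` ProtoSetter's body continues past the end of the hunk.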
--- a/js/xpconnect/tests/mochitest/mochitest.ini
+++ b/js/xpconnect/tests/mochitest/mochitest.ini
@@ -86,15 +86,16 @@ support-files =
 [test_bug916945.html]
 [test_bug92773.html]
 [test_bug940783.html]
 [test_bug965082.html]
 [test_bug960820.html]
 [test_bug986542.html]
 [test_bug993423.html]
 [test_bug1005806.html]
+[test_bug1021258.html]
 [test_crosscompartment_weakmap.html]
 [test_frameWrapping.html]
 # The JS test component we use below is only available in debug builds.
 [test_getWebIDLCaller.html]
 skip-if = (debug == false || os == "android")
 [test_nac.xhtml]
 [test_sameOriginPolicy.html]
new file mode 100644
--- /dev/null
+++ b/js/xpconnect/tests/mochitest/test_bug1021258.html
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1021258
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1021258</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for proto mutation warnings. **/
+
+  SimpleTest.waitForExplicitFinish();
+  var gLoads = 0;
+  function loaded() {
+    switch (++gLoads) {
+      case 1:
+        info("First load");
+        SimpleTest.monitorConsole(function() { window[0].location.reload(true); },
+                                  [ { message: /mutating/ } ], /* forbidUnexpectedMessages = */ true);
+        window[0].eval('var foo = {}; Object.setPrototypeOf(foo, {});' +
+                       'var bar = {}; Object.getPrototypeOf(bar, {});');
+        SimpleTest.endMonitorConsole();
+        break;
+      case 2:
+        info("Second load");
+        SimpleTest.monitorConsole(SimpleTest.finish.bind(SimpleTest),
+                                  [ { message: /mutating/ } ], /* forbidUnexpectedMessages = */ true);
+        window[0].eval('var foo = {}; foo.__proto__ = {};' +
+                       'var bar = {}; bar.__proto__ = {};');
+        SimpleTest.endMonitorConsole();
+        break;
+      case 3:
+        ok(false, "Shouldn't have 3 loads!");
+    }
+  }
+
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1021258">Mozilla Bug 1021258</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+</pre>
+<iframe id="ifr" src="file_empty.html" onload="loaded();"></iframe>
+</body>
+</html>
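Review bot: In the first-load case the second statement is `Object.getPrototypeOf(bar, {})`, which mutates nothing and ignores its extra argument, so that load performs only one mutation and cannot show that a second `Object.setPrototypeOf` call in the same global stays silent. The second load does check this for `__proto__`, with two sets and one expected message, so the first load was probably meant to mirror it with `'var bar = {}; Object.setPrototypeOf(bar, {});'`. If the `getPrototypeOf` call is deliberate, to show that reads do not warn, drop the stray `{}` argument and add a comment such as `// getPrototypeOf must not trigger the mutation warning`. Independently, the `/mutating/` pattern is loose enough to match any console message that contains that word, so a tighter expression on the warning text would make `forbidUnexpectedMessages` more meaningful.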