Bug 1449540 - Allow modification of ArrayBuffer's __proto__. r=jorendorff
authorAshley Hauck <khyperia@mozilla.com>
Wed, 22 Aug 2018 09:33:00 -0400
changeset 481207 145d39cf7ff287c256837ba3104d633df14b6eaf
parent 481206 e68b064f46b923537160bf4b779edc1396cdf3b5
child 481208 40ee8078a913d4377527f577151433218fef8bb8
push id232
push userfmarier@mozilla.com
push dateWed, 05 Sep 2018 20:45:54 +0000
reviewersjorendorff
bugs1449540
milestone63.0a1
Bug 1449540 - Allow modification of ArrayBuffer's __proto__. r=jorendorff
js/src/jit-test/tests/auto-regress/bug666599.js
js/src/tests/non262/Proxy/regress-bug950407.js
js/src/tests/non262/regress/regress-665355.js
js/src/vm/JSObject.cpp
--- a/js/src/jit-test/tests/auto-regress/bug666599.js
+++ b/js/src/jit-test/tests/auto-regress/bug666599.js
@@ -1,10 +1,8 @@
-// |jit-test| error:TypeError
-
 // Binary: cache/js-dbg-32-0428dbdf3d58-linux
 // Flags:
 //
 o1 = new Float32Array().buffer
 o2 = ArrayBuffer.prototype
 o3 = new Uint32Array().buffer
 for (i = 0; i < 2; i++) {
     for (var x in o2) {
--- a/js/src/tests/non262/Proxy/regress-bug950407.js
+++ b/js/src/tests/non262/Proxy/regress-bug950407.js
@@ -1,11 +1,7 @@
 var ab = new ArrayBuffer(5);
 var p = new Proxy(ab, {});
 var ps = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__").set;
-var threw = 0;
-try {
-    ps.call(p, {});
-} catch(ex) {
-    threw = 1;
-}
+var new_proto = {};
+ps.call(p, new_proto);
 
-reportCompare(1, threw, "Setting __proto__ on a proxy to an ArrayBuffer must throw.");
+reportCompare(ab.__proto__, new_proto);
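Review bot: The new assertion only confirms that the prototype was swapped through the proxy; `ab` is never used afterwards. The guard removed from js/src/vm/JSObject.cpp in this commit cited ArrayBuffer delegate-object complications, and nothing here exercises the buffer once its prototype has changed. I would add a functional check such as `assertEq(new Uint8Array(ab).length, 5);`, plus `assertEq(Object.getPrototypeOf(p), new_proto);` for the proxy side. As a style point, the removed line shows the harness order is `reportCompare(expected, actual, description)`, so this reads better as `reportCompare(new_proto, ab.__proto__, "...")` with a description string.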
--- a/js/src/tests/non262/regress/regress-665355.js
+++ b/js/src/tests/non262/regress/regress-665355.js
@@ -4,13 +4,16 @@ var test = function(newProto) {
 try {
     x.__proto__ = newProto;
     return false;
 } catch(e) {
     return true;
 }
 }
 
+// assert cycle doesn't work
 assertEq(test(x), true);
-assertEq(test({}), true);
-assertEq(test(null), true);
+
+// works
+assertEq(test({}), false);
+assertEq(test(null), false);
 
 reportCompare(true, true);
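Review bot: `test()` returning `false` only shows that `x.__proto__ = newProto` did not throw, not that the [[Prototype]] actually changed. Once the prototype chain no longer reaches the `__proto__` accessor (for example after `test(null)`), the same assignment would just create an own property and still return `false`, so the two new assertions pass only in this order and prove less than the `// works` comment suggests. I would follow them with a direct check such as `assertEq(Object.getPrototypeOf(x), null);` after the `test(null)` line. `x` and the opening of `test` are defined above the hunk, so this assumes `x` is the ArrayBuffer under test.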
--- a/js/src/vm/JSObject.cpp
+++ b/js/src/vm/JSObject.cpp
@@ -2679,27 +2679,16 @@ js::SetPrototype(JSContext* cx, HandleOb
     if (proto == obj->staticPrototype())
         return result.succeed();
 
     /* Disallow mutation of immutable [[Prototype]]s. */
     if (obj->staticPrototypeIsImmutable())
         return result.fail(JSMSG_CANT_SET_PROTO);
 
     /*
-     * Disallow mutating the [[Prototype]] on ArrayBuffer objects, which
-     * due to their complicated delegate-object shenanigans can't easily
-     * have a mutable [[Prototype]].
-     */
-    if (obj->is<ArrayBufferObject>()) {
-        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_CANT_SET_PROTO_OF,
-                                  "incompatible ArrayBuffer");
-        return false;
-    }
-
-    /*
      * Disallow mutating the [[Prototype]] on Typed Objects, per the spec.
      */
     if (obj->is<TypedObject>()) {
         JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_CANT_SET_PROTO_OF,
                                   "incompatible TypedObject");
         return false;
     }