зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1283448 - Freeze module objects before they are passed back to the caller r=shu
Родитель
30cb0bf87f
Коммит
82ee97156b
|
@ -722,36 +722,46 @@ FreezeObjectProperty(JSContext* cx, HandleNativeObject obj, uint32_t slot)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* static */ bool
|
/* static */ bool
|
||||||
ModuleObject::FreezeArrayProperties(JSContext* cx, HandleModuleObject self)
|
ModuleObject::Freeze(JSContext* cx, HandleModuleObject self)
|
||||||
{
|
{
|
||||||
return FreezeObjectProperty(cx, self, RequestedModulesSlot) &&
|
return FreezeObjectProperty(cx, self, RequestedModulesSlot) &&
|
||||||
FreezeObjectProperty(cx, self, ImportEntriesSlot) &&
|
FreezeObjectProperty(cx, self, ImportEntriesSlot) &&
|
||||||
FreezeObjectProperty(cx, self, LocalExportEntriesSlot) &&
|
FreezeObjectProperty(cx, self, LocalExportEntriesSlot) &&
|
||||||
FreezeObjectProperty(cx, self, IndirectExportEntriesSlot) &&
|
FreezeObjectProperty(cx, self, IndirectExportEntriesSlot) &&
|
||||||
FreezeObjectProperty(cx, self, StarExportEntriesSlot);
|
FreezeObjectProperty(cx, self, StarExportEntriesSlot) &&
|
||||||
|
FreezeObject(cx, self);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline void
|
|
||||||
AssertObjectPropertyFrozen(JSContext* cx, HandleNativeObject obj, uint32_t slot)
|
|
||||||
{
|
|
||||||
#ifdef DEBUG
|
#ifdef DEBUG
|
||||||
|
|
||||||
|
static inline bool
|
||||||
|
IsObjectFrozen(JSContext* cx, HandleObject obj)
|
||||||
|
{
|
||||||
bool frozen = false;
|
bool frozen = false;
|
||||||
RootedObject property(cx, &obj->getSlot(slot).toObject());
|
MOZ_ALWAYS_TRUE(TestIntegrityLevel(cx, obj, IntegrityLevel::Frozen, &frozen));
|
||||||
MOZ_ALWAYS_TRUE(TestIntegrityLevel(cx, property, IntegrityLevel::Frozen, &frozen));
|
return frozen;
|
||||||
MOZ_ASSERT(frozen);
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* static */ inline void
|
static inline bool
|
||||||
ModuleObject::AssertArrayPropertiesFrozen(JSContext* cx, HandleModuleObject self)
|
IsObjectPropertyFrozen(JSContext* cx, HandleNativeObject obj, uint32_t slot)
|
||||||
{
|
{
|
||||||
AssertObjectPropertyFrozen(cx, self, RequestedModulesSlot);
|
RootedObject property(cx, &obj->getSlot(slot).toObject());
|
||||||
AssertObjectPropertyFrozen(cx, self, ImportEntriesSlot);
|
return IsObjectFrozen(cx, property);
|
||||||
AssertObjectPropertyFrozen(cx, self, LocalExportEntriesSlot);
|
|
||||||
AssertObjectPropertyFrozen(cx, self, IndirectExportEntriesSlot);
|
|
||||||
AssertObjectPropertyFrozen(cx, self, StarExportEntriesSlot);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* static */ inline bool
|
||||||
|
ModuleObject::IsFrozen(JSContext* cx, HandleModuleObject self)
|
||||||
|
{
|
||||||
|
return IsObjectPropertyFrozen(cx, self, RequestedModulesSlot) &&
|
||||||
|
IsObjectPropertyFrozen(cx, self, ImportEntriesSlot) &&
|
||||||
|
IsObjectPropertyFrozen(cx, self, LocalExportEntriesSlot) &&
|
||||||
|
IsObjectPropertyFrozen(cx, self, IndirectExportEntriesSlot) &&
|
||||||
|
IsObjectPropertyFrozen(cx, self, StarExportEntriesSlot) &&
|
||||||
|
IsObjectFrozen(cx, self);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
inline static void
|
inline static void
|
||||||
AssertModuleScopesMatch(ModuleObject* module)
|
AssertModuleScopesMatch(ModuleObject* module)
|
||||||
{
|
{
|
||||||
|
@ -858,7 +868,7 @@ ModuleObject::noteFunctionDeclaration(ExclusiveContext* cx, HandleAtom name, Han
|
||||||
/* static */ bool
|
/* static */ bool
|
||||||
ModuleObject::instantiateFunctionDeclarations(JSContext* cx, HandleModuleObject self)
|
ModuleObject::instantiateFunctionDeclarations(JSContext* cx, HandleModuleObject self)
|
||||||
{
|
{
|
||||||
AssertArrayPropertiesFrozen(cx, self);
|
MOZ_ASSERT(IsFrozen(cx, self));
|
||||||
|
|
||||||
FunctionDeclarationVector* funDecls = self->functionDeclarations();
|
FunctionDeclarationVector* funDecls = self->functionDeclarations();
|
||||||
if (!funDecls) {
|
if (!funDecls) {
|
||||||
|
@ -896,7 +906,7 @@ ModuleObject::setEvaluated()
|
||||||
/* static */ bool
|
/* static */ bool
|
||||||
ModuleObject::evaluate(JSContext* cx, HandleModuleObject self, MutableHandleValue rval)
|
ModuleObject::evaluate(JSContext* cx, HandleModuleObject self, MutableHandleValue rval)
|
||||||
{
|
{
|
||||||
AssertArrayPropertiesFrozen(cx, self);
|
MOZ_ASSERT(IsFrozen(cx, self));
|
||||||
|
|
||||||
RootedScript script(cx, self->script());
|
RootedScript script(cx, self->script());
|
||||||
RootedModuleEnvironmentObject scope(cx, self->environment());
|
RootedModuleEnvironmentObject scope(cx, self->environment());
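Review bot: In `instantiateFunctionDeclarations` and `evaluate` the frozen state is checked only through `MOZ_ASSERT(IsFrozen(cx, self))`, and `IsFrozen` is itself compiled under `#ifdef DEBUG`, so release builds rely entirely on every producer of a ModuleObject having called `ModuleObject::Freeze` first. The commit updates two callers, `frontend::CompileModule` and `GlobalHelperThreadState::finishModuleParseTask`; whether any other path can hand a module back to script is not visible here and is worth confirming. A comment on `Freeze` stating the contract would help, for example `// Must succeed before the module is exposed to script: freezes the entry arrays and the module object itself.`, and the same sentence fits the declaration in the class. The bodies of both asserting functions continue outside the hunks.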
|
||||||
|
|
|
@ -236,8 +236,10 @@ class ModuleObject : public NativeObject
|
||||||
HandleArrayObject localExportEntries,
|
HandleArrayObject localExportEntries,
|
||||||
HandleArrayObject indiretExportEntries,
|
HandleArrayObject indiretExportEntries,
|
||||||
HandleArrayObject starExportEntries);
|
HandleArrayObject starExportEntries);
|
||||||
static bool FreezeArrayProperties(JSContext* cx, HandleModuleObject self);
|
static bool Freeze(JSContext* cx, HandleModuleObject self);
|
||||||
static void AssertArrayPropertiesFrozen(JSContext* cx, HandleModuleObject self);
|
#ifdef DEBUG
|
||||||
|
static bool IsFrozen(JSContext* cx, HandleModuleObject self);
|
||||||
|
#endif
|
||||||
void fixScopesAfterCompartmentMerge(JSContext* cx);
|
void fixScopesAfterCompartmentMerge(JSContext* cx);
|
||||||
|
|
||||||
JSScript* script() const;
|
JSScript* script() const;
|
||||||
|
|
|
@ -801,7 +801,7 @@ frontend::CompileModule(JSContext* cx, const ReadOnlyCompileOptions& options,
|
||||||
|
|
||||||
// This happens in GlobalHelperThreadState::finishModuleParseTask() when a
|
// This happens in GlobalHelperThreadState::finishModuleParseTask() when a
|
||||||
// module is compiled off main thread.
|
// module is compiled off main thread.
|
||||||
if (!ModuleObject::FreezeArrayProperties(cx->asJSContext(), module))
|
if (!ModuleObject::Freeze(cx->asJSContext(), module))
|
||||||
return nullptr;
|
return nullptr;
|
||||||
|
|
||||||
return module;
|
return module;
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
// |jit-test| error: TypeError
|
||||||
|
|
||||||
|
let moduleRepo = {};
|
||||||
|
setModuleResolveHook(function(module, specifier) {
|
||||||
|
return moduleRepo[specifier];
|
||||||
|
});
|
||||||
|
let a = moduleRepo['a'] = parseModule("var x = 1; export { x };");
|
||||||
|
let b = moduleRepo['b'] = parseModule("import { x as y } from 'a';");
|
||||||
|
a.__proto__ = {15: 1337};
|
||||||
|
b.declarationInstantiation();
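Review bot: The `// |jit-test| error: TypeError` directive accepts a TypeError raised by any statement in the file, so the test would still pass if the failure moved from the `a.__proto__ = {15: 1337};` assignment to `parseModule` or `declarationInstantiation`. Presumably the intended failure is the prototype assignment on the now-frozen module object. Pinning it there with `assertThrowsInstanceOf(() => { a.__proto__ = {15: 1337}; }, TypeError);`, after loading the shared asserts library, would tie the test to the freeze. It would also let `b.declarationInstantiation();` actually run, which as written is never reached if the assignment throws.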
|
|
@ -1215,7 +1215,7 @@ GlobalHelperThreadState::finishModuleParseTask(JSContext* maybecx, JSRuntime* rt
|
||||||
JSContext* cx = maybecx;
|
JSContext* cx = maybecx;
|
||||||
RootedModuleObject module(cx, script->module());
|
RootedModuleObject module(cx, script->module());
|
||||||
module->fixScopesAfterCompartmentMerge(cx);
|
module->fixScopesAfterCompartmentMerge(cx);
|
||||||
if (!ModuleObject::FreezeArrayProperties(cx, module))
|
if (!ModuleObject::Freeze(cx, module))
|
||||||
return nullptr;
|
return nullptr;
|
||||||
|
|
||||||
return module;
|
return module;
|
||||||
|
|