Bug 873718 - Add a second argument to MakeConstructible, a value to be set as .prototype on the function. This ensures that .prototype is always an object, and that |new|ing the function will never invoke user-defined code trying to access the .prototype (and possibly hitting such a property along the prototype chain). r=till

--HG-- extra : rebase_source : 039448500590360f99e24350fdaa8da4c17f9487
2013-05-21 17:42:34 -07:00 · 2013-05-21 17:42:34 -07:00 · 902777362b
--- a/js/src/builtin/Utilities.js
+++ b/js/src/builtin/Utilities.js
@ -80,9 +80,8 @@ function List() {}
  ListProto.push = std_Array_push;
  ListProto.slice = std_Array_slice;
  ListProto.sort = std_Array_sort;
-  List.prototype = ListProto;
+  MakeConstructible(List, ListProto);
 }
-MakeConstructible(List);


 /********** Record specification type **********/
@ -92,7 +91,7 @@ MakeConstructible(List);
 function Record() {
    return std_Object_create(null);
 }
-MakeConstructible(Record);
+MakeConstructible(Record, {});


 /********** Abstract operations defined in ECMAScript Language Specification **********/
--- a/js/src/jit-test/tests/basic/construct-primitive-Function.prototype.prototype.js
+++ b/js/src/jit-test/tests/basic/construct-primitive-Function.prototype.prototype.js
@ -0,0 +1,5 @@
+Object.defineProperty(Function.prototype, "prototype", {
+  get: function() { throw 17; },
+  set: function() { throw 42; }
+});
+this.hasOwnProperty("Intl");
--- a/js/src/jit-test/tests/self-hosting/makeconstructible-function-inherited-prototype-property.js
+++ b/js/src/jit-test/tests/self-hosting/makeconstructible-function-inherited-prototype-property.js
@ -0,0 +1,3 @@
+var proxy = new Proxy({ get: function() { throw 42; } }, {});
+Function.prototype.__proto__ = proxy;
+this.hasOwnProperty("Intl");
--- a/js/src/vm/SelfHosting.cpp
+++ b/js/src/vm/SelfHosting.cpp
@ -140,10 +140,22 @@ static JSBool
 intrinsic_MakeConstructible(JSContext *cx, unsigned argc, Value *vp)
 {
    CallArgs args = CallArgsFromVp(argc, vp);
-    JS_ASSERT(args.length() >= 1);
+    JS_ASSERT(args.length() == 2);
    JS_ASSERT(args[0].isObject());
    JS_ASSERT(args[0].toObject().isFunction());
-    args[0].toObject().toFunction()->setIsSelfHostedConstructor();
+    JS_ASSERT(args[1].isObject());
+
+    // Normal .prototype properties aren't enumerable.  But for this to clone
+    // correctly, it must be enumerable.
+    RootedObject ctor(cx, &args[0].toObject());
+    if (!JSObject::defineProperty(cx, ctor, cx->names().classPrototype, args.handleAt(1),
+                                  JS_PropertyStub, JS_StrictPropertyStub,
+                                  JSPROP_READONLY | JSPROP_ENUMERATE | JSPROP_PERMANENT))
+    {
+        return false;
+    }
+
+    ctor->toFunction()->setIsSelfHostedConstructor();
    args.rval().setUndefined();
    return true;
 }