Three checks are missing in Proxy internal methods

shvaikalesh · webkit-commit-queue · commit 79b967c00608 · 2019-07-25T02:09:42.000Z
https://bugs.webkit.org/show_bug.cgi?id=198630 Patch by Alexey Shvayka <shvaikalesh@gmail.com> on 2019-07-24 Reviewed by Darin Adler. JSTests: * stress/proxy-delete.js: Assert isExtensible is called in correct order. * test262/expectations.yaml: Mark 6 test cases as passing. Source/JavaScriptCore: Add three missing checks in Proxy internal methods. These checks are necessary to maintain the invariants of the essential internal methods. (tc39/ecma262#666) 1. [[GetOwnProperty]] shouldn't return non-configurable and non-writable descriptor when the target's property is writable. 2. [[Delete]] should return `false` when the target has property and is not extensible. 3. [[DefineOwnProperty]] should return `true` for a non-writable input descriptor when the target's property is non-configurable and writable. Shipping in SpiderMonkey since https://hg.mozilla.org/integration/autoland/rev/3a06bc818bc4 (version 69) Shipping in V8 since https://chromium.googlesource.com/v8/v8.git/+/e846ad9fa5109428be50b1989314e0e4e7267919 * runtime/ProxyObject.cpp: (JSC::ProxyObject::performInternalMethodGetOwnProperty): Add writability check. (JSC::ProxyObject::performDelete): Add extensibility check. (JSC::ProxyObject::performDefineOwnProperty): Add writability check. Canonical link: https://commits.webkit.org/213935@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247811 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Three checks are missing in Proxy internal methods
+        https://bugs.webkit.org/show_bug.cgi?id=198630
+
+        Reviewed by Darin Adler.
+
+        * stress/proxy-delete.js: Assert isExtensible is called in correct order.
+        * test262/expectations.yaml: Mark 6 test cases as passing.
+
 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
 
         Sometimes we miss removable CheckInBounds
diff --git a/JSTests/stress/proxy-delete.js b/JSTests/stress/proxy-delete.js
@@ -92,6 +92,47 @@ function assert(b) {
     }
 }
 
+{
+    let target = new Proxy({}, {
+        isExtensible: function() {
+            throw new Error("should not be called if [[GetOwnProperty]] returns undefined");
+        }
+    });
+    let proxy = new Proxy(target, {
+        deleteProperty: function() {
+            return true;
+        }
+    });
+    for (let i = 0; i < 500; i++) {
+        assert(delete proxy.nonExistentProperty);
+    }
+}
+
+{
+    let calls;
+    let target = new Proxy({}, {
+        getOwnPropertyDescriptor: function() {
+            calls.push('getOwnPropertyDescriptor');
+            return { configurable: true };
+        },
+        isExtensible: function() {
+            calls.push('isExtensible');
+            return true;
+        }
+    });
+    let proxy = new Proxy(target, {
+        deleteProperty: function() {
+            calls.push('trap');
+            return true;
+        }
+    });
+    for (let i = 0; i < 500; i++) {
+        calls = [];
+        assert(delete proxy.prop);
+        assert(calls.join() == 'trap,getOwnPropertyDescriptor,isExtensible');
+    }
+}
+
 {
     let target = {};
     let error = null;
diff --git a/JSTests/test262/expectations.yaml b/JSTests/test262/expectations.yaml
@@ -1345,15 +1345,6 @@ test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
 test/built-ins/Proxy/create-handler-is-revoked-proxy.js:
   default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
   strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/Proxy/defineProperty/targetdesc-not-configurable-writable-desc-not-writable.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/Proxy/deleteProperty/targetdesc-is-configurable-target-is-not-extensible.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/Proxy/getOwnPropertyDescriptor/resultdesc-is-not-configurable-not-writable-targetdesc-is-writable.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
 test/built-ins/RegExp/named-groups/groups-object-subclass-sans.js:
   default: 'Test262Error: Expected SameValue(Â«bÂ», Â«$<a>Â») to be true'
   strict mode: 'Test262Error: Expected SameValue(Â«bÂ», Â«$<a>Â») to be true'
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,26 @@
+2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Three checks are missing in Proxy internal methods
+        https://bugs.webkit.org/show_bug.cgi?id=198630
+
+        Reviewed by Darin Adler.
+
+        Add three missing checks in Proxy internal methods.
+        These checks are necessary to maintain the invariants of the essential internal methods.
+        (https://github.com/tc39/ecma262/pull/666)
+
+        1. [[GetOwnProperty]] shouldn't return non-configurable and non-writable descriptor when the target's property is writable.
+        2. [[Delete]] should return `false` when the target has property and is not extensible.
+        3. [[DefineOwnProperty]] should return `true` for a non-writable input descriptor when the target's property is non-configurable and writable.
+
+        Shipping in SpiderMonkey since https://hg.mozilla.org/integration/autoland/rev/3a06bc818bc4 (version 69)
+        Shipping in V8 since https://chromium.googlesource.com/v8/v8.git/+/e846ad9fa5109428be50b1989314e0e4e7267919
+
+        * runtime/ProxyObject.cpp:
+        (JSC::ProxyObject::performInternalMethodGetOwnProperty): Add writability check.
+        (JSC::ProxyObject::performDelete): Add extensibility check.
+        (JSC::ProxyObject::performDefineOwnProperty): Add writability check.
+
 2019-07-24  Mark Lam  <mark.lam@apple.com>
 
         Remove some unused code.
diff --git a/Source/JavaScriptCore/runtime/ProxyObject.cpp b/Source/JavaScriptCore/runtime/ProxyObject.cpp
@@ -287,6 +287,10 @@ bool ProxyObject::performInternalMethodGetOwnProperty(ExecState* exec, PropertyN
             throwVMTypeError(exec, scope, "Result from 'getOwnPropertyDescriptor' can't be non-configurable when the 'target' doesn't have it as an own property or if it is a configurable own property on 'target'"_s);
             return false;
         }
+        if (trapResultAsDescriptor.writablePresent() && !trapResultAsDescriptor.writable() && targetPropertyDescriptor.writable()) {
+            throwVMTypeError(exec, scope, "Result from 'getOwnPropertyDescriptor' can't be non-configurable and non-writable when the target's property is writable"_s);
+            return false;
+        }
     }
 
     if (trapResultAsDescriptor.isAccessorDescriptor()) {
@@ -662,6 +666,12 @@ bool ProxyObject::performDelete(ExecState* exec, PropertyName propertyName, Defa
             throwVMTypeError(exec, scope, "Proxy handler's 'deleteProperty' method should return false when the target's property is not configurable"_s);
             return false;
         }
+        bool targetIsExtensible = target->isExtensible(exec);
+        RETURN_IF_EXCEPTION(scope, false);
+        if (!targetIsExtensible) {
+            throwVMTypeError(exec, scope, "Proxy handler's 'deleteProperty' method should return false when the target has property and is not extensible"_s);
+            return false;
+        }
     }
 
     RETURN_IF_EXCEPTION(scope, false);
@@ -886,6 +896,12 @@ bool ProxyObject::performDefineOwnProperty(ExecState* exec, PropertyName propert
         throwVMTypeError(exec, scope, "Proxy's 'defineProperty' trap did not define a non-configurable property on its target even though the input descriptor to the trap said it must do so"_s);
         return false;
     }
+    if (targetDescriptor.isDataDescriptor() && !targetDescriptor.configurable() && targetDescriptor.writable()) {
+        if (descriptor.writablePresent() && !descriptor.writable()) {
+            throwTypeError(exec, scope, "Proxy's 'defineProperty' trap returned true for a non-writable input descriptor when the target's property is non-configurable and writable"_s);
+            return false;
+        }
+    }
     
     return true;
 }

Original file line number	Diff line number	Diff line change
`@@ -287,6 +287,10 @@ bool ProxyObject::performInternalMethodGetOwnProperty(ExecState* exec, PropertyN`
`287`	`287`	`throwVMTypeError(exec, scope, "Result from 'getOwnPropertyDescriptor' can't be non-configurable when the 'target' doesn't have it as an own property or if it is a configurable own property on 'target'"_s);`
`288`	`288`	`return false;`
`289`	`289`	`}`
	`290`	`+ if (trapResultAsDescriptor.writablePresent() && !trapResultAsDescriptor.writable() && targetPropertyDescriptor.writable()) {`
	`291`	`+ throwVMTypeError(exec, scope, "Result from 'getOwnPropertyDescriptor' can't be non-configurable and non-writable when the target's property is writable"_s);`
	`292`	`+ return false;`
	`293`	`+ }`
`290`	`294`	`}`
`291`	`295`
`292`	`296`	`if (trapResultAsDescriptor.isAccessorDescriptor()) {`
`@@ -662,6 +666,12 @@ bool ProxyObject::performDelete(ExecState* exec, PropertyName propertyName, Defa`
`662`	`666`	`throwVMTypeError(exec, scope, "Proxy handler's 'deleteProperty' method should return false when the target's property is not configurable"_s);`
`663`	`667`	`return false;`
`664`	`668`	`}`
	`669`	`+ bool targetIsExtensible = target->isExtensible(exec);`
	`670`	`+ RETURN_IF_EXCEPTION(scope, false);`
	`671`	`+ if (!targetIsExtensible) {`
	`672`	`+ throwVMTypeError(exec, scope, "Proxy handler's 'deleteProperty' method should return false when the target has property and is not extensible"_s);`
	`673`	`+ return false;`
	`674`	`+ }`
`665`	`675`	`}`
`666`	`676`
`667`	`677`	`RETURN_IF_EXCEPTION(scope, false);`
`@@ -886,6 +896,12 @@ bool ProxyObject::performDefineOwnProperty(ExecState* exec, PropertyName propert`
`886`	`896`	`throwVMTypeError(exec, scope, "Proxy's 'defineProperty' trap did not define a non-configurable property on its target even though the input descriptor to the trap said it must do so"_s);`
`887`	`897`	`return false;`
`888`	`898`	`}`
	`899`	`+ if (targetDescriptor.isDataDescriptor() && !targetDescriptor.configurable() && targetDescriptor.writable()) {`
	`900`	`+ if (descriptor.writablePresent() && !descriptor.writable()) {`
	`901`	`+ throwTypeError(exec, scope, "Proxy's 'defineProperty' trap returned true for a non-writable input descriptor when the target's property is non-configurable and writable"_s);`
	`902`	`+ return false;`
	`903`	`+ }`
	`904`	`+ }`
`889`	`905`
`890`	`906`	`return true;`
`891`	`907`	`}`