Bug 1519142 - Handle cyclic [[Protototype]] chains in two places. r=jorendorff

Differential Revision: https://phabricator.services.mozilla.com/D16387 --HG-- extra : moz-landing-system : lando
2024-10-09 03:15:11 +00:00 · 2019-01-15 17:24:47 +00:00 · 2019-01-15 17:24:47 +00:00 · 1dc969f10b
commit 1dc969f10b
parent d263400b1c
4 changed files with 31 additions and 0 deletions
--- a/js/src/jit-test/tests/proxy/getPrototype-cycle-for-in.js
+++ b/js/src/jit-test/tests/proxy/getPrototype-cycle-for-in.js
@ -0,0 +1,12 @@
+// |jit-test| exitstatus: 6
+timeout(0.5);
+
+var proxy = new Proxy({}, {
+    getPrototypeOf() {
+        return proxy;
+    }
+});
+
+var obj = {a: 1, b: 2, __proto__: proxy};
+for (var x in obj) {}
+assertEq(0, 1); // Should timeout.
--- a/js/src/jit-test/tests/proxy/getPrototype-cycle-hasInstance.js
+++ b/js/src/jit-test/tests/proxy/getPrototype-cycle-hasInstance.js
@ -0,0 +1,11 @@
+// |jit-test| exitstatus: 6
+timeout(0.5)
+
+var proxy = new Proxy({}, {
+    getPrototypeOf() {
+        return proxy;
+    }
+});
+
+var x = proxy instanceof function() {};
+assertEq(0, 1); // Should timeout.
--- a/js/src/vm/Iteration.cpp
+++ b/js/src/vm/Iteration.cpp
@ -542,6 +542,10 @@ static bool Snapshot(JSContext* cx, HandleObject pobj_, unsigned flags,
      return false;
    }

+    // The [[Prototype]] chain might be cyclic.
+    if (!CheckForInterrupt(cx)) {
+      return false;
+    }
  } while (pobj != nullptr);

 #ifdef JS_MORE_DETERMINISTIC
--- a/js/src/vm/JSObject.cpp
+++ b/js/src/vm/JSObject.cpp
@ -3400,6 +3400,10 @@ bool js::IsPrototypeOf(JSContext* cx, HandleObject protoObj, JSObject* obj,
                       bool* result) {
  RootedObject obj2(cx, obj);
  for (;;) {
+    // The [[Prototype]] chain might be cyclic.
+    if (!CheckForInterrupt(cx)) {
+      return false;
+    }
    if (!GetPrototype(cx, obj2, &obj2)) {
      return false;
    }