Bug 1858622 - Freeze/seal more JS standard classes in freezeBuiltins realms. r=mgaudet

We did this for Object/Array/Function for security reasons in bug 1771084, but we can extend this to other builtins. Differential Revision: https://phabricator.services.mozilla.com/D190762
2024-11-23 12:51:06 +00:00 · 2023-10-13 09:53:29 +00:00 · 2023-10-13 09:53:29 +00:00 · 3198f78df5
commit 3198f78df5
parent d1c339538c
2 changed files with 21 additions and 7 deletions
--- a/js/src/jit-test/tests/basic/freeze-builtins.js
+++ b/js/src/jit-test/tests/basic/freeze-builtins.js
@ -19,3 +19,20 @@ g.evaluate("" + function checkFrozen(name) {
 g.checkFrozen("Object");
 g.checkFrozen("Array");
 g.checkFrozen("Function");
+
+g.checkFrozen("ArrayBuffer");
+g.checkFrozen("Int32Array");
+g.checkFrozen("Number");
+g.checkFrozen("String");
+g.checkFrozen("Date");
+g.checkFrozen("Proxy");
+g.checkFrozen("Promise");
+g.checkFrozen("RegExp");
+g.checkFrozen("Map");
+g.checkFrozen("WeakMap");
+g.checkFrozen("WeakRef");
+g.checkFrozen("Error");
+g.checkFrozen("TypeError");
+
+g.checkFrozen("JSON");
+g.checkFrozen("Math");
--- a/js/src/vm/GlobalObject.cpp
+++ b/js/src/vm/GlobalObject.cpp
@ -231,14 +231,11 @@ bool GlobalObject::skipDeselectedConstructor(JSContext* cx, JSProtoKey key) {
 }

 static bool ShouldFreezeBuiltin(JSProtoKey key) {
-  switch (key) {
-    case JSProto_Object:
-    case JSProto_Array:
-    case JSProto_Function:
-      return true;
-    default:
-      return false;
+  // We can't freeze Reflect because JS_InitReflectParse defines Reflect.parse.
+  if (key == JSProto_Reflect) {
+    return false;
  }
+  return true;
 }

 static unsigned GetAttrsForResolvedGlobal(GlobalObject* global,