Fix prototype chain traversing (#4458)

After the introduction of the Proxy builtin object there was
a possibility to traverse the prototype chain with an invalid object.
The prototype was freed before it's data/properties were queried resulting
in accessing invalid information.

By forcing the allocator to always do a gc (`--mem-stres-test=on` build option)
it was possible to trigger the issue without complicated tests.

New internal method:
* `ecma_op_object_get_prototype_of` which always returns the prototype
  of an object and the return value must be freed (if it is valid).

Updated prototype chain traversing in:
* `jerry_object_get_property_names`
* `ecma_builtin_object_prototype_lookup_getter_setter`
* `ecma_op_function_has_instance`
* `ecma_op_function_get_super_constructor`
* `ecma_op_object_is_prototype_of`
* `ecma_op_object_enumerate`

Removed method `ecma_proxy_object_prototype_to_cp`

JerryScript-DCO-1.0-Signed-off-by: Peter Gal [email protected]

Author: galpeter

jerry-core/api/jerry.c

@@ -3884,6 +3884,8 @@ jerry_object_get_property_names (const jerry_value_t obj_val, /**< object */
   ecma_object_t *obj_iter_p = obj_p;
   ecma_collection_t *result_p = ecma_new_collection ();
 
+  ecma_ref_object (obj_iter_p);
+
   while (true)
   {
     /* Step 1. Get Object.[[OwnKeys]] */
@@ -3892,6 +3894,7 @@ jerry_object_get_property_names (const jerry_value_t obj_val, /**< object */
 #if ENABLED (JERRY_BUILTIN_PROXY)
     if (prop_names_p == NULL)
     {
+      ecma_deref_object (obj_iter_p);
       return jerry_throw (ECMA_VALUE_ERROR);
     }
 #endif /* ENABLED (JERRY_BUILTIN_PROXY) */
@@ -3942,6 +3945,7 @@ jerry_object_get_property_names (const jerry_value_t obj_val, /**< object */
         {
           ecma_collection_free (prop_names_p);
           ecma_collection_free (result_p);
+          ecma_deref_object (obj_iter_p);
           return jerry_throw (ECMA_VALUE_ERROR);
         }
 #endif /* ENABLED (JERRY_BUILTIN_PROXY) */
@@ -4008,38 +4012,32 @@ jerry_object_get_property_names (const jerry_value_t obj_val, /**< object */
     ecma_collection_free (prop_names_p);
 
     /* Step 4: Traverse prototype chain */
-    jmem_cpointer_t parent_cp = JMEM_CP_NULL;
 
-    if (filter & JERRY_PROPERTY_FILTER_TRAVERSE_PROTOTYPE_CHAIN)
+    if ((filter & JERRY_PROPERTY_FILTER_TRAVERSE_PROTOTYPE_CHAIN) != JERRY_PROPERTY_FILTER_TRAVERSE_PROTOTYPE_CHAIN)
     {
-#if ENABLED (JERRY_BUILTIN_PROXY)
-      if (ECMA_OBJECT_IS_PROXY (obj_iter_p))
-      {
-        ecma_value_t parent = ecma_proxy_object_get_prototype_of (obj_iter_p);
+      break;
+    }
 
-        if (ECMA_IS_VALUE_ERROR (parent))
-        {
-          ecma_collection_free (result_p);
-          return jerry_throw (ECMA_VALUE_ERROR);
-        }
+    ecma_object_t *proto_p = ecma_op_object_get_prototype_of (obj_iter_p);
 
-        parent_cp = ecma_proxy_object_prototype_to_cp (parent);
-      }
-      else
-#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
-      {
-        parent_cp = ecma_op_ordinary_object_get_prototype_of (obj_iter_p);
-      }
+    if (proto_p == NULL)
+    {
+      break;
     }
 
-    if (parent_cp == JMEM_CP_NULL)
+    ecma_deref_object (obj_iter_p);
+
+    if (JERRY_UNLIKELY (proto_p == ECMA_OBJECT_POINTER_ERROR))
     {
-      break;
+      ecma_collection_free (result_p);
+      return jerry_throw (ECMA_VALUE_ERROR);
     }
 
-    obj_iter_p = ECMA_GET_NON_NULL_POINTER (ecma_object_t, parent_cp);
+    obj_iter_p = proto_p;
   }
 
+  ecma_deref_object (obj_iter_p);
+
   return ecma_op_new_array_object_from_collection (result_p, false);
 } /* jerry_object_get_property_names */
 

jerry-core/ecma/builtin-objects/ecma-builtin-object-prototype.c

@@ -324,11 +324,10 @@ ecma_builtin_object_prototype_lookup_getter_setter (ecma_value_t this_arg, /**<
     return ECMA_VALUE_ERROR;
   }
 
-  jmem_cpointer_t obj_cp;
-  ECMA_SET_NON_NULL_POINTER (obj_cp, obj_p);
-
   ecma_value_t ret_value = ECMA_VALUE_UNDEFINED;
 
+  ecma_ref_object (obj_p);
+
   /* 3. */
   while (true)
   {
@@ -339,6 +338,7 @@ ecma_builtin_object_prototype_lookup_getter_setter (ecma_value_t this_arg, /**<
     if (ECMA_IS_VALUE_ERROR (get_desc))
     {
       ret_value = get_desc;
+      ecma_deref_object (obj_p);
       break;
     }
 
@@ -360,35 +360,26 @@ ecma_builtin_object_prototype_lookup_getter_setter (ecma_value_t this_arg, /**<
       }
 
       ecma_free_property_descriptor (&desc);
+      ecma_deref_object (obj_p);
       break;
     }
 
     /* 3.c */
-#if ENABLED (JERRY_BUILTIN_PROXY)
-    if (ECMA_OBJECT_IS_PROXY (obj_p))
-    {
-      ecma_value_t parent = ecma_proxy_object_get_prototype_of (obj_p);
-
-      if (ECMA_IS_VALUE_ERROR (parent))
-      {
-        ret_value = parent;
-        break;
-      }
+    ecma_object_t *proto_p = ecma_op_object_get_prototype_of (obj_p);
+    ecma_deref_object (obj_p);
 
-      obj_cp = ecma_proxy_object_prototype_to_cp (parent);
-    }
-    else
-#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
+    if (proto_p == NULL)
     {
-      obj_cp = ecma_op_ordinary_object_get_prototype_of (obj_p);
+      break;
     }
-
-    if (obj_cp == JMEM_CP_NULL)
+    else if (JERRY_UNLIKELY (proto_p == ECMA_OBJECT_POINTER_ERROR))
     {
+      ret_value = ECMA_VALUE_ERROR;
       break;
     }
 
-    obj_p = ECMA_GET_NON_NULL_POINTER (ecma_object_t, obj_cp);
+    /* Advance up on prototype chain. */
+    obj_p = proto_p;
   }
 
   ecma_free_value (to_obj);

jerry-core/ecma/operations/ecma-function-object.c

@@ -900,44 +900,34 @@ ecma_op_function_has_instance (ecma_object_t *func_obj_p, /**< Function object *
   ecma_value_t result = ECMA_VALUE_FALSE;
 #endif /* ENABLED (JERRY_BUILTIN_PROXY) */
 
+  ecma_ref_object (v_obj_p);
+
   while (true)
   {
-    jmem_cpointer_t v_obj_cp;
-#if ENABLED (JERRY_BUILTIN_PROXY)
-    if (ECMA_OBJECT_IS_PROXY (v_obj_p))
-    {
-      ecma_value_t parent = ecma_proxy_object_get_prototype_of (v_obj_p);
-
-      if (ECMA_IS_VALUE_ERROR (parent))
-      {
-        break;
-      }
+    ecma_object_t *current_proto_p = ecma_op_object_get_prototype_of (v_obj_p);
+    ecma_deref_object (v_obj_p);
 
-      v_obj_cp = ecma_proxy_object_prototype_to_cp (parent);
-    }
-    else
-    {
-#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
-      v_obj_cp = ecma_op_ordinary_object_get_prototype_of (v_obj_p);
-#if ENABLED (JERRY_BUILTIN_PROXY)
-    }
-#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
-
-    if (v_obj_cp == JMEM_CP_NULL)
+    if (current_proto_p == NULL)
     {
 #if ENABLED (JERRY_BUILTIN_PROXY)
       result = ECMA_VALUE_FALSE;
 #endif /* ENABLED (JERRY_BUILTIN_PROXY) */
       break;
     }
+    else if (current_proto_p == ECMA_OBJECT_POINTER_ERROR)
+    {
+      break;
+    }
 
-    v_obj_p = ECMA_GET_NON_NULL_POINTER (ecma_object_t, v_obj_cp);
-
-    if (v_obj_p == prototype_obj_p)
+    if (current_proto_p == prototype_obj_p)
     {
+      ecma_deref_object (current_proto_p);
       result = ECMA_VALUE_TRUE;
       break;
     }
+
+    /* Advance up on prototype chain. */
+    v_obj_p = current_proto_p;
   }
 
   ecma_deref_object (prototype_obj_p);
@@ -957,38 +947,13 @@ ecma_op_function_has_instance (ecma_object_t *func_obj_p, /**< Function object *
 ecma_value_t
 ecma_op_function_get_super_constructor (ecma_object_t *func_obj_p) /**< function object */
 {
-  ecma_object_t *super_ctor_p;
+  ecma_object_t *super_ctor_p = ecma_op_object_get_prototype_of (func_obj_p);
 
-#if ENABLED (JERRY_BUILTIN_PROXY)
-  if (ECMA_OBJECT_IS_PROXY (func_obj_p))
+  if (JERRY_UNLIKELY (super_ctor_p == ECMA_OBJECT_POINTER_ERROR))
   {
-    ecma_value_t super_ctor = ecma_proxy_object_get_prototype_of (func_obj_p);
-
-    if (ECMA_IS_VALUE_ERROR (super_ctor))
-    {
-      return super_ctor;
-    }
-
-    super_ctor_p = ecma_is_value_null (super_ctor) ? NULL : ecma_get_object_from_value (super_ctor);
-  }
-  else
-  {
-#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
-    jmem_cpointer_t proto_cp = ecma_op_ordinary_object_get_prototype_of (func_obj_p);
-    if (proto_cp == JMEM_CP_NULL)
-    {
-      super_ctor_p = NULL;
-    }
-    else
-    {
-      super_ctor_p = ECMA_GET_NON_NULL_POINTER (ecma_object_t, proto_cp);
-      ecma_ref_object (super_ctor_p);
-    }
-#if ENABLED (JERRY_BUILTIN_PROXY)
+    return ECMA_VALUE_ERROR;
   }
-#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
-
-  if (super_ctor_p == NULL || !ecma_object_is_constructor (super_ctor_p))
+  else if (super_ctor_p == NULL || !ecma_object_is_constructor (super_ctor_p))
   {
     if (super_ctor_p != NULL)
     {