The Tor Browser: js/src/jit-test/tests/basic/testGuardCalleeSneakAttack2.js@129ffea94266 (annotated)

js/src/jit-test/tests/basic/testGuardCalleeSneakAttack2.js@129ffea94266 (annotated)

js/src/jit-test/tests/basic/testGuardCalleeSneakAttack2.js

Sat, 03 Jan 2015 20:18:00 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Sat, 03 Jan 2015 20:18:00 +0100
branch: TOR_BUG_3246
changeset 7: 129ffea94266
permissions: -rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.

 function loop(f, expected) {
    // This is the loop that breaks us.
    // At record time, f's parent is a Call object with no fp.
    // At second execute time, it is a Call object with fp,
    // and all the Call object's dslots are still JSVAL_VOID.
    for (var i = 0; i < 9; i++)
        assertEq(f(), expected);
 }
 function C(bad) {
    var x = bad;
    function f() {
        return x;  // We trick TR::callProp() into emitting code that gets
                   // JSVAL_VOID (from the Call object's dslots)
                   // rather than the actual value (true or false).
    }
    if (bad)
        void (f + "a!");
    return f;
 }
 var obj = {
 };
 // Warm up and trace with C's Call object entrained but its stack frame gone.
 loop(C.call(obj, false), false);
 // Sneaky access to f via a prototype method called implicitly by operator +.
 Function.prototype.toString = function () { loop(this, true); return "hah"; };
 // Fail hard if we don't handle the implicit call out of C to F.p.toString.
 C.call(obj, true);