
basic-fuses.js (2876B)


      1 // |jit-test| skip-if: !(getBuildConfiguration('debug')||getBuildConfiguration('fuzzing-defined'))
      2 
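      /**
       * Report whether the named fuse is still intact.
       *
       * Reads the current fuse table from the shell's getFuseState() testing
       * function and returns the `intact` field of the entry for `name`.
       *
       * The tests in this file copy this function into other globals as source
       * text (intact.toString()), so it must stay self-contained: it may only
       * use names that every test global provides, never variables of this file.
       *
       * @param {string} name - Fuse name as it appears in getFuseState().
       * @returns {boolean} The entry's `intact` value.
       * @throws {Error} If getFuseState() has no entry called `name`.
       */
      function intact(name) {
        const state = getFuseState();
        if (!(name in state)) {
          // Fail loudly on an unknown or misspelled fuse name. Without this
          // check the lookup below would raise a TypeError that never mentions
          // the fuse; a real Error (not a bare string) also carries a stack.
          throw new Error(`No such fuse ${name}`);
        }
        return state[name].intact;
      }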
     10 
     /**
      * Check that ArrayPrototypeIteratorFuse is tracked per realm.
      *
      * A function created in one global deletes Symbol.iterator from the
      * Array.prototype of a second global. Only the second global's fuse is
      * expected to pop; the global that merely supplied the function must keep
      * reporting the fuse as intact.
      */
     function testRealmChange() {
       const expectIntact = `assertEq(intact("ArrayPrototypeIteratorFuse"), true)`;
       const expectPopped = `assertEq(intact("ArrayPrototypeIteratorFuse"), false)`;

       // Every fresh global needs its own copy of intact(), installed from source.
       const makeRealm = () => {
         const realm = newGlobal();
         realm.evaluate(intact.toString());
         return realm;
       };

       const source = makeRealm();

       // A mutator that belongs to `source`: it deletes Symbol.iterator from the
       // prototype of whatever constructor it is handed.
       const removeIterator = source.evaluate("function del(o) { delete o.prototype[Symbol.iterator] };del");
       // Merely defining the mutator must not pop anything.
       source.evaluate(expectIntact);

       // Second realm: expose the foreign mutator as `rdel` and aim it at this
       // realm's own Array.
       const target = makeRealm();
       target.rdel = removeIterator;
       target.evaluate(`rdel(Array)`);

       // The realm the mutator came from did not have its Array.prototype
       // touched, so its fuse has to stay intact.
       source.evaluate(expectIntact);

       // The realm that owns the mutated Array.prototype must see the fuse
       // popped, even though the code doing the mutation came from elsewhere.
       // Fuse state that followed the calling code's realm instead of the
       // mutated object's realm would leave this realm reporting an invariant
       // that no longer holds.
       // NOTE(review): the author's remark at this point is cut off in the
       // source: "Oh dear. This is interesting. We currently ask the cx for
       // the array iterator proto," -- confirm what was meant.
       target.evaluate(expectPopped);
     }
     37 
     // Check the runtime-wide fuse invariants first, before any of the tests
     // in this file has mutated anything, then run the cross-realm test.
     assertRuntimeFuseInvariants();
     testRealmChange();
     41 
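     /**
      * Run one fuse scenario in a fresh global.
      *
      * Installs intact() in a new global, evaluates `pre`, checks the realm's
      * fuse invariants with assertRealmFuseInvariants(), then evaluates `post`.
      *
      * @param {string} pre - Source evaluated first; performs the mutation and
      *   may assert the fuse state before it.
      * @param {string} post - Source evaluated last; asserts the fuse state the
      *   mutation should have left behind.
      */
     function testInNewGlobal(pre, post) {
       // Keep the global in a local binding so nothing leaks into this script's
       // own global scope from one scenario to the next.
       const g = newGlobal();
       g.evaluate(intact.toString());
       g.evaluate(pre);
       // The invariants are checked after the mutation and before `post`, so a
       // fuse that failed to pop is reported here rather than going unnoticed.
       g.evaluate("assertRealmFuseInvariants()");
       g.evaluate(post);
     }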
     49 
     // Each entry is [pre, post]. `pre` changes something the named fuse claims
     // never changes; `post` requires the fuse to report popped afterwards. A
     // fuse left intact after such a change would mean the engine could keep
     // relying on an assumption that script has already broken.
     for (const [pre, post] of [
       // Default array iterator removed from Array.prototype.
       [
         "delete Array.prototype[Symbol.iterator]",
         `assertEq(intact("ArrayPrototypeIteratorFuse"), false)`,
       ],
       // A 'return' property appears on the array iterator prototype ...
       [
         "([])[Symbol.iterator]().__proto__['return'] = () => 10;",
         `assertEq(intact("ArrayIteratorPrototypeHasNoReturnProperty"), false)`,
       ],
       // ... on its prototype ...
       [
         "([])[Symbol.iterator]().__proto__.__proto__['return'] = () => 10;",
         `assertEq(intact("IteratorPrototypeHasNoReturnProperty"), false)`,
       ],
       // ... or on Object.prototype.
       [
         "Object.prototype['return'] = () => 10;",
         `assertEq(intact("ObjectPrototypeHasNoReturnProperty"), false)`,
       ],
       // The array iterator prototype is given a different prototype.
       [
         `assertEq(intact("ArrayIteratorPrototypeHasIteratorProto"), true); Object.setPrototypeOf(( ([])[Symbol.iterator]().__proto__ ), {a:10})`,
         `assertEq(intact("ArrayIteratorPrototypeHasIteratorProto"), false);`,
       ],
       // The prototype one level further up the chain is given a different
       // prototype.
       [
         `assertEq(intact("IteratorPrototypeHasObjectProto"), true); Object.setPrototypeOf( ( ([])[Symbol.iterator]().__proto__.__proto__ ), {a:10})`,
         `assertEq(intact("IteratorPrototypeHasObjectProto"), false);`,
       ],
       // createIsHTMLDDA() is called in the new global.
       [
         `assertEq(intact("HasSeenObjectEmulateUndefinedFuse"), true); createIsHTMLDDA()`,
         `assertEq(intact("HasSeenObjectEmulateUndefinedFuse"), false);`,
       ],
       // An element is stored at index 2147483649, past the int32 maximum of
       // 2147483647.
       [
         `assertEq(intact("HasSeenArrayExceedsInt32LengthFuse"), true); const x = []; x[2147483649] = 1`,
         `assertEq(intact("HasSeenArrayExceedsInt32LengthFuse"), false);`,
       ],
     ]) {
       testInNewGlobal(pre, post);
     }

     // Runtime wide fuse: the last two scenarios ran in other globals, yet the
     // fuses must read as popped from this global as well.
     assertEq(intact("HasSeenObjectEmulateUndefinedFuse"), false);
     assertEq(intact("HasSeenArrayExceedsInt32LengthFuse"), false);