[shared-struct] Make shared object constructor prototypes RO

Shared object constructors' .prototype are null and aren't used for instance creation. Set them to read-only so as to not trigger code that tries to invalidate code due to instance prototype changes. Bug: v8:12547, chromium:1381398 Change-Id: I2b712d1eb60d6d10c76a5f94b12e9f9010cabd5b Fixed: chromium:1381398 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4018916 Commit-Queue: Shu-yu Guo <syg@chromium.org> Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/main@{#84195}
2022-11-09 16:58:05 -08:00 · 2022-11-09 16:58:05 -08:00 · 072b3165e6
commit 072b3165e6
parent 34e3ab71d5
4 changed files with 11 additions and 2 deletions
--- a/src/builtins/builtins-struct.cc
+++ b/src/builtins/builtins-struct.cc
@ -105,7 +105,7 @@ BUILTIN(SharedStructTypeConstructor) {

  Handle<JSFunction> constructor =
      Factory::JSFunctionBuilder{isolate, info, isolate->native_context()}
-          .set_map(isolate->strict_function_map())
+          .set_map(isolate->strict_function_with_readonly_prototype_map())
          .Build();

  int instance_size;
--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
@ -530,7 +530,7 @@ V8_NOINLINE Handle<JSFunction> CreateSharedObjectConstructor(
  info->set_language_mode(LanguageMode::kStrict);
  Handle<JSFunction> constructor =
      Factory::JSFunctionBuilder{isolate, info, isolate->native_context()}
-          .set_map(isolate->strict_function_map())
+          .set_map(isolate->strict_function_with_readonly_prototype_map())
          .Build();
  constexpr int in_object_properties = 0;
  Handle<Map> instance_map =
--- a/test/mjsunit/shared-memory/shared-array-surface.js
+++ b/test/mjsunit/shared-memory/shared-array-surface.js
@ -9,6 +9,12 @@
 (function TestNoPrototype() {
  // For now the experimental shared arrays don't have a prototype.
  assertNull(Object.getPrototypeOf(new SharedArray(10)));
+
+  assertNull(SharedArray.prototype);
+
+  assertThrows(() => {
+    SharedArray.prototype = {};
+  });
 })();

 (function TestPrimitives() {
--- a/test/mjsunit/shared-memory/shared-struct-surface.js
+++ b/test/mjsunit/shared-memory/shared-struct-surface.js
@ -13,6 +13,9 @@ let S = new SharedStructType(['field']);
  // proposal explainer which says accessing the prototype throws.
  assertNull(S.prototype);
  assertNull(Object.getPrototypeOf(new S()));
+  assertThrows(() => {
+    S.prototype = {};
+  });
 })();

 (function TestPrimitives() {