[webkit-changes] [WebKit/WebKit] 1c9bd7: [JSC] returnEarlyFromInfiniteLoopsForFuzzing shoul...

Fri Sep 16 18:08:58 PDT 2022

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1c9bd752d9596b1d7f1cb0c0a5d7db26b5ad4e02
      https://github.com/WebKit/WebKit/commit/1c9bd752d9596b1d7f1cb0c0a5d7db26b5ad4e02
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2022-09-16 (Fri, 16 Sep 2022)

  Changed paths:
    A JSTests/stress/proxy-helper-this.js
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/JITOpcodes.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

  Log Message:
  -----------
  [JSC] returnEarlyFromInfiniteLoopsForFuzzing should return globalThis
https://bugs.webkit.org/show_bug.cgi?id=245293
<rdar://99569065>

Reviewed by Justin Michaud.

Raw JSGlobalObject is not expected to be exposed directly to the user JS code usually.
Instead, we expect globalThis is exposed. But returnEarlyFromInfiniteLoopsForFuzzing fuzzing
feature accidentally exposes JSGlobalObject and causing trouble in Proxy implementation
(when JSGlobalObject is passed as |this| to JS strict code, it becomes undefined instead of an object)
This patch fixes returnEarlyFromInfiniteLoopsForFuzzing so that it returns globalThis instead.

* JSTests/stress/proxy-helper-this.js: Added.
(foo):
(let.handler.string_appeared_here):
(async let):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileLoopHint):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_loop_hint):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:

Canonical link: https://commits.webkit.org/254578@main