[webkit-changes] [WebKit/WebKit] 6848da: [JSC] Pass target object as a parameter to globalF...
Yusuke Suzuki
noreply at github.com
Fri Sep 23 18:34:55 PDT 2022
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6848dafe458b079a1f25f642f419e448b28837df
https://github.com/WebKit/WebKit/commit/6848dafe458b079a1f25f642f419e448b28837df
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2022-09-23 (Fri, 23 Sep 2022)
Changed paths:
A JSTests/stress/proxy-helper-should-have-target-in-parameter.js
M Source/JavaScriptCore/builtins/ProxyHelpers.js
M Source/JavaScriptCore/bytecode/ProxyObjectAccessCase.cpp
Log Message:
-----------
[JSC] Pass target object as a parameter to globalFuncHandleProxyGetTrapResult to suppress JSC shell issue
https://bugs.webkit.org/show_bug.cgi?id=245567
<rdar://100315084>
Reviewed by Darin Adler and Mark Lam.
Only in JSC shell, we are directly exposing JSGlobalObject to user space, and Proxy's helper function cannot
handle well when this is specified as a target object of ProxyObject since we convert JSGlobalObject to undefined
when it is passed to strict JS code (and this is how we handle strict mode's JSGlobalObject's |this|, and this is
totally valid since we do not expose it in the user code. User code only sees JSGlobalObject wrapped with JSProxy).
This patch suppresses this JSC shell case to make Proxy code robust against that by passing the target as a parameter
instead of |this|.
* JSTests/stress/proxy-helper-should-have-target-in-parameter.js: Added.
(main.const.v11):
(main.v3):
(main):
* Source/JavaScriptCore/builtins/ProxyHelpers.js:
(linkTimeConstant.performProxyObjectGet):
* Source/JavaScriptCore/bytecode/ProxyObjectAccessCase.cpp:
(JSC::ProxyObjectAccessCase::emit):
Canonical link: https://commits.webkit.org/254815@main