[webkit-changes] [WebKit/WebKit] 22b1c6: ASSERTION FAILED: isCell() WebKit/Source/JavaScrip...
Keith Miller
noreply at github.com
Mon Aug 19 12:59:47 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 22b1c6974350230ff84219d2d05da6b88ebcf67a
https://github.com/WebKit/WebKit/commit/22b1c6974350230ff84219d2d05da6b88ebcf67a
Author: Keith Miller <keith_miller at apple.com>
Date: 2024-08-19 (Mon, 19 Aug 2024)
Changed paths:
A JSTests/stress/runString-returns-globalThis-not-globalObject.js
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/tools/JSDollarVM.cpp
Log Message:
-----------
ASSERTION FAILED: isCell() WebKit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(598) : JSC::JSCell* JSC::JSValue::asCell() const
https://bugs.webkit.org/show_bug.cgi?id=276934
rdar://132305364
Reviewed by Yusuke Suzuki.
Some of our debugging functions currently return the globalObject directly. This is mostly ok because we expect to not fall over when the globalObject is directly exposed (rather than the globalThis proxy). That said, it seems when extending the GlobalObject it's possible to crash because we put_by_id_direct on the result of `ToThis`, which, when it is the GlobalObject (not the proxy), becomes jsUndefined().

To avoid spurious fuzzer crashes in the future this change has these functions return the globalThis. It seems none of the testing we did relies on the actual globalObject anyway and the globalThis is fine.
* JSTests/stress/runString-returns-globalThis-not-globalObject.js: Added.
(try.F):
(try.C):
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
Canonical link: https://commits.webkit.org/282453@main