[webkit-reviews] review denied: [Bug 202599] InternalFunction::createSubclassStructure should use newTarget's globalObject : [Attachment 396291] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 13 09:38:25 PDT 2020


Yusuke Suzuki <ysuzuki at apple.com> has denied Alexey Shvayka
<shvaikalesh at gmail.com>'s request for review:
Bug 202599: InternalFunction::createSubclassStructure should use newTarget's
globalObject
https://bugs.webkit.org/show_bug.cgi?id=202599

Attachment 396291: Patch

https://bugs.webkit.org/attachment.cgi?id=396291&action=review
--- Comment #23 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 396291
  --> https://bugs.webkit.org/attachment.cgi?id=396291
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=396291&action=review

> Source/JavaScriptCore/dfg/DFGOperations.cpp:396
> +    JSValue newTarget = callFrame->newTarget();
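
Review bot: `callFrame->newTarget()` at DFGOperations.cpp:396 reads the frame of the root DFG CodeBlock, so when the function this operation serves was inlined from a different realm the value it returns belongs to the wrong realm, and when the root CodeBlock was not entered via a construct call there is no newTarget to read at all. The globalObject already passed to the `op_create_promise` bytecode is the lexical global object this path needs; suggest keeping that and dropping the `callFrame->newTarget()` read, or adding a comment explaining why the root frame's newTarget is guaranteed to be the right one here.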

This is not correct. CallFrame is per-DFG-CodeBlock. So if your inlined
function has a different realm from the root DFG CodeBlock, this returns the wrong
result. And if the root CodeBlock is not a constructor call, accessing newTarget
is not OK.
I think that this modification is not necessary: globalObject is pointing to the
proper lexical global object for the `op_create_promise` bytecode.
Can you ensure this?
