[Webkit-unassigned] [Bug 195534] with(aProxy) {/*stuff*/} causes wrong traps

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=195534

evan.exe at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |evan.exe at gmail.com

--- Comment #1 from evan.exe at gmail.com ---
There's some more detail here: https://github.com/tc39/proposal-realms/issues/200#issuecomment-472190359. This is a minimal repro case:

    const alwaysThrowHandler = new Proxy(Object.freeze({}), {
      get(target, prop) {
        throw new Error(`unexpected scope handler trap called: ${prop}`)
      }
    })

    const proxy = new Proxy(Object.create(this), {
      __proto__: alwaysThrowHandler,
      get: (target, prop) => target[prop],
      has: (target, prop) => true,
    })

    with (proxy) eval(`(async () => {})()`)

This runs fine with V8 but throws "unexpected scope handler trap called: getPrototypeOf" in JSC.

Putting a breakpoint on "ProxyObject::performGetPrototype" shows that it comes from "JSScope::resolve" being called with "newPromiseCapability", which I think is from the implementation of "let promiseCapability be @newPromiseCapability(@Promise)" in BytecodeGenerator.cpp.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190312/8fe456d6/attachment.html>