- Revision: 251354
- Author: bshaf...@apple.com
- Date: 2019-10-20 17:44:26 -0700 (Sun, 20 Oct 2019)
Log Message
Cherry-pick r249538. rdar://problem/56426429
LazyClassStructure::setConstructor should not store the constructor to the global object
https://bugs.webkit.org/show_bug.cgi?id=201484
<rdar://problem/50400451>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
Source/_javascript_Core:
LazyClassStructure::setConstructor sets the constructor as a property of the global object.
This became a problem when it started being used for WebAssembly constructors, such as Module
and Instance, since they are properties of the WebAssembly object, not the global object. That
resulted in properties of the global object being replaced whenever a lazy WebAssembly constructor
was first accessed. e.g.
globalThis.Module = x;
WebAssembly.Module;
globalThis.Module === WebAssembly.Module;
* runtime/LazyClassStructure.cpp:
(JSC::LazyClassStructure::Initializer::setConstructor):
* runtime/LazyClassStructure.h:
* runtime/Lookup.h:
(JSC::reifyStaticProperty):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249538 268f45cc-cd09-0410-ab3c-d52691b4dbfc
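The snippet in the log message checks a single name. The following is an added example, not part of this commit or of WebKit, that generalizes the same check over every own property of the WebAssembly object on whichever engine runs it: it seeds a marker global for each name, performs the first access that ran the lazy initializer in JSC, and reports which globals were replaced. It assumes only that the engine exposes its WebAssembly constructors as own properties of `WebAssembly`; the function name and the marker objects are this example's own.

```javascript
'use strict';

// Added example (not from the WebKit commit): regression probe for the
// global-object clobbering described in r249538. Pre-seeds a global for
// every own property name of WebAssembly, touches each WebAssembly
// property once (the first access is what ran the lazy initializer in
// JSC), and reports which seeded globals no longer hold our marker.
// Assumption: constructors are own properties of the WebAssembly object,
// so the probed set is whatever this engine exposes.
function probeWebAssemblyGlobalClobbering(global = globalThis, wasm = WebAssembly) {
  // getOwnPropertyNames does not invoke getters or reify lazy properties,
  // so listing the names initializes nothing on `wasm` yet.
  const seeded = new Map();
  for (const name of Object.getOwnPropertyNames(wasm)) {
    if (name in global) continue;            // leave genuine globals alone
    const sentinel = { sentinel: name };     // constructed marker, unique per name
    global[name] = sentinel;
    seeded.set(name, sentinel);
  }

  const clobbered = [];
  try {
    for (const [name, sentinel] of seeded) {
      void wasm[name];                       // first access: triggers lazy init
      if (global[name] !== sentinel)         // the bug replaced the global here
        clobbered.push(name);
    }
  } finally {
    // Restore the global object so the probe leaves no trace behind.
    for (const name of seeded.keys()) delete global[name];
  }
  return { probed: [...seeded.keys()], clobbered };
}

// Stand-alone usage: on an engine without the bug `clobbered` is empty.
console.log(JSON.stringify(probeWebAssemblyGlobalClobbering()));
```

Running the probe before and after a fix makes the regression visible as a non-empty `clobbered` list; on an engine where lazy constructors were never published on the global object, the list is empty and the seeded globals are removed again on return.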
Diff
Modified: branches/safari-608-branch/JSTests/ChangeLog (251353 => 251354)
--- branches/safari-608-branch/JSTests/ChangeLog 2019-10-20 23:40:21 UTC (rev 251353)
+++ branches/safari-608-branch/JSTests/ChangeLog 2019-10-21 00:44:26 UTC (rev 251354)
@@ -1,3 +1,47 @@
+2019-10-20 Babak Shafiei <bshaf...@apple.com>
+
+ Cherry-pick r249538. rdar://problem/56426429
+
+ LazyClassStructure::setConstructor should not store the constructor to the global object
+ https://bugs.webkit.org/show_bug.cgi?id=201484
+ <rdar://problem/50400451>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
+
+ Source/_javascript_Core:
+
+ LazyClassStructure::setConstructor sets the constructor as a property of the global object.
+ This became a problem when it started being used for WebAssembly constructors, such as Module
+ and Instance, since they are properties of the WebAssembly object, not the global object. That
+ resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
+ was first accessed. e.g.
+
+ globalThis.Module = x;
+ WebAssembly.Module;
+ globalThis.Module === WebAssembly.Module;
+
+ * runtime/LazyClassStructure.cpp:
+ (JSC::LazyClassStructure::Initializer::setConstructor):
+ * runtime/LazyClassStructure.h:
+ * runtime/Lookup.h:
+ (JSC::reifyStaticProperty):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249538 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-09-05 Tadeu Zagallo <tzaga...@apple.com>
+
+ LazyClassStructure::setConstructor should not store the constructor to the global object
+ https://bugs.webkit.org/show_bug.cgi?id=201484
+ <rdar://problem/50400451>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
+
2019-10-15 Kocsen Chung <kocsen_ch...@apple.com>
Cherry-pick r250585. rdar://problem/56280995
Added: branches/safari-608-branch/JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js (0 => 251354)
--- branches/safari-608-branch/JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js (rev 0)
+++ branches/safari-608-branch/JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js 2019-10-21 00:44:26 UTC (rev 251354)
@@ -0,0 +1,4 @@
+var originalModule = this.Module = {};
+WebAssembly.Module;
+if (Module !== originalModule)
+ throw new Error('Global property `Module` was overwritten!');
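Review bot: the test exercises only `WebAssembly.Module` (L88), while the description names `Instance` as well and the fix applies to every constructor that goes through `LazyClassStructure::setConstructor`; seeding and checking each one, e.g. `for (const name of ['Module', 'Instance']) { this[name] = {}; WebAssembly[name]; }` followed by the identity check, would catch a regression in any single constructor. A one-line comment that the bare `WebAssembly.Module;` expression statement is intentional (it is the first access that runs the lazy initializer) would also stop a future cleanup from deleting it as dead code.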
Modified: branches/safari-608-branch/Source/_javascript_Core/ChangeLog (251353 => 251354)
--- branches/safari-608-branch/Source/_javascript_Core/ChangeLog 2019-10-20 23:40:21 UTC (rev 251353)
+++ branches/safari-608-branch/Source/_javascript_Core/ChangeLog 2019-10-21 00:44:26 UTC (rev 251354)
@@ -1,3 +1,61 @@
+2019-10-20 Babak Shafiei <bshaf...@apple.com>
+
+ Cherry-pick r249538. rdar://problem/56426429
+
+ LazyClassStructure::setConstructor should not store the constructor to the global object
+ https://bugs.webkit.org/show_bug.cgi?id=201484
+ <rdar://problem/50400451>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
+
+ Source/_javascript_Core:
+
+ LazyClassStructure::setConstructor sets the constructor as a property of the global object.
+ This became a problem when it started being used for WebAssembly constructors, such as Module
+ and Instance, since they are properties of the WebAssembly object, not the global object. That
+ resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
+ was first accessed. e.g.
+
+ globalThis.Module = x;
+ WebAssembly.Module;
+ globalThis.Module === WebAssembly.Module;
+
+ * runtime/LazyClassStructure.cpp:
+ (JSC::LazyClassStructure::Initializer::setConstructor):
+ * runtime/LazyClassStructure.h:
+ * runtime/Lookup.h:
+ (JSC::reifyStaticProperty):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249538 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-09-05 Tadeu Zagallo <tzaga...@apple.com>
+
+ LazyClassStructure::setConstructor should not store the constructor to the global object
+ https://bugs.webkit.org/show_bug.cgi?id=201484
+ <rdar://problem/50400451>
+
+ Reviewed by Yusuke Suzuki.
+
+ LazyClassStructure::setConstructor sets the constructor as a property of the global object.
+ This became a problem when it started being used for WebAssembly constructors, such as Module
+ and Instance, since they are properties of the WebAssembly object, not the global object. That
+ resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
+ was first accessed. e.g.
+
+ globalThis.Module = x;
+ WebAssembly.Module;
+ globalThis.Module === WebAssembly.Module;
+
+ * runtime/LazyClassStructure.cpp:
+ (JSC::LazyClassStructure::Initializer::setConstructor):
+ * runtime/LazyClassStructure.h:
+ * runtime/Lookup.h:
+ (JSC::reifyStaticProperty):
+
2019-10-15 Kocsen Chung <kocsen_ch...@apple.com>
Cherry-pick r250629. rdar://problem/56280996
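Review bot: the entry lists `runtime/Lookup.h (JSC::reifyStaticProperty)` at L150-L151 without saying what changed there, yet that is where the behaviour moved: the global-object property that `setConstructor` used to install is now written by the static-table reification itself, with the attributes taken from the table entry. One sentence to that effect under the `Lookup.h` bullet would tell a reader why a lookup change belongs to a fix about the global object.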
Modified: branches/safari-608-branch/Source/_javascript_Core/runtime/LazyClassStructure.cpp (251353 => 251354)
--- branches/safari-608-branch/Source/_javascript_Core/runtime/LazyClassStructure.cpp 2019-10-20 23:40:21 UTC (rev 251353)
+++ branches/safari-608-branch/Source/_javascript_Core/runtime/LazyClassStructure.cpp 2019-10-21 00:44:26 UTC (rev 251354)
@@ -60,7 +60,7 @@
prototype = structure->storedPrototypeObject();
}
-void LazyClassStructure::Initializer::setConstructor(PropertyName propertyName, JSObject* constructor)
+void LazyClassStructure::Initializer::setConstructor(JSObject* constructor)
{
RELEASE_ASSERT(structure);
RELEASE_ASSERT(prototype);
@@ -69,24 +69,9 @@
this->constructor = constructor;
prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, constructor, static_cast<unsigned>(PropertyAttribute::DontEnum));
- if (!propertyName.isNull())
- global->putDirect(vm, propertyName, constructor, static_cast<unsigned>(PropertyAttribute::DontEnum));
classStructure.m_constructor.set(vm, global, constructor);
}
-void LazyClassStructure::Initializer::setConstructor(JSObject* constructor)
-{
- String name;
- if (InternalFunction* internalFunction = jsDynamicCast<InternalFunction*>(vm, constructor))
- name = internalFunction->name();
- else if (JSFunction* function = jsDynamicCast<JSFunction*>(vm, constructor))
- name = function->name(vm);
- else
- RELEASE_ASSERT_NOT_REACHED();
-
- setConstructor(Identifier::fromString(&vm, name), constructor);
-}
-
void LazyClassStructure::visit(SlotVisitor& visitor)
{
m_structure.visit(visitor);
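Review bot: with the `global->putDirect` at L169-L170 gone, `setConstructor` publishes the constructor only as `prototype.constructor` and in `m_constructor`, so any `LazyClassStructure` on the global object that previously relied on it to appear in the global namespace now depends on being reached through a `ClassStructure` static-table entry. Worth confirming that no global-object lazy structure is initialized only from C++ via `get()`/`constructor()` without a matching table entry, because such a case would silently disappear from the global object rather than fail to compile. The removed name-deducing overload (L173-L184) also takes the `RELEASE_ASSERT_NOT_REACHED` for an unexpected constructor type with it, which is fine since the name is no longer needed.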
Modified: branches/safari-608-branch/Source/_javascript_Core/runtime/LazyClassStructure.h (251353 => 251354)
--- branches/safari-608-branch/Source/_javascript_Core/runtime/LazyClassStructure.h 2019-10-20 23:40:21 UTC (rev 251353)
+++ branches/safari-608-branch/Source/_javascript_Core/runtime/LazyClassStructure.h 2019-10-21 00:44:26 UTC (rev 251354)
@@ -49,12 +49,6 @@
// Call this last. It's expected that the constructor is initialized to point to the
// prototype already. This will automatically set prototype.constructor=constructor.
- // This will also stuff the constructor into the global object at the given property.
- // Note that the variant that does not take a property name attempts to deduce it by
- // casting constructor to either JSFunction or InternalFunction. Also, you can pass
- // nullptr for the property name, in which case we don't assign the property to the
- // global object.
- void setConstructor(PropertyName, JSObject* constructor);
void setConstructor(JSObject* constructor);
VM& vm;
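Review bot: the surviving comment at L193-L194 still documents only the `prototype.constructor` side effect; now that the global-object installation is deliberately gone, a sentence stating that `setConstructor` does not expose the constructor on any object and that the owning object's static table is responsible for that would keep the next reader from re-adding the `putDirect` this patch removes.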
Modified: branches/safari-608-branch/Source/_javascript_Core/runtime/Lookup.h (251353 => 251354)
--- branches/safari-608-branch/Source/_javascript_Core/runtime/Lookup.h 2019-10-20 23:40:21 UTC (rev 251353)
+++ branches/safari-608-branch/Source/_javascript_Core/runtime/Lookup.h 2019-10-21 00:44:26 UTC (rev 251354)
@@ -361,9 +361,10 @@
}
if (value.attributes() & PropertyAttribute::ClassStructure) {
- LazyClassStructure* structure = bitwise_cast<LazyClassStructure*>(
+ LazyClassStructure* lazyStructure = bitwise_cast<LazyClassStructure*>(
bitwise_cast<char*>(&thisObj) + value.lazyClassStructureOffset());
- structure->get(jsCast<JSGlobalObject*>(&thisObj));
+ JSObject* constructor = lazyStructure->constructor(jsCast<JSGlobalObject*>(&thisObj));
+ thisObj.putDirect(vm, propertyName, constructor, attributesForStructure(value.attributes()));
return;
}
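Review bot: the attributes of the reified property change here: the old path ended in `setConstructor`'s `putDirect(..., DontEnum)`, while L214 now uses `attributesForStructure(value.attributes())`, so every `ClassStructure` entry in the static tables must declare `DontEnum` (and anything else intended) explicitly or the constructor becomes enumerable on its holder. The `jsCast<JSGlobalObject*>(&thisObj)` on L213 also still requires the object that embeds the `LazyClassStructure` (per the offset arithmetic on L211) to be the global object; a short comment that this path is only for the global object's own table would make clear where a `ClassStructure` entry on another object's table would fail.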