- Revision
- 250704
- Author
- alanc...@apple.com
- Date
- 2019-10-03 22:50:56 -0700 (Thu, 03 Oct 2019)
Log Message
Cherry-pick r249538. rdar://problem/55911485
LazyClassStructure::setConstructor should not store the constructor to the global object
https://bugs.webkit.org/show_bug.cgi?id=201484
<rdar://problem/50400451>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
Source/JavaScriptCore:
LazyClassStructure::setConstructor sets the constructor as a property of the global object.
This became a problem when it started being used for WebAssembly constructors, such as Module
and Instance, since they are properties of the WebAssembly object, not the global object. That
resulted in properties of the global object being replaced whenever a lazy WebAssembly constructor
was first accessed. e.g.
globalThis.Module = x;
WebAssembly.Module;
globalThis.Module === WebAssembly.Module;
* runtime/LazyClassStructure.cpp:
(JSC::LazyClassStructure::Initializer::setConstructor):
* runtime/LazyClassStructure.h:
* runtime/Lookup.h:
(JSC::reifyStaticProperty):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249538 268f45cc-cd09-0410-ab3c-d52691b4dbfc
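The clobbering described in the message above, as an added JavaScript example that is not part of the WebKit change: `findGlobalClobbers` predefines a sentinel global for each constructor name, touches the namespace property once (first access is what triggers the lazy initialisation) and reports every name whose global was overwritten. It goes beyond the single `Module` case in the text by checking all the WebAssembly constructor names, and it also runs the check against a constructed stand-in namespace that models the removed `setConstructor` behaviour (storing the constructor on the global object on first access) so the detector can be seen firing. The stand-in, `makeLazyNamespace`, and the `WASM_CTORS` list are assumptions made for this example, not JavaScriptCore code.

```javascript
'use strict';

// Constructor names the WebAssembly namespace exposes (list assumed for the example).
const WASM_CTORS = ['Module', 'Instance', 'Memory', 'Table',
                    'CompileError', 'LinkError', 'RuntimeError'];

// Predefine an unrelated global of the same name, touch namespace[name] once
// (first access is what triggers lazy initialisation), and report every name
// whose global property no longer holds the sentinel. The original global
// property, if any, is restored afterwards.
function findGlobalClobbers(global, namespace, names) {
  const clobbered = [];
  for (const name of names) {
    const saved = Object.getOwnPropertyDescriptor(global, name);
    const sentinel = { sentinelFor: name };
    global[name] = sentinel;
    try {
      void namespace[name];
      if (global[name] !== sentinel)
        clobbered.push(name);
    } finally {
      if (saved === undefined)
        delete global[name];
      else if (saved.configurable)
        Object.defineProperty(global, name, saved);
      else
        global[name] = saved.value;
    }
  }
  return clobbered;
}

// Constructed model (not JSC code) of a namespace with lazily materialised
// constructors. On first access the getter builds the constructor, replaces
// itself with a plain data property (like reifying a static-table entry) and,
// when `storeOnGlobal` is set, also writes the constructor to `global[name]`,
// which is what the removed LazyClassStructure::setConstructor did.
function makeLazyNamespace(global, names, storeOnGlobal) {
  const ns = {};
  for (const name of names) {
    Object.defineProperty(ns, name, {
      configurable: true,
      enumerable: false,
      get() {
        const ctor = class {};
        Object.defineProperty(ctor, 'name', { value: name });
        if (storeOnGlobal)
          global[name] = ctor;          // the bug being fixed
        Object.defineProperty(ns, name, {
          value: ctor, writable: true, configurable: true, enumerable: false,
        });
        return ctor;
      },
    });
  }
  return ns;
}

// Run the detector against a model of the old (buggy) or new (fixed) behaviour,
// using a plain object as the "global" so the real one is left untouched.
function checkModelledNamespace(storeOnGlobal) {
  const fakeGlobal = {};
  const ns = makeLazyNamespace(fakeGlobal, WASM_CTORS, storeOnGlobal);
  return findGlobalClobbers(fakeGlobal, ns, WASM_CTORS);
}

// Run the detector against the engine's real WebAssembly object; returns null
// when the engine has no WebAssembly support.
function checkRealWebAssembly() {
  if (typeof WebAssembly === 'undefined')
    return null;
  return findGlobalClobbers(globalThis, WebAssembly, WASM_CTORS);
}

console.log('old behaviour clobbers:', checkModelledNamespace(true));
console.log('fixed behaviour clobbers:', checkModelledNamespace(false));
console.log('this engine clobbers:', checkRealWebAssembly());
```

On an engine carrying the bug, `checkRealWebAssembly()` would list `Module` (and any other constructor initialised the same way); on a fixed engine, and on the model with `storeOnGlobal` false, it returns an empty list. Restoring the saved descriptor matters when the check is run in a page that already defines a global of the same name.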
Diff
Modified: branches/safari-608.3-branch/JSTests/ChangeLog (250703 => 250704)
--- branches/safari-608.3-branch/JSTests/ChangeLog 2019-10-04 05:36:47 UTC (rev 250703)
+++ branches/safari-608.3-branch/JSTests/ChangeLog 2019-10-04 05:50:56 UTC (rev 250704)
@@ -1,3 +1,47 @@
+2019-10-03 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r249538. rdar://problem/55911485
+
+ LazyClassStructure::setConstructor should not store the constructor to the global object
+ https://bugs.webkit.org/show_bug.cgi?id=201484
+ <rdar://problem/50400451>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
+
+ Source/_javascript_Core:
+
+ LazyClassStructure::setConstructor sets the constructor as a property of the global object.
+ This became a problem when it started being used for WebAssembly constructors, such as Module
+ and Instance, since they are properties of the WebAssembly object, not the global object. That
+ resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
+ was first accessed. e.g.
+
+ globalThis.Module = x;
+ WebAssembly.Module;
+ globalThis.Module === WebAssembly.Module;
+
+ * runtime/LazyClassStructure.cpp:
+ (JSC::LazyClassStructure::Initializer::setConstructor):
+ * runtime/LazyClassStructure.h:
+ * runtime/Lookup.h:
+ (JSC::reifyStaticProperty):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249538 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-09-05 Tadeu Zagallo <tzaga...@apple.com>
+
+ LazyClassStructure::setConstructor should not store the constructor to the global object
+ https://bugs.webkit.org/show_bug.cgi?id=201484
+ <rdar://problem/50400451>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
+
2019-09-30 Babak Shafiei <bshaf...@apple.com>
Cherry-pick r250058. rdar://problem/55826329
Added: branches/safari-608.3-branch/JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js (0 => 250704)
--- branches/safari-608.3-branch/JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js (rev 0)
+++ branches/safari-608.3-branch/JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js 2019-10-04 05:50:56 UTC (rev 250704)
@@ -0,0 +1,4 @@
+var originalModule = this.Module = {};
+WebAssembly.Module;
+if (Module !== originalModule)
+ throw new Error('Global property `Module` was overwritten!');
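Review bot: the regression test only exercises `Module`, while the description names `Instance` as another constructor affected by the same code path; iterate over every WebAssembly constructor reified this way (at least `Module` and `Instance`), predefining a distinct sentinel for each, so a regression in one of the other entries is caught too. Since `WebAssembly.Module;` on the second line is read purely for its side effect, a short comment saying so would make the intent of the bare expression clear to the next reader.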
Modified: branches/safari-608.3-branch/Source/_javascript_Core/ChangeLog (250703 => 250704)
--- branches/safari-608.3-branch/Source/_javascript_Core/ChangeLog 2019-10-04 05:36:47 UTC (rev 250703)
+++ branches/safari-608.3-branch/Source/_javascript_Core/ChangeLog 2019-10-04 05:50:56 UTC (rev 250704)
@@ -1,3 +1,61 @@
+2019-10-03 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r249538. rdar://problem/55911485
+
+ LazyClassStructure::setConstructor should not store the constructor to the global object
+ https://bugs.webkit.org/show_bug.cgi?id=201484
+ <rdar://problem/50400451>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
+
+ Source/_javascript_Core:
+
+ LazyClassStructure::setConstructor sets the constructor as a property of the global object.
+ This became a problem when it started being used for WebAssembly constructors, such as Module
+ and Instance, since they are properties of the WebAssembly object, not the global object. That
+ resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
+ was first accessed. e.g.
+
+ globalThis.Module = x;
+ WebAssembly.Module;
+ globalThis.Module === WebAssembly.Module;
+
+ * runtime/LazyClassStructure.cpp:
+ (JSC::LazyClassStructure::Initializer::setConstructor):
+ * runtime/LazyClassStructure.h:
+ * runtime/Lookup.h:
+ (JSC::reifyStaticProperty):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249538 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-09-05 Tadeu Zagallo <tzaga...@apple.com>
+
+ LazyClassStructure::setConstructor should not store the constructor to the global object
+ https://bugs.webkit.org/show_bug.cgi?id=201484
+ <rdar://problem/50400451>
+
+ Reviewed by Yusuke Suzuki.
+
+ LazyClassStructure::setConstructor sets the constructor as a property of the global object.
+ This became a problem when it started being used for WebAssembly constructors, such as Module
+ and Instance, since they are properties of the WebAssembly object, not the global object. That
+ resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
+ was first accessed. e.g.
+
+ globalThis.Module = x;
+ WebAssembly.Module;
+ globalThis.Module === WebAssembly.Module;
+
+ * runtime/LazyClassStructure.cpp:
+ (JSC::LazyClassStructure::Initializer::setConstructor):
+ * runtime/LazyClassStructure.h:
+ * runtime/Lookup.h:
+ (JSC::reifyStaticProperty):
+
2019-09-30 Babak Shafiei <bshaf...@apple.com>
Cherry-pick r250058. rdar://problem/55826329
Modified: branches/safari-608.3-branch/Source/_javascript_Core/runtime/LazyClassStructure.cpp (250703 => 250704)
--- branches/safari-608.3-branch/Source/_javascript_Core/runtime/LazyClassStructure.cpp 2019-10-04 05:36:47 UTC (rev 250703)
+++ branches/safari-608.3-branch/Source/_javascript_Core/runtime/LazyClassStructure.cpp 2019-10-04 05:50:56 UTC (rev 250704)
@@ -60,7 +60,7 @@
prototype = structure->storedPrototypeObject();
}
-void LazyClassStructure::Initializer::setConstructor(PropertyName propertyName, JSObject* constructor)
+void LazyClassStructure::Initializer::setConstructor(JSObject* constructor)
{
RELEASE_ASSERT(structure);
RELEASE_ASSERT(prototype);
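Review bot: dropping the `PropertyName` parameter changes the signature of `setConstructor`, but no call sites appear in this diff; confirm that every caller of the old two-argument `setConstructor(PropertyName, JSObject*)` has been converted (an unconverted one will fail to build), and in particular that any lazy constructor which relied on that parameter to be published on the global object is now declared through a static-table entry carrying the `ClassStructure` attribute, since after this change that is the only remaining path that installs the property on any object.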
@@ -69,24 +69,9 @@
this->constructor = constructor;
prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, constructor, static_cast<unsigned>(PropertyAttribute::DontEnum));
- if (!propertyName.isNull())
- global->putDirect(vm, propertyName, constructor, static_cast<unsigned>(PropertyAttribute::DontEnum));
classStructure.m_constructor.set(vm, global, constructor);
}
-void LazyClassStructure::Initializer::setConstructor(JSObject* constructor)
-{
- String name;
- if (InternalFunction* internalFunction = jsDynamicCast<InternalFunction*>(vm, constructor))
- name = internalFunction->name();
- else if (JSFunction* function = jsDynamicCast<JSFunction*>(vm, constructor))
- name = function->name(vm);
- else
- RELEASE_ASSERT_NOT_REACHED();
-
- setConstructor(Identifier::fromString(&vm, name), constructor);
-}
-
void LazyClassStructure::visit(SlotVisitor& visitor)
{
m_structure.visit(visitor);
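Review bot: the removed `global->putDirect(vm, propertyName, constructor, DontEnum)` hard-coded `DontEnum` for the published constructor; with it gone, the enumerability of each reified constructor is whatever its static-table entry specifies, so check that the entries for these constructors carry `DontEnum`, otherwise a constructor silently becomes enumerable on the global object or on `WebAssembly`, which is an observable change unrelated to the bug being fixed. The retained `classStructure.m_constructor.set(vm, global, constructor)` is fine as is: `global` is only the owner passed to the write barrier there, not the object the property is installed on.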
Modified: branches/safari-608.3-branch/Source/_javascript_Core/runtime/LazyClassStructure.h (250703 => 250704)
--- branches/safari-608.3-branch/Source/_javascript_Core/runtime/LazyClassStructure.h 2019-10-04 05:36:47 UTC (rev 250703)
+++ branches/safari-608.3-branch/Source/_javascript_Core/runtime/LazyClassStructure.h 2019-10-04 05:50:56 UTC (rev 250704)
@@ -49,12 +49,6 @@
// Call this last. It's expected that the constructor is initialized to point to the
// prototype already. This will automatically set prototype.constructor=constructor.
- // This will also stuff the constructor into the global object at the given property.
- // Note that the variant that does not take a property name attempts to deduce it by
- // casting constructor to either JSFunction or InternalFunction. Also, you can pass
- // nullptr for the property name, in which case we don't assign the property to the
- // global object.
- void setConstructor(PropertyName, JSObject* constructor);
void setConstructor(JSObject* constructor);
VM& vm;
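Review bot: the surviving comment (`Call this last. ... This will automatically set prototype.constructor=constructor.`) no longer says where, if anywhere, the constructor becomes reachable; add a sentence stating that `setConstructor` does not publish the constructor on any object and that the owning object's static property table (via `reifyStaticProperty`) is responsible for that, otherwise a future caller will assume the behaviour the deleted lines documented and expect the constructor to appear on the global object.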
Modified: branches/safari-608.3-branch/Source/_javascript_Core/runtime/Lookup.h (250703 => 250704)
--- branches/safari-608.3-branch/Source/_javascript_Core/runtime/Lookup.h 2019-10-04 05:36:47 UTC (rev 250703)
+++ branches/safari-608.3-branch/Source/_javascript_Core/runtime/Lookup.h 2019-10-04 05:50:56 UTC (rev 250704)
@@ -361,9 +361,10 @@
}
if (value.attributes() & PropertyAttribute::ClassStructure) {
- LazyClassStructure* structure = bitwise_cast<LazyClassStructure*>(
+ LazyClassStructure* lazyStructure = bitwise_cast<LazyClassStructure*>(
bitwise_cast<char*>(&thisObj) + value.lazyClassStructureOffset());
- structure->get(jsCast<JSGlobalObject*>(&thisObj));
+ JSObject* constructor = lazyStructure->constructor(jsCast<JSGlobalObject*>(&thisObj));
+ thisObj.putDirect(vm, propertyName, constructor, attributesForStructure(value.attributes()));
return;
}
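Review bot: `jsCast<JSGlobalObject*>(&thisObj)` is kept from the old code even though the point of this change is that `thisObj` is the object whose static table defines the property (the `WebAssembly` object for `Module` and `Instance`, per the description), and `lazyClassStructureOffset()` is applied to that same object's layout. Confirm that `thisObj` is in fact a `JSGlobalObject` on every path that reaches this branch; if a non-global object can get here, the cast is wrong and the global object should be obtained from `thisObj` another way. Otherwise the shape is right: asking the lazy structure for its `constructor(...)` and doing the `putDirect` on `thisObj` explicitly is clearer than relying on the side effect of `get()`, and `attributesForStructure(value.attributes())` correctly takes the attributes from the table entry rather than a hard-coded value.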