Title: [286478] trunk
- Revision: 286478
- Author: ysuz...@apple.com
- Date: 2021-12-02 20:24:41 -0800 (Thu, 02 Dec 2021)
Log Message
[JSC] shell's $.globalObjectFor is not safe for non object cells
https://bugs.webkit.org/show_bug.cgi?id=233794
Reviewed by Saam Barati.
JSTests:
* stress/dollar-global-object.js: Added.
Source/_javascript_Core:
Only Object cells can have Structures having JSGlobalObject.
* jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
Diff
Modified: trunk/JSTests/ChangeLog (286477 => 286478)
--- trunk/JSTests/ChangeLog 2021-12-03 04:17:30 UTC (rev 286477)
+++ trunk/JSTests/ChangeLog 2021-12-03 04:24:41 UTC (rev 286478)
@@ -1,3 +1,12 @@
+2021-12-02 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] shell's $.globalObjectFor is not safe for non object cells
+ https://bugs.webkit.org/show_bug.cgi?id=233794
+
+ Reviewed by Saam Barati.
+
+ * stress/dollar-global-object.js: Added.
+
2021-12-02 Saam Barati <sbar...@apple.com>
Fix OOM crash in JSValue::toWTFStringForConsole
Added: trunk/JSTests/stress/dollar-global-object.js (0 => 286478)
--- trunk/JSTests/stress/dollar-global-object.js (rev 0)
+++ trunk/JSTests/stress/dollar-global-object.js 2021-12-03 04:24:41 UTC (rev 286478)
@@ -0,0 +1 @@
+$.globalObjectFor("Hey") + "Hey";
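Review bot: the new test only checks that `$.globalObjectFor("Hey")` no longer crashes on a string cell; it does not assert what is returned. Since the jsc.cpp hunk makes a non-object argument fall through to `jsUndefined()`, consider making that explicit, e.g. `if ($.globalObjectFor("Hey") !== undefined) throw new Error("expected undefined");`, and adding a second case with a non-cell primitive such as a number so both sides of the `isObject()` guard are exercised.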
Modified: trunk/Source/_javascript_Core/ChangeLog (286477 => 286478)
--- trunk/Source/_javascript_Core/ChangeLog 2021-12-03 04:17:30 UTC (rev 286477)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-12-03 04:24:41 UTC (rev 286478)
@@ -1,3 +1,15 @@
+2021-12-02 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] shell's $.globalObjectFor is not safe for non object cells
+ https://bugs.webkit.org/show_bug.cgi?id=233794
+
+ Reviewed by Saam Barati.
+
+ Only Object cells can have Structures having JSGlobalObject.
+
+ * jsc.cpp:
+ (JSC_DEFINE_HOST_FUNCTION):
+
2021-12-02 Saam Barati <sbar...@apple.com>
Lower structureHeapAddressSize on more memory limited ARM64 devices
Modified: trunk/Source/_javascript_Core/jsc.cpp (286477 => 286478)
--- trunk/Source/_javascript_Core/jsc.cpp 2021-12-03 04:17:30 UTC (rev 286477)
+++ trunk/Source/_javascript_Core/jsc.cpp 2021-12-03 04:24:41 UTC (rev 286478)
@@ -2077,8 +2077,8 @@
if (callFrame->argumentCount() < 1)
return JSValue::encode(throwException(globalObject, scope, createError(globalObject, "Not enough arguments"_s)));
JSValue arg = callFrame->argument(0);
- if (arg.isCell())
- return JSValue::encode(arg.asCell()->structure(vm)->globalObject()->globalThis());
+ if (arg.isObject())
+ return JSValue::encode(asObject(arg)->globalObject(vm)->globalThis());
return JSValue::encode(jsUndefined());
}
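Review bot: the removed `arg.isCell()` branch called `structure(vm)->globalObject()->globalThis()` for any cell, so a non-object cell such as the string in the new test hit `globalObject()` on a Structure that, per the ChangeLog line "Only Object cells can have Structures having JSGlobalObject", has none; the `isObject()` guard with `asObject(arg)->globalObject(vm)` is the right narrowing. One documentation point: the visible behaviour for non-object cells changes from a crash to returning `undefined`, which the ChangeLog entry should state so that test scripts using the `$` helper do not assume a global object is always returned.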
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes