Title: [292883] trunk
Revision
292883
Author
[email protected]
Date
2022-04-14 12:30:30 -0700 (Thu, 14 Apr 2022)

Log Message

InternalFunction::createSubclassStructure() should use base object's global object
https://bugs.webkit.org/show_bug.cgi?id=239346

Reviewed by Darin Adler.

JSTests:

* stress/internal-function-subclass-structure-realm.js:

Source/_javascript_Core:

Chrome and Firefox don't agree on interoperable behavior in the case of a cross-realm
NewTarget's "prototype", so this patch aligns WebKit with Chrome to fix a web-compat issue.

* runtime/InternalFunction.cpp:
(JSC::InternalFunction::createSubclassStructure):

Modified Paths

Diff

Modified: trunk/JSTests/ChangeLog (292882 => 292883)


--- trunk/JSTests/ChangeLog	2022-04-14 19:13:11 UTC (rev 292882)
+++ trunk/JSTests/ChangeLog	2022-04-14 19:30:30 UTC (rev 292883)
@@ -1,3 +1,12 @@
+2022-04-14  Alexey Shvayka  <[email protected]>
+
+        InternalFunction::createSubclassStructure() should use base object's global object
+        https://bugs.webkit.org/show_bug.cgi?id=239346
+
+        Reviewed by Darin Adler.
+
+        * stress/internal-function-subclass-structure-realm.js:
+
 2022-04-12  Aditi Singh  <[email protected]>
 
         Implement Change Array by copy proposal

Modified: trunk/JSTests/stress/internal-function-subclass-structure-realm.js (292882 => 292883)


--- trunk/JSTests/stress/internal-function-subclass-structure-realm.js	2022-04-14 19:13:11 UTC (rev 292882)
+++ trunk/JSTests/stress/internal-function-subclass-structure-realm.js	2022-04-14 19:30:30 UTC (rev 292883)
@@ -9,11 +9,10 @@
             for (const newTarget of [
                 r2[key].bind(),
                 new r2.Function,
-                new r2.Proxy(new r2.Function, {}),
             ]) {
                 Object.defineProperty(newTarget, "prototype", { value: new r3.Object });
                 const instance = Reflect.construct(r1[key], [], newTarget);
-                if ($vm.globalObjectForObject(instance) !== r3)
+                if ($vm.globalObjectForObject(instance) !== r2)
                     throw new Error(`Structure of ${key} instance has incorrect global object!`);
             }
         }
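Review bot: The expectation flipped at the changed `if` line now asserts r2 (the realm of newTarget) even though the line above installs a "prototype" from r3, and nothing in the test says why that is the intended answer; a one-line comment such as `// The instance takes the realm of new.target, not of its "prototype" (matches Chrome; bug 239346).` above the check would stop the next reader from "fixing" it back to r3. The removed `new r2.Proxy(...)` entry also appears to have been the only newTarget in this loop that is not a plain JSFunction, so the non-function new.target path in InternalFunction::createSubclassStructure looks uncovered after this change; if it was dropped only because of the old r3 expectation, keeping it with the r2 expectation would preserve that coverage. The enclosing loops start before this hunk.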

Modified: trunk/Source/_javascript_Core/ChangeLog (292882 => 292883)


--- trunk/Source/_javascript_Core/ChangeLog	2022-04-14 19:13:11 UTC (rev 292882)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-04-14 19:30:30 UTC (rev 292883)
@@ -1,3 +1,16 @@
+2022-04-14  Alexey Shvayka  <[email protected]>
+
+        InternalFunction::createSubclassStructure() should use base object's global object
+        https://bugs.webkit.org/show_bug.cgi?id=239346
+
+        Reviewed by Darin Adler.
+
+        Chrome and Firefox don't agree on interoperable behavior in case of cross-realm
+        NewTarget's "prototype", so this patch aligns WebKit with Chrome to fix a web-compat issue.
+
+        * runtime/InternalFunction.cpp:
+        (JSC::InternalFunction::createSubclassStructure):
+
 2022-04-14  Chris Dumez  <[email protected]>
 
         Drop inefficient String::append() overloads

Modified: trunk/Source/_javascript_Core/runtime/InternalFunction.cpp (292882 => 292883)


--- trunk/Source/_javascript_Core/runtime/InternalFunction.cpp	2022-04-14 19:13:11 UTC (rev 292882)
+++ trunk/Source/_javascript_Core/runtime/InternalFunction.cpp	2022-04-14 19:30:30 UTC (rev 292883)
@@ -137,6 +137,7 @@
 {
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
+    JSGlobalObject* baseGlobalObject = baseClass->globalObject();
 
     ASSERT(baseClass->hasMonoProto());
 
@@ -146,7 +147,7 @@
     if (LIKELY(targetFunction)) {
         FunctionRareData* rareData = targetFunction->ensureRareData(vm);
         Structure* structure = rareData->internalFunctionAllocationStructure();
-        if (LIKELY(structure && structure->classInfo() == baseClass->classInfo() && structure->globalObject() == baseClass->globalObject()))
+        if (LIKELY(structure && structure->classInfo() == baseClass->classInfo() && structure->globalObject() == baseGlobalObject))
             return structure;
 
         // Note, Reflect.construct might cause the profile to churn but we don't care.
@@ -153,7 +154,7 @@
         JSValue prototypeValue = targetFunction->get(globalObject, vm.propertyNames->prototype);
         RETURN_IF_EXCEPTION(scope, nullptr);
         if (JSObject* prototype = jsDynamicCast<JSObject*>(vm, prototypeValue))
-            return rareData->createInternalFunctionAllocationStructureFromBase(vm, prototype->globalObject(vm), prototype, baseClass);
+            return rareData->createInternalFunctionAllocationStructureFromBase(vm, baseGlobalObject, prototype, baseClass);
     } else {
         JSValue prototypeValue = newTarget->get(globalObject, vm.propertyNames->prototype);
         RETURN_IF_EXCEPTION(scope, nullptr);
@@ -160,8 +161,7 @@
         if (JSObject* prototype = jsDynamicCast<JSObject*>(vm, prototypeValue)) {
             // This only happens if someone Reflect.constructs our builtin constructor with another builtin constructor as the new.target.
             // Thus, we don't care about the cost of looking up the structure from our hash table every time.
-            JSGlobalObject* globalObject = prototype->globalObject(vm);
-            return globalObject->structureCache().emptyStructureForPrototypeFromBaseStructure(globalObject, prototype, baseClass);
+            return baseGlobalObject->structureCache().emptyStructureForPrototypeFromBaseStructure(globalObject, prototype, baseClass);
         }
     }
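Review bot: In the last hunk the cache lookup moves to `baseGlobalObject->structureCache()` but the first argument to emptyStructureForPrototypeFromBaseStructure is still the `globalObject` parameter of createSubclassStructure, whereas the old code passed the same global object to both and the two earlier hunks consistently use baseGlobalObject. Unless every caller guarantees that `globalObject == baseClass->globalObject()`, this can produce a Structure owned by one realm's cache whose own globalObject() is a different realm, which is exactly the cross-realm confusion the patch is meant to remove. The consistent form is `return baseGlobalObject->structureCache().emptyStructureForPrototypeFromBaseStructure(baseGlobalObject, prototype, baseClass);`. The function's signature and its remaining body lie outside this hunk, so the relationship between `globalObject` and `baseClass` cannot be confirmed from here.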
     