Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6848dafe458b079a1f25f642f419e448b28837df
https://github.com/WebKit/WebKit/commit/6848dafe458b079a1f25f642f419e448b28837df
Author: Yusuke Suzuki <[email protected]>
Date: 2022-09-23 (Fri, 23 Sep 2022)
Changed paths:
A JSTests/stress/proxy-helper-should-have-target-in-parameter.js
M Source/JavaScriptCore/builtins/ProxyHelpers.js
M Source/JavaScriptCore/bytecode/ProxyObjectAccessCase.cpp
Log Message:
-----------
[JSC] Pass target object as a parameter to globalFuncHandleProxyGetTrapResult to suppress JSC shell issue
https://bugs.webkit.org/show_bug.cgi?id=245567
<rdar://100315084>
Reviewed by Darin Adler and Mark Lam.
Only in JSC shell, we are directly exposing JSGlobalObject to user space, and Proxy's helper function cannot handle well when this is specified as a target object of ProxyObject since we convert JSGlobalObject to undefined when it is passed to strict JS code (and this is how we handle strict mode's JSGlobalObject's |this|, and this is totally valid since we do not expose it in the user code. User code only sees JSGlobalObject wrapped with JSProxy).
This patch suppresses this JSC shell case to make Proxy code robust against that by passing the target as a parameter instead of |this|.
* JSTests/stress/proxy-helper-should-have-target-in-parameter.js: Added.
(main.const.v11):
(main.v3):
(main):
* Source/JavaScriptCore/builtins/ProxyHelpers.js:
(linkTimeConstant.performProxyObjectGet):
* Source/JavaScriptCore/bytecode/ProxyObjectAccessCase.cpp:
(JSC::ProxyObjectAccessCase::emit):
Canonical link: https://commits.webkit.org/254815@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
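
An added illustration, not WebKit code and not part of this commit: a JavaScript model of the failure mode the log message describes, where a helper that reads its target from |this| loses it once the calling convention rewrites |this| to undefined, while the same helper with the target as a parameter keeps working. `RAW_GLOBAL`, `callStrict` and both helper functions are hypothetical names; the invariant check follows the Proxy [[Get]] rules in ECMA-262, which is assumed to be what the trap-result helper enforces.

```javascript
// Constructed stand-in for the unwrapped JSGlobalObject (hypothetical name).
// "fixed" is non-writable and non-configurable, so a get trap must report 1.
const RAW_GLOBAL = Object.defineProperty({}, "fixed", { value: 1 });

// Model of the rule in the log message: strict code that is handed the raw
// global object as |this| sees undefined instead.
function callStrict(fn, thisValue, ...args) {
  return fn.apply(thisValue === RAW_GLOBAL ? undefined : thisValue, args);
}

// Proxy [[Get]] invariants (ECMA-262): the trap result must agree with
// non-configurable, non-writable data properties of the target, and must be
// undefined for non-configurable accessors that have no getter.
function checkGetInvariants(target, key, trapResult) {
  if (Object(target) !== target) throw new TypeError("target is not an object");
  const desc = Object.getOwnPropertyDescriptor(target, key);
  if (desc && !desc.configurable) {
    if ("value" in desc && !desc.writable && !Object.is(desc.value, trapResult))
      throw new TypeError("trap result differs from frozen data property");
    if (!("value" in desc) && desc.get === undefined && trapResult !== undefined)
      throw new TypeError("trap result must be undefined without a getter");
  }
  return trapResult;
}

// Shape before the change: the target travels as |this|.
function helperTargetInThis(key, trapResult) {
  "use strict"; // strict callee: |this| is not coerced back to an object
  return checkGetInvariants(this, key, trapResult);
}

// Shape after the change: the target travels as an ordinary parameter.
function helperTargetInParameter(target, key, trapResult) {
  return checkGetInvariants(target, key, trapResult);
}

// Returns "ok", or the error message when the helper fails.
function outcome(fn) {
  try { fn(); return "ok"; } catch (e) { return e.message; }
}

function demo() {
  return {
    thisShape: outcome(() => callStrict(helperTargetInThis, RAW_GLOBAL, "fixed", 1)),
    paramShape: outcome(() => callStrict(helperTargetInParameter, undefined, RAW_GLOBAL, "fixed", 1)),
    violation: outcome(() => callStrict(helperTargetInParameter, undefined, RAW_GLOBAL, "fixed", 2)),
  };
}
```

In the model the |this| variant fails before any invariant is checked, while the parameter variant accepts the consistent trap result and still rejects an inconsistent one.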