Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4737a82b02bd053262cbe1d0e2a503ec7ada627e
        https://github.com/WebKit/WebKit/commit/4737a82b02bd053262cbe1d0e2a503ec7ada627e
Author: Alexey Shvayka <ashva...@apple.com>
Date: 2024-01-30 (Tue, 30 Jan 2024)
Changed paths:
  A JSTests/stress/direct-eval-cross-realm.js
  M JSTests/test262/expectations.yaml
  M Source/JavaScriptCore/interpreter/Interpreter.cpp
  M Source/JavaScriptCore/jit/JITOperations.cpp
  M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
  M Source/JavaScriptCore/runtime/JSFunctionInlines.h

Log Message:
-----------
[JSC] eval() function from another realm shouldn't cause direct eval call
https://bugs.webkit.org/show_bug.cgi?id=268027
<rdar://problem/121546048>

Reviewed by Yusuke Suzuki.

Whether eval() is direct or not is determined by SameValue() in [1], which compares the function to `%eval%`; that denotes [2] specifically the eval() function of the current global object, not any built-in eval(). This change tightens the check for direct eval() and aligns JSC with V8 and SpiderMonkey.

Since Interpreter::eval() has a tricky way of resolving the global object, accounting for DFG-inlined code blocks, the callee check was moved there, ensuring all call sites handle an empty JSValue.

[1]: https://tc39.es/ecma262/#sec-function-calls-runtime-semantics-evaluation (step 6.a)
[2]: https://tc39.es/ecma262/#sec-well-known-intrinsic-objects

* JSTests/stress/direct-eval-cross-realm.js: Added.
* JSTests/test262/expectations.yaml: Mark 1 test as passing.
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::commonCallDirectEval):
* Source/JavaScriptCore/runtime/JSFunctionInlines.h:
(JSC::isHostFunction): Deleted.

Canonical link: https://commits.webkit.org/273782@main
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes