Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 22b1c6974350230ff84219d2d05da6b88ebcf67a
https://github.com/WebKit/WebKit/commit/22b1c6974350230ff84219d2d05da6b88ebcf67a
Author: Keith Miller <[email protected]>
Date: 2024-08-19 (Mon, 19 Aug 2024)
Changed paths:
A JSTests/stress/runString-returns-globalThis-not-globalObject.js
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/tools/JSDollarVM.cpp
Log Message:
-----------
ASSERTION FAILED: isCell() WebKit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(598) : JSC::JSCell* JSC::JSValue::asCell() const
https://bugs.webkit.org/show_bug.cgi?id=276934
rdar://132305364
Reviewed by Yusuke Suzuki.
Some of our debugging functions currently return the globalObject directly. This is mostly ok because we expect not to fall over when the globalObject is directly exposed (rather than the globalThis proxy). That said, it seems that when extending the GlobalObject it's possible to crash because we put_by_id_direct on the result of `ToThis`, which, when it is the GlobalObject (not the proxy), becomes jsUndefined().
To avoid spurious fuzzer crashes in the future, this change has these functions return the globalThis. It seems none of the testing we did relies on the actual globalObject anyway, and the globalThis is fine.
* JSTests/stress/runString-returns-globalThis-not-globalObject.js: Added.
(try.F):
(try.C):
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
Canonical link: https://commits.webkit.org/282453@main
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes