Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c2ccda5823d4f9aee4736a0d7fe326040704deb6
https://github.com/WebKit/WebKit/commit/c2ccda5823d4f9aee4736a0d7fe326040704deb6
Author: Sosuke Suzuki <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A JSTests/stress/dfg-array-concat-cross-realm-species.js
A JSTests/stress/dfg-array-slice-cross-realm-species.js
A JSTests/stress/dfg-array-splice-cross-realm-species.js
A JSTests/stress/dfg-map-entries-keys-values-cross-realm-iterator-object.js
A JSTests/stress/dfg-map-set-iterator-next-cross-realm-result-object.js
A JSTests/stress/dfg-object-get-own-property-names-cross-realm.js
A JSTests/stress/dfg-object-get-own-property-symbols-cross-realm.js
A JSTests/stress/dfg-object-keys-cross-realm.js
A JSTests/stress/dfg-regexp-string-iterator-next-cross-realm-result-object.js
A JSTests/stress/dfg-set-entries-values-cross-realm-iterator-object.js
A JSTests/stress/dfg-string-iterator-cross-realm-iterator-object.js
A JSTests/stress/dfg-string-iterator-next-cross-realm-result-object.js
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Log Message:
-----------
[JSC] Some DFG intrinsics should bail out when the callee comes from another realm
https://bugs.webkit.org/show_bug.cgi?id=318195
Reviewed by Yusuke Suzuki.
Some DFG intrinsic inline paths allocate objects (iterator result objects,
iterators, result arrays) with structures from the parsing realm's global
object. But the spec requires creating them in the callee function's realm,
and that is what the C++ implementations do. Since native functions from
different realms share NativeExecutables, installing another realm's method
on the caller realm's prototype reaches these inline paths, and none of the
watchpoints they rely on cover this. The result prototype then observably
differs between DFG / FTL and lower tiers:
const other = createGlobalObject();
Array.prototype.slice = other.Array.prototype.slice;
// After DFG tier-up, Object.getPrototypeOf([1, 2, 3].slice(0))
// changes from other.Array.prototype to Array.prototype.
Extract the existing ArrayEntries guard into calleeMayBeCrossRealm and
apply it to all intrinsics that allocate realm-owned objects: Map / Set /
String / RegExpString iterator creation and next, ArraySlice / ArraySplice /
ArrayConcat, and ObjectKeys / ObjectGetOwnPropertyNames /
ObjectGetOwnPropertySymbols.
Tests: JSTests/stress/dfg-array-concat-cross-realm-species.js
JSTests/stress/dfg-array-slice-cross-realm-species.js
JSTests/stress/dfg-array-splice-cross-realm-species.js
JSTests/stress/dfg-map-entries-keys-values-cross-realm-iterator-object.js
JSTests/stress/dfg-map-set-iterator-next-cross-realm-result-object.js
JSTests/stress/dfg-object-get-own-property-names-cross-realm.js
JSTests/stress/dfg-object-get-own-property-symbols-cross-realm.js
JSTests/stress/dfg-object-keys-cross-realm.js
JSTests/stress/dfg-regexp-string-iterator-next-cross-realm-result-object.js
JSTests/stress/dfg-set-entries-values-cross-realm-iterator-object.js
JSTests/stress/dfg-string-iterator-cross-realm-iterator-object.js
JSTests/stress/dfg-string-iterator-next-cross-realm-result-object.js
* JSTests/stress/dfg-array-concat-cross-realm-species.js: Added.
(shouldBe):
(test):
* JSTests/stress/dfg-array-slice-cross-realm-species.js: Added.
(shouldBe):
(test):
* JSTests/stress/dfg-array-splice-cross-realm-species.js: Added.
(shouldBe):
(test):
* JSTests/stress/dfg-map-entries-keys-values-cross-realm-iterator-object.js: Added.
(shouldBe):
(testEntries):
(testKeys):
(testValues):
* JSTests/stress/dfg-map-set-iterator-next-cross-realm-result-object.js: Added.
(shouldBe):
(testMap):
* JSTests/stress/dfg-object-get-own-property-names-cross-realm.js: Added.
(shouldBe):
(test):
* JSTests/stress/dfg-object-get-own-property-symbols-cross-realm.js: Added.
(shouldBe):
(test):
* JSTests/stress/dfg-object-keys-cross-realm.js: Added.
(shouldBe):
(test):
* JSTests/stress/dfg-regexp-string-iterator-next-cross-realm-result-object.js: Added.
(shouldBe):
(test):
* JSTests/stress/dfg-set-entries-values-cross-realm-iterator-object.js: Added.
(shouldBe):
* JSTests/stress/dfg-string-iterator-cross-realm-iterator-object.js: Added.
(shouldBe):
(test):
* JSTests/stress/dfg-string-iterator-next-cross-realm-result-object.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::calleeMayBeCrossRealm):
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
Canonical link: https://commits.webkit.org/316359@main