Title: [264679] trunk/Source/_javascript_Core
Revision: 264679
Author: mark....@apple.com
Date: 2020-07-21 14:10:29 -0700 (Tue, 21 Jul 2020)

Log Message

llint_slow_path_get_private_name() should not be using PropertySlot::InternalMethodType::VMInquiry.
https://bugs.webkit.org/show_bug.cgi?id=214603

Reviewed by Yusuke Suzuki.

VMInquiry means (1) the get operation should not call back into JS, (2) it should
not throw any exceptions (except for OutOfMemoryError or StackOverflowError which
can be thrown at any time), or have any side effects that are observable from JS
code.  In this case, llint_slow_path_get_private_name() is just implementing
PrivateFieldGet (https://tc39.es/proposal-class-fields/#sec-privatefieldget) and
should actually be using PropertySlot::InternalMethodType::GetOwnProperty
(according to https://tc39.es/proposal-class-fields/#sec-privatefieldfind).

This patch makes the above change, and also adds an assert in JSObject::getPrivateField
to ensure that no one calls it for a VMInquiry since it is not supported.

Also added a PropertySlot::isVMInquiry() convenience query method.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/JSObjectInlines.h:
(JSC::JSObject::getPrivateField):
* runtime/PropertySlot.h:
(JSC::PropertySlot::isVMInquiry const):
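Added example (not WebKit code) showing what PrivateFieldGet, the operation the commit says llint_slow_path_get_private_name() implements, lets JS observe: a receiver without the private field produces a TypeError, and a Proxy's get trap is never consulted. The observable exception is exactly what the VMInquiry contract forbids. The class `Box` and the helper functions are constructed for this illustration.

```javascript
// Added example (not WebKit code): what PrivateFieldGet is allowed to observe.
class Box {
  #secret = 42;
  // Static accessor so o.#secret can be applied to arbitrary receivers.
  static read(o) { return o.#secret; }
}

// Returns a string describing what PrivateFieldGet did for this receiver.
function privateGetBehaviour(receiver) {
  try {
    return `value:${Box.read(receiver)}`;
  } catch (e) {
    // Per PrivateFieldGet, a receiver without the field is a TypeError:
    // the failure is visible to JS code, unlike a VMInquiry lookup.
    return e instanceof TypeError ? 'TypeError' : `other:${e.name}`;
  }
}

// A proxy with a get trap: private-name lookup must not call back into it.
function proxyTrapCalls(target) {
  let calls = 0;
  const p = new Proxy(target, { get() { calls++; return 'trapped'; } });
  const outcome = privateGetBehaviour(p);
  return { outcome, calls };
}

function demo() {
  return {
    instance: privateGetBehaviour(new Box()),   // 'value:42'
    plain: privateGetBehaviour({ secret: 42 }), // 'TypeError'
    proxied: proxyTrapCalls(new Box()),         // { outcome: 'TypeError', calls: 0 }
  };
}

console.log(demo());
```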

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (264678 => 264679)


--- trunk/Source/_javascript_Core/ChangeLog	2020-07-21 21:09:54 UTC (rev 264678)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-07-21 21:10:29 UTC (rev 264679)
@@ -1,3 +1,30 @@
+2020-07-21  Mark Lam  <mark....@apple.com>
+
+        llint_slow_path_get_private_name() should not be using PropertySlot::InternalMethodType::VMInquiry.
+        https://bugs.webkit.org/show_bug.cgi?id=214603
+
+        Reviewed by Yusuke Suzuki.
+
+        VMInquiry means (1) the get operation should not call back into JS, (2) it should
+        not throw any exceptions (except for OutOfMemoryError or StackOverflowError which
+        can be thrown at any time), or have any side effects that is observable from JS
+        code.  In this case, llint_slow_path_get_private_name() is just implementating
+        PrivateFieldGet (https://tc39.es/proposal-class-fields/#sec-privatefieldget) and
+        should actually be using PropertySlot::InternalMethodType::GetOwnProperty
+        (according to https://tc39.es/proposal-class-fields/#sec-privatefieldfind).
+
+        This patch makes the above change, and also adds an assert in JSObject::getPrivateField
+        to ensure that no one calls it for a VMInquiry since it is not supported.
+
+        Also added a PropertySlot::isVMInquiry() convenience query method.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::getPrivateField):
+        * runtime/PropertySlot.h:
+        (JSC::PropertySlot::isVMInquiry const):
+
 2020-07-21  Keith Miller  <keith_mil...@apple.com>
 
         Fix FinalizationRegistry GC finalizer interation
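Review bot: two wording slips in the new ChangeLog text: "implementating" should read "implementing", and "side effects that is observable" should read "side effects that are observable". Also, the three VMInquiry conditions are joined with "or" although all of them must hold at once; "and" states the contract more accurately.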

Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (264678 => 264679)


--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2020-07-21 21:09:54 UTC (rev 264678)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2020-07-21 21:10:29 UTC (rev 264679)
@@ -1093,7 +1093,7 @@
     LLINT_CHECK_EXCEPTION();
     ASSERT(property.isPrivateName());
 
-    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::GetOwnProperty);
     asObject(baseValue)->getPrivateField(globalObject, property, slot);
     LLINT_CHECK_EXCEPTION();
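Review bot: the LLINT_CHECK_EXCEPTION() directly after the getPrivateField() call is now load-bearing rather than defensive: with GetOwnProperty in place of VMInquiry the slot no longer claims a side-effect-free lookup, and getPrivateField() throws the invalid-private-name error when the receiver lacks the field, so that exception check must stay adjacent to the call. A one-line comment naming PrivateFieldGet next to the PropertySlot construction would stop a future reader from "optimizing" this back to VMInquiry.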
 

Modified: trunk/Source/_javascript_Core/runtime/JSObjectInlines.h (264678 => 264679)


--- trunk/Source/_javascript_Core/runtime/JSObjectInlines.h	2020-07-21 21:09:54 UTC (rev 264678)
+++ trunk/Source/_javascript_Core/runtime/JSObjectInlines.h	2020-07-21 21:10:29 UTC (rev 264679)
@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (por...@kde.org)
  *  Copyright (C) 2001 Peter Kelly (p...@post.com)
- *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel (e...@webkit.org)
  *
  *  This library is free software; you can redistribute it and/or
@@ -603,6 +603,7 @@
 {
     VM& vm = getVM(globalObject);
     auto scope = DECLARE_THROW_SCOPE(vm);
+    ASSERT(!slot.isVMInquiry());
     if (!JSObject::getPrivateFieldSlot(this, globalObject, propertyName, slot)) {
         throwException(globalObject, scope, createInvalidPrivateNameError(globalObject));
         RELEASE_AND_RETURN(scope, false);
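Review bot: ASSERT(!slot.isVMInquiry()) compiles out in release builds, so a VMInquiry caller would silently fall through to the throwException() below and break VMInquiry's no-exceptions contract. That is acceptable for a caller-contract check, but the precondition should also be stated in a comment on getPrivateField (or at its declaration), since the assert alone only documents it for readers of debug builds. Placing the assert before the first throw is the right spot.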

Modified: trunk/Source/_javascript_Core/runtime/PropertySlot.h (264678 => 264679)


--- trunk/Source/_javascript_Core/runtime/PropertySlot.h	2020-07-21 21:09:54 UTC (rev 264678)
+++ trunk/Source/_javascript_Core/runtime/PropertySlot.h	2020-07-21 21:10:29 UTC (rev 264679)
@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2005-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2005-2020 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Library General Public
@@ -139,6 +139,7 @@
     bool isTaintedByOpaqueObject() const { return m_isTaintedByOpaqueObject; }
 
     InternalMethodType internalMethodType() const { return m_internalMethodType; }
+    bool isVMInquiry() const { return m_internalMethodType == InternalMethodType::VMInquiry; }
 
     void disableCaching()
     {
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
