Title: [264736] trunk/Source
Revision: 264736
Author: mark....@apple.com
Date: 2020-07-22 17:08:50 -0700 (Wed, 22 Jul 2020)

Log Message

Disallow VM entry when doing a VMInquiry.
https://bugs.webkit.org/show_bug.cgi?id=214624
<rdar://problem/65915314>

Reviewed by Saam Barati.

Source/_javascript_Core:

1. In PropertySlot's constructor, automatically install a DisallowVMEntry scope
   if the passed in internal method type is VMInquiry.  This ensures that we won't
   be able to enter the VM to call JS code while doing the inquiry.  As a result,
   the PropertySlot constructor will now take an optional VM pointer, which
   must be passed in when the internal method type is VMInquiry.

   Note that the handling of attempts to enter the VM depends on
   Options::crashOnDisallowedVMEntry().

   On Debug builds (due to ASSERT_ENABLED), Options::crashOnDisallowedVMEntry()
   defaults to true and the VM will crash on disallowed entry.
   On Release builds, Options::crashOnDisallowedVMEntry() defaults to false and
   disallowed entry attempts into the VM will be treated like calling an empty
   function that returns undefined.  This is not new behavior in this patch, but
   I just want to have a reminder here of how DisallowVMEntry will be enforcing
   no entry into the VM while doing a VMInquiry.

2. After VMInquiry gets, sometimes the client code wants to do other work that
   entails entering the VM.  In such cases, we need to reset the PropertySlot's
   disallowVMEntry scope.  Fixed up a few places in client code to do this reset.

3. Make the DisableVMEntry scope copyable.  At least one place wants to copy 
   PropertySlot, and as a result, will need to copy its embedded DisableVMEntry
   scope as well if installed.

   For DisableVMEntry, we'll handle copying semantics as follows: copying a
   DisableVMEntry will ref the VM::disallowVMEntryCount.  The count will be
   decremented when both instances are destructed.  As a result, VM entry will
   be disallowed as long as one of the copies is still alive.

4. For the setObjectToStringValue() method of Structure and StructureRareData, we
   were previously passing a PropertySlot by copy.  We don't really need to do
   this.  Ultimately, only StructureRareData::setObjectToStringValue() needs to
   access a few of the PropertySlot query methods.  So, we changed these methods
   to pass a `const PropertySlot&` instead to avoid the needless copying.

* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::put):
(JSC::JSCallbackObject<Parent>::staticFunctionGetter):
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::json):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::queryInstances):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/DisallowVMEntry.h:
(JSC::DisallowVMEntryImpl::DisallowVMEntryImpl):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::sanitizedToString):
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
* runtime/JSGlobalObject.cpp:
(JSC::getGetterById):
(JSC::JSGlobalObject::defineOwnProperty):
(JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
* runtime/JSObject.cpp:
(JSC::JSObject::calculatedClassName):
* runtime/JSObjectInlines.h:
(JSC::JSObject::getPrivateFieldSlot):
* runtime/JSScope.cpp:
(JSC::abstractAccess):
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setObjectToStringValue):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::setObjectToStringValue):
* runtime/StructureRareData.h:
* tools/JSDollarVM.cpp:
(JSC::functionGetGetterSetter):

Source/WebCore:

1. Change binding to reset the DisallowVMEntry scope in PropertySlot after doing
   a VMInquiry.
2. Rebase bindings test results to match.

* bindings/js/JSDOMAbstractOperations.h:
(WebCore::isVisibleNamedProperty):
(WebCore::accessVisibleNamedProperty):
* bindings/scripts/CodeGeneratorJS.pm:
(GeneratePut):
(GeneratePutByIndex):
(GenerateDefineOwnProperty):
* bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp:
(WebCore::JSTestNamedAndIndexedSetterNoIdentifier::put):
(WebCore::JSTestNamedAndIndexedSetterNoIdentifier::putByIndex):
(WebCore::JSTestNamedAndIndexedSetterNoIdentifier::defineOwnProperty):
* bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp:
(WebCore::JSTestNamedAndIndexedSetterThrowingException::put):
(WebCore::JSTestNamedAndIndexedSetterThrowingException::putByIndex):
(WebCore::JSTestNamedAndIndexedSetterThrowingException::defineOwnProperty):
* bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp:
(WebCore::JSTestNamedAndIndexedSetterWithIdentifier::put):
(WebCore::JSTestNamedAndIndexedSetterWithIdentifier::putByIndex):
(WebCore::JSTestNamedAndIndexedSetterWithIdentifier::defineOwnProperty):
* bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp:
(WebCore::JSTestNamedSetterNoIdentifier::put):
(WebCore::JSTestNamedSetterNoIdentifier::putByIndex):
(WebCore::JSTestNamedSetterNoIdentifier::defineOwnProperty):
* bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp:
(WebCore::JSTestNamedSetterThrowingException::put):
(WebCore::JSTestNamedSetterThrowingException::putByIndex):
(WebCore::JSTestNamedSetterThrowingException::defineOwnProperty):
* bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp:
(WebCore::JSTestNamedSetterWithIdentifier::put):
(WebCore::JSTestNamedSetterWithIdentifier::putByIndex):
(WebCore::JSTestNamedSetterWithIdentifier::defineOwnProperty):
* bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp:
(WebCore::JSTestNamedSetterWithIndexedGetter::put):
(WebCore::JSTestNamedSetterWithIndexedGetter::putByIndex):
(WebCore::JSTestNamedSetterWithIndexedGetter::defineOwnProperty):
* bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp:
(WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::put):
(WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::putByIndex):
(WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::defineOwnProperty):
* bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp:
(WebCore::JSTestNamedSetterWithUnforgableProperties::put):
(WebCore::JSTestNamedSetterWithUnforgableProperties::putByIndex):
(WebCore::JSTestNamedSetterWithUnforgableProperties::defineOwnProperty):
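The following is an added example, not WebKit code: a stand-alone C++17 model of the mechanism points 1 to 3 of the log message describe (an RAII scope that bumps a per-VM counter, is copyable with shared ownership of that counter, and is held in an Optional inside the slot so the client can reset() it once the inquiry is over). The `VM` struct, its `tryEnter()` helper and the three scenario functions are assumptions invented for the demonstration; the real `PropertySlot` and `DisallowVMEntry` carry far more state, and the null check in the slot constructor is also an assumption (the patch dereferences the pointer unconditionally).

```cpp
// Added example modelling DisallowVMEntry / PropertySlot semantics. Not WebKit code.
#include <optional>

// Toy VM: only the counter the scope manipulates. (Assumption: real JSC::VM has much more.)
struct VM {
    unsigned disallowVMEntryCount { 0 };
    // Models the Release-build behaviour from the log message: entry is only
    // possible when no inquiry scope is alive. Returns true when JS could run.
    bool tryEnter() const { return disallowVMEntryCount == 0; }
};

class DisallowVMEntry {
public:
    explicit DisallowVMEntry(VM& vm) : m_vm(&vm) { m_vm->disallowVMEntryCount++; }
    // Copying refs the counter again, so entry stays disallowed until every copy is gone.
    DisallowVMEntry(const DisallowVMEntry& other) : m_vm(other.m_vm) { m_vm->disallowVMEntryCount++; }
    // Deleted here for simplicity; the patch leaves the implicit one in place.
    DisallowVMEntry& operator=(const DisallowVMEntry&) = delete;
    ~DisallowVMEntry() { m_vm->disallowVMEntryCount--; }
private:
    VM* m_vm;
};

enum class InternalMethodType { Get, VMInquiry };

// Reduced PropertySlot: only the method type and the optional scope matter here.
class PropertySlot {
public:
    PropertySlot(InternalMethodType type, VM* vmForInquiry = nullptr) : m_type(type) {
        // Assumption: guard against a null VM instead of dereferencing it blindly.
        if (m_type == InternalMethodType::VMInquiry && vmForInquiry)
            disallowVMEntry.emplace(*vmForInquiry);
    }
    std::optional<DisallowVMEntry> disallowVMEntry;
private:
    InternalMethodType m_type;
};

// Scenario 1: an inquiry slot forbids entry while alive; reset() re-allows it
// (the pattern the patch applies before Parent::put / getValue / get).
bool inquiryThenReset() {
    VM vm;
    PropertySlot slot(InternalMethodType::VMInquiry, &vm);
    bool blockedDuringInquiry = !vm.tryEnter();
    slot.disallowVMEntry.reset();
    bool allowedAfterReset = vm.tryEnter();
    return blockedDuringInquiry && allowedAfterReset && vm.disallowVMEntryCount == 0;
}

// Scenario 2: copying the slot shares the restriction; entry is allowed only
// once both the original and the copy have been destroyed.
bool copySemantics() {
    VM vm;
    bool allowedWhileOriginalAlive;
    {
        PropertySlot original(InternalMethodType::VMInquiry, &vm);
        {
            PropertySlot copy = original; // copies the Optional, hence the scope
            if (vm.disallowVMEntryCount != 2)
                return false;
        }
        allowedWhileOriginalAlive = vm.tryEnter(); // copy gone, original still alive
    }
    return !allowedWhileOriginalAlive && vm.tryEnter() && vm.disallowVMEntryCount == 0;
}

// Scenario 3: a non-inquiry slot installs no scope at all.
bool plainGetIsUnrestricted() {
    VM vm;
    PropertySlot slot(InternalMethodType::Get);
    return !slot.disallowVMEntry.has_value() && vm.tryEnter();
}
```

The counter rather than a single flag is what makes copying safe: two live scopes on the same VM must both expire before entry is allowed again, which is exactly the semantics point 3 spells out.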

Diff

Modified: trunk/Source/_javascript_Core/API/JSCallbackObjectFunctions.h (264735 => 264736)


--- trunk/Source/_javascript_Core/API/JSCallbackObjectFunctions.h	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/API/JSCallbackObjectFunctions.h	2020-07-23 00:08:50 UTC (rev 264736)
@@ -298,8 +298,10 @@
             
             if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(globalObject)) {
                 if (StaticFunctionEntry* entry = staticFunctions->get(name)) {
-                    PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
-                    if (Parent::getOwnPropertySlot(thisObject, globalObject, propertyName, getSlot))
+                    PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
+                    bool found = Parent::getOwnPropertySlot(thisObject, globalObject, propertyName, getSlot);
+                    getSlot.disallowVMEntry.reset();
+                    if (found)
                         return Parent::put(thisObject, globalObject, propertyName, value, slot);
                     if (entry->attributes & kJSPropertyAttributeReadOnly)
                         return false;
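Review bot: `vm` is used in the new `&vm` argument but is not declared anywhere in the visible context of this hunk; confirm it is the `VM& vm` already in scope in `JSCallbackObject<Parent>::put` rather than a name that still needs introducing. The reordering itself is sound: the reset sits before both the `Parent::put` return and the fall-through to the read-only check, so the inquiry scope never outlives the lookup.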
@@ -668,8 +670,10 @@
     JSCallbackObject* thisObj = asCallbackObject(thisValue);
     
     // Check for cached or override property.
-    PropertySlot slot2(thisObj, PropertySlot::InternalMethodType::VMInquiry);
-    if (Parent::getOwnPropertySlot(thisObj, globalObject, propertyName, slot2))
+    PropertySlot slot2(thisObj, PropertySlot::InternalMethodType::VMInquiry, &vm);
+    bool found = Parent::getOwnPropertySlot(thisObj, globalObject, propertyName, slot2);
+    slot2.disallowVMEntry.reset();
+    if (found)
         return JSValue::encode(slot2.getValue(globalObject, propertyName));
 
     if (StringImpl* name = propertyName.uid()) {
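Review bot: placing `slot2.disallowVMEntry.reset()` before `slot2.getValue(...)` is the essential part of this hunk, since getValue may invoke an accessor and therefore needs VM entry; a one-line comment above the reset saying so would keep a future cleanup from folding `found` back into the `if` and reintroducing a getter call under the inquiry scope.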

Modified: trunk/Source/_javascript_Core/ChangeLog (264735 => 264736)


--- trunk/Source/_javascript_Core/ChangeLog	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,3 +1,92 @@
+2020-07-22  Mark Lam  <mark....@apple.com>
+
+        Disallow VM entry when doing a VMInquiry.
+        https://bugs.webkit.org/show_bug.cgi?id=214624
+        <rdar://problem/65915314>
+
+        Reviewed by Saam Barati.
+
+        1. In PropertySlot's constructor, automatically install a DisallowVMEntry scope
+           if the passed in internal method type is VMInquiry.  This ensures that we won't
+           be able to enter the VM to call JS code while doing the inquiry.  As a result,
+           the PropertySlot constructor will now take an optional VM pointer, which is 
+           must be passed in in when the internal method type is VMInquiry.
+
+           Note that the handling of attempts to enter the VM depends on
+           Options::crashOnDisallowedVMEntry().
+
+           On Debug build (due to ASSERT_ENABLED), Options::crashOnDisallowedVMEntry()
+           defaults to true and the VM will crash on disallowed entry.
+           On Release build, Options::crashOnDisallowedVMEntry() defaults to false and
+           disallow entry attempts into the VM will be treated like calling an empty
+           function that returns undefined.  This is not new behavior in this patch, but
+           I just want to have a reminder here of how DisallowVMEntry will be enforcing
+           no entry into the VM while doing a VMInquiry.
+
+        2. After VMInquiry gets, sometimes the client code wants to do other work that
+           do entails entering the VM.  In such cases, we need to reset the PropertySlot's
+           disallowVMEntry scope.  Fixed up a few places in client code to do this reset.
+
+        3. Make the DisableVMEntry scope copyable.  At least one place wants to copy 
+           PropertySlot, and as a result, will need to copy its embedded DisableVMEntry
+           scope as well if installed.
+
+           For DisableVMEntry, we'll handle copying semantics as follows: copying a
+           DisableVMEntry will ref the VM::disallowVMEntryCount.  The count will be
+           decremented when both instances are destructed.  As a result, VM entry will
+           be disallowed as long as one of the copies are still alive.
+
+        4. For the setObjectToStringValue() method of Structure and StructureRareData, we
+           were previously passing a PropertySlot by copy.  We don't really need to do
+           this.  Ultimately, only StructureRareData::setObjectToStringValue() needs to
+           access a few of the PropertySlot query methods.  So, we changed these methods
+           to pass a `const PropertySlot&` instead to void the needless copying.
+
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::JSCallbackObject<Parent>::put):
+        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
+        * heap/HeapSnapshotBuilder.cpp:
+        (JSC::HeapSnapshotBuilder::json):
+        * inspector/JSInjectedScriptHost.cpp:
+        (Inspector::JSInjectedScriptHost::queryInstances):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+        * jit/JITOperations.cpp:
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/DisallowVMEntry.h:
+        (JSC::DisallowVMEntryImpl::DisallowVMEntryImpl):
+        * runtime/ErrorInstance.cpp:
+        (JSC::ErrorInstance::sanitizedToString):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::getOwnNonIndexPropertyNames):
+        (JSC::JSFunction::put):
+        (JSC::JSFunction::defineOwnProperty):
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayViewWithArguments):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::getGetterById):
+        (JSC::JSGlobalObject::defineOwnProperty):
+        (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::calculatedClassName):
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::getPrivateFieldSlot):
+        * runtime/JSScope.cpp:
+        (JSC::abstractAccess):
+        * runtime/PropertySlot.h:
+        (JSC::PropertySlot::PropertySlot):
+        * runtime/SamplingProfiler.cpp:
+        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
+        * runtime/Structure.h:
+        * runtime/StructureInlines.h:
+        (JSC::Structure::setObjectToStringValue):
+        * runtime/StructureRareData.cpp:
+        (JSC::StructureRareData::setObjectToStringValue):
+        * runtime/StructureRareData.h:
+        * tools/JSDollarVM.cpp:
+        (JSC::functionGetGetterSetter):
+
 2020-07-22  Geoffrey Garen  <gga...@apple.com>
 
         JSRunLoopTimer should use WTF::RunLoop rather than custom CF code
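Review bot: a few typos in the new ChangeLog entry worth fixing before landing: "which is must be passed in in when" should read "which must be passed in when"; "other work that do entails" should read "other work that entails"; "one of the copies are still alive" should read "is still alive"; and "to void the needless copying" should read "to avoid". The entry also calls the class "DisableVMEntry" in point 3 while the header and point 1 use "DisallowVMEntry".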

Modified: trunk/Source/_javascript_Core/heap/HeapSnapshotBuilder.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/heap/HeapSnapshotBuilder.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/heap/HeapSnapshotBuilder.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -409,7 +409,7 @@
             // "Object" in snapshots and not get the name of the prototype's parent.
             JSObject* object = asObject(node.cell);
             if (JSGlobalObject* globalObject = object->globalObject(vm)) {
-                PropertySlot slot(object, PropertySlot::InternalMethodType::VMInquiry);
+                PropertySlot slot(object, PropertySlot::InternalMethodType::VMInquiry, &vm);
                 if (!object->getOwnPropertySlot(object, globalObject, vm.propertyNames->constructor, slot))
                     className = JSObject::calculatedClassName(object);
             }

Modified: trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -646,7 +646,7 @@
 
     JSValue prototype = object;
 
-    PropertySlot prototypeSlot(object, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot prototypeSlot(object, PropertySlot::InternalMethodType::VMInquiry, &vm);
     if (object->getPropertySlot(globalObject, vm.propertyNames->prototype, prototypeSlot)) {
         RETURN_IF_EXCEPTION(scope, { });
         if (prototypeSlot.isValue()) {
@@ -657,6 +657,7 @@
             }
         }
     }
+    prototypeSlot.disallowVMEntry.reset();
 
     if (object->inherits<ProxyObject>(vm) || prototype.inherits<ProxyObject>(vm))
         return throwTypeError(globalObject, scope, "queryInstances cannot be called with a Proxy."_s);
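Review bot: the reset lands after the whole prototype-lookup block, so everything inside it runs with entry disallowed, which is right for an inquiry; the `isValue()` guard in the hunk above is what keeps the slot from reaching an accessor there. A short comment above the reset explaining that the code below is no longer part of the inquiry would make the placement self-documenting.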

Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/interpreter/Interpreter.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/interpreter/Interpreter.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1097,7 +1097,7 @@
         JSGlobalLexicalEnvironment* globalLexicalEnvironment = jsCast<JSGlobalObject*>(variableObject)->globalLexicalEnvironment();
         for (unsigned i = 0; i < numVariables; ++i) {
             const Identifier& ident = unlinkedCodeBlock->variable(i);
-            PropertySlot slot(globalLexicalEnvironment, PropertySlot::InternalMethodType::VMInquiry);
+            PropertySlot slot(globalLexicalEnvironment, PropertySlot::InternalMethodType::VMInquiry, &vm);
             if (JSGlobalLexicalEnvironment::getOwnPropertySlot(globalLexicalEnvironment, globalObject, ident, slot)) {
                 return checkedReturn(throwTypeError(globalObject, throwScope, makeString("Can't create duplicate global variable in eval: '", String(ident.impl()), "'")));
             }
@@ -1105,7 +1105,7 @@
 
         for (unsigned i = 0; i < numTopLevelFunctionDecls; ++i) {
             FunctionExecutable* function = codeBlock->functionDecl(i);
-            PropertySlot slot(globalLexicalEnvironment, PropertySlot::InternalMethodType::VMInquiry);
+            PropertySlot slot(globalLexicalEnvironment, PropertySlot::InternalMethodType::VMInquiry, &vm);
             if (JSGlobalLexicalEnvironment::getOwnPropertySlot(globalLexicalEnvironment, globalObject, function->name(), slot)) {
                 return checkedReturn(throwTypeError(globalObject, throwScope, makeString("Can't create duplicate global variable in eval: '", String(function->name().impl()), "'")));
             }
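Review bot: in this hunk and the one above, the slot is scoped to a single loop iteration, so no explicit reset is needed, but `throwTypeError` is called while the inquiry scope is still alive. Worth confirming that error creation never needs VM entry: per the log message a disallowed entry on Release builds silently behaves like an empty call, which here would mean the duplicate-global-variable error is lost rather than thrown.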

Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/jit/JITOperations.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -174,7 +174,7 @@
     stubInfo->tookSlowPath = true;
 
     JSValue baseValue = JSValue::decode(base);
-    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
     baseValue.getPropertySlot(globalObject, ident, slot);
 
     return JSValue::encode(slot.getPureResult());
@@ -190,7 +190,7 @@
     Identifier ident = Identifier::fromUid(vm, identifier.uid());
 
     JSValue baseValue = JSValue::decode(base);
-    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
     baseValue.getPropertySlot(globalObject, ident, slot);
 
     return JSValue::encode(slot.getPureResult());
@@ -206,7 +206,7 @@
     Identifier ident = Identifier::fromUid(vm, identifier.uid());
 
     JSValue baseValue = JSValue::decode(base);
-    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
 
     baseValue.getPropertySlot(globalObject, ident, slot);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
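Review bot: all three operations in this file finish with `slot.getPureResult()`, which hands back the cached result without invoking a getter, so keeping the scope alive until the return is correct and no reset is needed. `vm` is visibly in scope via `Identifier::fromUid(vm, ...)` in the context lines, so the new argument is fine.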

Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -634,7 +634,7 @@
     auto bytecode = pc->as<OpTryGetById>();
     const Identifier& ident = codeBlock->identifier(bytecode.m_property);
     JSValue baseValue = getOperand(callFrame, bytecode.m_base);
-    PropertySlot slot(baseValue, PropertySlot::PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(baseValue, PropertySlot::PropertySlot::InternalMethodType::VMInquiry, &vm);
 
     baseValue.getPropertySlot(globalObject, ident, slot);
     JSValue result = slot.getPureResult();
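Review bot: while touching this line, the doubled `PropertySlot::PropertySlot::InternalMethodType` (the injected class name repeated) could be reduced to `PropertySlot::InternalMethodType`, matching every other call site in this patch.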

Modified: trunk/Source/_javascript_Core/runtime/DisallowVMEntry.h (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/DisallowVMEntry.h	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/DisallowVMEntry.h	2020-07-23 00:08:50 UTC (rev 264736)
@@ -36,7 +36,6 @@
 
 template<typename VMType = VM>
 class DisallowVMEntryImpl {
-    WTF_MAKE_NONCOPYABLE(DisallowVMEntryImpl);
 public:
     DisallowVMEntryImpl(VMType& vm)
         : m_vm(&vm)
@@ -44,6 +43,12 @@
         m_vm->disallowVMEntryCount++;
     }
 
+    DisallowVMEntryImpl(const DisallowVMEntryImpl& other)
+        : m_vm(other.m_vm)
+    {
+        m_vm->disallowVMEntryCount++;
+    }
+
     ~DisallowVMEntryImpl()
     {
         RELEASE_ASSERT(m_vm->disallowVMEntryCount);
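Review bot: adding only a copy constructor leaves the implicitly generated copy assignment operator (re-enabled by dropping `WTF_MAKE_NONCOPYABLE` in the hunk above) in place, and that one just overwrites `m_vm` without touching either VM's `disallowVMEntryCount`. For two scopes on the same VM the counts still balance, but assigning across different VMs would leave one count too high and drive the other into the `RELEASE_ASSERT` in the destructor. Suggest either `DisallowVMEntryImpl& operator=(const DisallowVMEntryImpl&) = delete;` or an assignment that decrements the old VM's count and increments the new one. A move constructor is not generated once a copy constructor is user-declared, so moves fall back to the copy path, which is fine here.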

Modified: trunk/Source/_javascript_Core/runtime/ErrorInstance.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/ErrorInstance.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/ErrorInstance.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -139,7 +139,7 @@
 
     JSValue nameValue;
     auto namePropertName = vm.propertyNames->name;
-    PropertySlot nameSlot(this, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot nameSlot(this, PropertySlot::InternalMethodType::VMInquiry, &vm);
 
     JSValue currentObj = this;
     unsigned prototypeDepth = 0;
@@ -167,7 +167,7 @@
 
     JSValue messageValue;
     auto messagePropertName = vm.propertyNames->message;
-    PropertySlot messageSlot(this, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot messageSlot(this, PropertySlot::InternalMethodType::VMInquiry, &vm);
     if (JSObject::getOwnPropertySlot(this, globalObject, messagePropertName, messageSlot) && messageSlot.isValue())
         messageValue = messageSlot.getValue(globalObject, messagePropertName);
     scope.assertNoException();
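Review bot: `messageSlot.getValue` is only reached after `messageSlot.isValue()`, so the accessor case never runs under the inquiry scope; good. Unrelated nit visible in both hunks of this file: `namePropertName` and `messagePropertName` are missing a letter (`namePropertyName`, `messagePropertyName`).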

Modified: trunk/Source/_javascript_Core/runtime/JSFunction.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/JSFunction.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 1999-2002 Harri Porten (por...@kde.org)
  *  Copyright (C) 2001 Peter Kelly (p...@post.com)
- *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwar...@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
  *  Copyright (C) 2015 Canon Inc. All rights reserved.
@@ -508,7 +508,7 @@
     if (mode.includeDontEnumProperties()) {
         if (!thisObject->isHostOrBuiltinFunction()) {
             // Make sure prototype has been reified.
-            PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
+            PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
             thisObject->methodTable(vm)->getOwnPropertySlot(thisObject, globalObject, vm.propertyNames->prototype, slot);
             RETURN_IF_EXCEPTION(scope, void());
 
@@ -563,11 +563,12 @@
         slot.disableCaching();
         // Make sure prototype has been reified, such that it can only be overwritten
         // following the rules set out in ECMA-262 8.12.9.
-        PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
+        PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
         thisObject->methodTable(vm)->getOwnPropertySlot(thisObject, globalObject, propertyName, getSlot);
         RETURN_IF_EXCEPTION(scope, false);
         if (FunctionRareData* rareData = thisObject->rareData())
             rareData->clear("Store to prototype property of a function");
+        getSlot.disallowVMEntry.reset();
         RELEASE_AND_RETURN(scope, Base::put(thisObject, globalObject, propertyName, value, slot));
     }
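Review bot: the reset could move up to directly after `RETURN_IF_EXCEPTION`, since `rareData->clear(...)` does not depend on the inquiry; keeping inquiry scopes as short as possible makes it obvious which lines run with entry disallowed. The same applies to the matching `defineOwnProperty` hunk further down in this file.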
 
@@ -642,11 +643,12 @@
     if (propertyName == vm.propertyNames->prototype) {
         // Make sure prototype has been reified, such that it can only be overwritten
         // following the rules set out in ECMA-262 8.12.9.
-        PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
+        PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
         thisObject->methodTable(vm)->getOwnPropertySlot(thisObject, globalObject, propertyName, slot);
         RETURN_IF_EXCEPTION(scope, false);
         if (FunctionRareData* rareData = thisObject->rareData())
             rareData->clear("Store to prototype property of a function");
+        slot.disallowVMEntry.reset();
         RELEASE_AND_RETURN(scope, Base::defineOwnProperty(object, globalObject, propertyName, descriptor, throwException));
     }
 

Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -156,9 +156,10 @@
         else {
             // This getPropertySlot operation should not be observed by the Proxy.
             // So we use VMInquiry. And purge the opaque object cases (proxy and namespace object) by isTaintedByOpaqueObject() guard.
-            PropertySlot lengthSlot(object, PropertySlot::InternalMethodType::VMInquiry);
+            PropertySlot lengthSlot(object, PropertySlot::InternalMethodType::VMInquiry, &vm);
             object->getPropertySlot(globalObject, vm.propertyNames->length, lengthSlot);
             RETURN_IF_EXCEPTION(scope, nullptr);
+            lengthSlot.disallowVMEntry.reset();
 
             JSValue iteratorFunc = object->get(globalObject, vm.propertyNames->iteratorSymbol);
             RETURN_IF_EXCEPTION(scope, nullptr);
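Review bot: the reset is correctly placed before `object->get(globalObject, vm.propertyNames->iteratorSymbol)`, which can invoke an accessor. The existing comment at the top of the block explains why VMInquiry is used; extending it with one line on why the reset must precede the `get` would tie the two halves together.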

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -506,8 +506,9 @@
 
 static GetterSetter* getGetterById(JSGlobalObject* globalObject, JSObject* base, const Identifier& ident)
 {
+    VM& vm = globalObject->vm();
     JSValue baseValue = JSValue(base);
-    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
     baseValue.getPropertySlot(globalObject, ident, slot);
     return jsCast<GetterSetter*>(slot.getPureResult());
 }
@@ -1394,11 +1395,13 @@
 
 bool JSGlobalObject::defineOwnProperty(JSObject* object, JSGlobalObject* globalObject, PropertyName propertyName, const PropertyDescriptor& descriptor, bool shouldThrow)
 {
+    VM& vm = globalObject->vm();
     JSGlobalObject* thisObject = jsCast<JSGlobalObject*>(object);
-    PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
     // silently ignore attempts to add accessors aliasing vars.
     if (descriptor.isAccessorDescriptor() && symbolTableGet(thisObject, propertyName, slot))
         return false;
+    slot.disallowVMEntry.reset();
     return Base::defineOwnProperty(thisObject, globalObject, propertyName, descriptor, shouldThrow);
 }
 
@@ -2065,7 +2068,7 @@
         m_arraySpeciesWatchpointSet.invalidate(vm, StringFireDetail("Was not able to set up array species watchpoint."));
     };
 
-    PropertySlot constructorSlot(arrayPrototype, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot constructorSlot(arrayPrototype, PropertySlot::InternalMethodType::VMInquiry, &vm);
     arrayPrototype->getOwnPropertySlot(arrayPrototype, this, vm.propertyNames->constructor, constructorSlot);
     scope.assertNoException();
     if (constructorSlot.slotBase() != arrayPrototype
@@ -2079,7 +2082,7 @@
     if (constructorStructure->isDictionary())
         constructorStructure = constructorStructure->flattenDictionaryStructure(vm, arrayConstructor);
 
-    PropertySlot speciesSlot(arrayConstructor, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot speciesSlot(arrayConstructor, PropertySlot::InternalMethodType::VMInquiry, &vm);
     arrayConstructor->getOwnPropertySlot(arrayConstructor, this, vm.propertyNames->speciesSymbol, speciesSlot);
     scope.assertNoException();
     if (speciesSlot.slotBase() != arrayConstructor

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (por...@kde.org)
  *  Copyright (C) 2001 Peter Kelly (p...@post.com)
- *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel (e...@webkit.org)
  *
  *  This library is free software; you can redistribute it and/or
@@ -534,7 +534,7 @@
 
     // Check for a display name of obj.constructor.
     // This is useful to get `Foo` for the `(class Foo).prototype` object.
-    PropertySlot slot(object, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(object, PropertySlot::InternalMethodType::VMInquiry, &vm);
     if (object->getOwnPropertySlot(object, globalObject, vm.propertyNames->constructor, slot)) {
         EXCEPTION_ASSERT(!scope.exception());
         if (slot.isValue()) {
@@ -558,7 +558,7 @@
             JSValue protoValue = object->getPrototypeDirect(vm);
             if (protoValue.isObject()) {
                 JSObject* protoObject = asObject(protoValue);
-                PropertySlot slot(protoValue, PropertySlot::InternalMethodType::VMInquiry);
+                PropertySlot slot(protoValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
                 if (protoObject->getPropertySlot(globalObject, vm.propertyNames->constructor, slot)) {
                     EXCEPTION_ASSERT(!scope.exception());
                     if (slot.isValue()) {
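Review bot: the inner `PropertySlot slot(protoValue, ...)` in this hunk shadows the outer `slot` declared in the hunk above (pre-existing, but now both carry a DisallowVMEntry). With the refcounted semantics two live scopes are harmless, but renaming the inner one (e.g. `protoSlot`) would make it clearer which inquiry each `isValue()` check belongs to.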

Modified: trunk/Source/_javascript_Core/runtime/JSObjectInlines.h (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/JSObjectInlines.h	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/JSObjectInlines.h	2020-07-23 00:08:50 UTC (rev 264736)
@@ -584,6 +584,7 @@
         return false;
 
     JSValue value = object->getDirect(offset);
+#if ASSERT_ENABLED
     ASSERT(value);
     if (value.isCell()) {
         JSCell* cell = value.asCell();
@@ -594,6 +595,7 @@
         // as in JSObject::getOwnNonIndexPropertySlot()
         // https://bugs.webkit.org/show_bug.cgi?id=194435
     }
+#endif
 
     slot.setValue(object, attributes, value, offset);
     return true;
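Review bot: the ChangeLog lists `getPrivateFieldSlot` but does not say why this block is now wrapped in `#if ASSERT_ENABLED`. `ASSERT(value)` is already a no-op in release, so the guard presumably exists for the `if (value.isCell())` body, which was previously compiled into release builds as well; a one-sentence note in the ChangeLog (or a comment here) explaining what in that body is debug-only would help the next reader.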

Modified: trunk/Source/_javascript_Core/runtime/JSScope.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/JSScope.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/JSScope.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2012-2020 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -152,8 +152,9 @@
             }
         }
 
-        PropertySlot slot(globalObject, PropertySlot::InternalMethodType::VMInquiry);
+        PropertySlot slot(globalObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
         bool hasOwnProperty = globalObject->getOwnPropertySlot(globalObject, globalObject, ident, slot);
+        slot.disallowVMEntry.reset();
         if (!hasOwnProperty) {
             op = ResolveOp(makeType(UnresolvedProperty, needsVarInjectionChecks), 0, nullptr, nullptr, nullptr, 0);
             return true;
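Review bot: a short comment on `slot.disallowVMEntry.reset();` saying that it deliberately re-enables VM entry because the rest of the resolve path may call into JS would help; a bare `.reset()` on an `Optional` member reads like a cleanup rather than the lifting of a guard. Its placement, unconditionally right after `getOwnPropertySlot` and before the `!hasOwnProperty` branch, looks right.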

Modified: trunk/Source/_javascript_Core/runtime/PropertySlot.h (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/PropertySlot.h	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/PropertySlot.h	2020-07-23 00:08:50 UTC (rev 264736)
@@ -21,6 +21,7 @@
 #pragma once
 
 #include "DOMAnnotation.h"
+#include "DisallowVMEntry.h"
 #include "GetVM.h"
 #include "JSCJSValue.h"
 #include "PropertyName.h"
@@ -112,10 +113,12 @@
         ModuleNamespace, // ModuleNamespaceObject's environment access.
     };
 
-    explicit PropertySlot(const JSValue thisValue, InternalMethodType internalMethodType)
+    explicit PropertySlot(const JSValue thisValue, InternalMethodType internalMethodType, VM* vmForInquiry = nullptr)
         : m_thisValue(thisValue)
         , m_internalMethodType(internalMethodType)
     {
+        if (isVMInquiry())
+            disallowVMEntry.emplace(*vmForInquiry);
     }
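Review bot: `disallowVMEntry.emplace(*vmForInquiry)` dereferences a parameter that defaults to `nullptr`, so any caller that still passes `InternalMethodType::VMInquiry` with the old two-argument form will crash on a null dereference instead of failing with a diagnostic. Add `ASSERT(vmForInquiry)` (or `RELEASE_ASSERT`) ahead of the `emplace`, or drop the default and give VMInquiry its own constructor overload so a missing VM becomes a compile error rather than a runtime fault.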
 
     // FIXME: Remove this slotBase / receiver behavior difference in custom values and custom accessors.
@@ -399,6 +402,9 @@
     InternalMethodType m_internalMethodType;
     AdditionalDataType m_additionalDataType { AdditionalDataType::None };
     bool m_isTaintedByOpaqueObject { false };
+public:
+    Optional<DisallowVMEntry> disallowVMEntry;
+private:
     union {
         DOMAttributeAnnotation domAttribute;
         ModuleNamespaceSlot moduleNamespaceSlot;
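Review bot: `disallowVMEntry` is exposed as a public, mutable `Optional<DisallowVMEntry>` wedged between two `private:` sections; callers only ever need to lift the guard, so a named member function next to the constructor (something like a reset accessor; the name is a suggestion) would document the intent at call sites and let the member stay private. If it remains public, a comment stating that it must be reset before any code that enters the VM runs would make the contract visible in the header.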

Modified: trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -728,7 +728,7 @@
     auto scope = DECLARE_CATCH_SCOPE(vm);
     JSGlobalObject* globalObject = callee->globalObject(vm);
     auto getPropertyIfPureOperation = [&] (const Identifier& ident) -> String {
-        PropertySlot slot(callee, PropertySlot::InternalMethodType::VMInquiry);
+        PropertySlot slot(callee, PropertySlot::InternalMethodType::VMInquiry, &vm);
         PropertyName propertyName(ident);
         bool hasProperty = callee->getPropertySlot(globalObject, propertyName, slot);
         scope.assertNoException();
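Review bot: `slot` is local to the `getPropertyIfPureOperation` lambda, so the DisallowVMEntry guard stays active until the lambda returns, which matches what the lambda's name implies; the remainder of the lambda is outside this hunk, so please confirm that producing the returned `String` from `slot` does not go through a getter or any other path that enters the VM, otherwise this profiler code will now trip the disallow.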

Modified: trunk/Source/_javascript_Core/runtime/Structure.h (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/Structure.h	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/Structure.h	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -536,7 +536,7 @@
         return rareData()->objectToStringValue();
     }
 
-    void setObjectToStringValue(JSGlobalObject*, VM&, JSString* value, PropertySlot toStringTagSymbolSlot);
+    void setObjectToStringValue(JSGlobalObject*, VM&, JSString* value, const PropertySlot& toStringTagSymbolSlot);
 
     const ClassInfo* classInfo() const { return m_classInfo; }
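Review bot: switching `toStringTagSymbolSlot` from by-value to `const PropertySlot&` avoids copying a slot that may carry an engaged `Optional<DisallowVMEntry>`, which is the right call; the declaration here, the inline definition in StructureInlines.h, and the StructureRareData declaration and definition all have to stay in sync (all four are in this patch and match), and the callees must not retain the reference past the call.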
 

Modified: trunk/Source/_javascript_Core/runtime/StructureInlines.h (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/StructureInlines.h	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/StructureInlines.h	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -427,7 +427,7 @@
     return currentCapacity * outOfLineGrowthFactor;
 }
 
-inline void Structure::setObjectToStringValue(JSGlobalObject* globalObject, VM& vm, JSString* value, PropertySlot toStringTagSymbolSlot)
+inline void Structure::setObjectToStringValue(JSGlobalObject* globalObject, VM& vm, JSString* value, const PropertySlot& toStringTagSymbolSlot)
 {
     if (!hasRareData())
         allocateRareData(vm);

Modified: trunk/Source/_javascript_Core/runtime/StructureRareData.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/StructureRareData.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/StructureRareData.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -95,7 +95,7 @@
     StructureRareData* m_structureRareData;
 };
 
-void StructureRareData::setObjectToStringValue(JSGlobalObject* globalObject, VM& vm, Structure* ownStructure, JSString* value, PropertySlot toStringTagSymbolSlot)
+void StructureRareData::setObjectToStringValue(JSGlobalObject* globalObject, VM& vm, Structure* ownStructure, JSString* value, const PropertySlot& toStringTagSymbolSlot)
 {
     if (canCacheObjectToStringValue())
         return;

Modified: trunk/Source/_javascript_Core/runtime/StructureRareData.h (264735 => 264736)


--- trunk/Source/_javascript_Core/runtime/StructureRareData.h	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/runtime/StructureRareData.h	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -66,7 +66,7 @@
     void clearPreviousID();
 
     JSString* objectToStringValue() const;
-    void setObjectToStringValue(JSGlobalObject*, VM&, Structure* baseStructure, JSString* value, PropertySlot toStringTagSymbolSlot);
+    void setObjectToStringValue(JSGlobalObject*, VM&, Structure* baseStructure, JSString* value, const PropertySlot& toStringTagSymbolSlot);
     void giveUpOnObjectToStringValueCache() { m_objectToStringValue.setWithoutWriteBarrier(objectToStringCacheGiveUpMarker()); }
     bool canCacheObjectToStringValue() { return m_objectToStringValue.unvalidatedGet() == objectToStringCacheGiveUpMarker(); }
     static JSString* objectToStringCacheGiveUpMarker() { return bitwise_cast<JSString*>(static_cast<uintptr_t>(1)); }
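Review bot: outside the scope of this change but visible in the context lines: `canCacheObjectToStringValue()` returns true exactly when `m_objectToStringValue` holds the give-up marker, and `setObjectToStringValue` in the StructureRareData.cpp hunk returns early when it is true, so the name reads inverted relative to its effect; worth a rename or a clarifying comment in a follow-up.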

Modified: trunk/Source/_javascript_Core/tools/JSDollarVM.cpp (264735 => 264736)


--- trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -2895,7 +2895,7 @@
     auto propertyName = asString(property)->toIdentifier(globalObject);
     RETURN_IF_EXCEPTION(scope, { });
 
-    PropertySlot slot(value, PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(value, PropertySlot::InternalMethodType::VMInquiry, &vm);
     value.getPropertySlot(globalObject, propertyName, slot);
     RETURN_IF_EXCEPTION(scope, { });
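Review bot: the return value of `value.getPropertySlot(...)` is discarded and `slot`'s DisallowVMEntry guard stays active for the rest of the function, which lies beyond this hunk; if that code reads an accessor out of `slot` or otherwise calls into JS, add `slot.disallowVMEntry.reset()` right after the inquiry, as the other call sites in this patch do.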
 

Modified: trunk/Source/WebCore/ChangeLog (264735 => 264736)


--- trunk/Source/WebCore/ChangeLog	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/ChangeLog	2020-07-23 00:08:50 UTC (rev 264736)
@@ -1,3 +1,59 @@
+2020-07-21  Mark Lam  <mark....@apple.com>
+
+        Disallow VM entry when doing a VMInquiry.
+        https://bugs.webkit.org/show_bug.cgi?id=214624
+        <rdar://problem/65915314>
+
+        Reviewed by Saam Barati.
+
+        1. Change binding to reset the DisallowVMEntry scope in PropertySlot after doing
+           a VMInquiry.
+        2. Rebase bindings test results to match.
+
+        * bindings/js/JSDOMAbstractOperations.h:
+        (WebCore::isVisibleNamedProperty):
+        (WebCore::accessVisibleNamedProperty):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GeneratePut):
+        (GeneratePutByIndex):
+        (GenerateDefineOwnProperty):
+        * bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp:
+        (WebCore::JSTestNamedAndIndexedSetterNoIdentifier::put):
+        (WebCore::JSTestNamedAndIndexedSetterNoIdentifier::putByIndex):
+        (WebCore::JSTestNamedAndIndexedSetterNoIdentifier::defineOwnProperty):
+        * bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp:
+        (WebCore::JSTestNamedAndIndexedSetterThrowingException::put):
+        (WebCore::JSTestNamedAndIndexedSetterThrowingException::putByIndex):
+        (WebCore::JSTestNamedAndIndexedSetterThrowingException::defineOwnProperty):
+        * bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp:
+        (WebCore::JSTestNamedAndIndexedSetterWithIdentifier::put):
+        (WebCore::JSTestNamedAndIndexedSetterWithIdentifier::putByIndex):
+        (WebCore::JSTestNamedAndIndexedSetterWithIdentifier::defineOwnProperty):
+        * bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp:
+        (WebCore::JSTestNamedSetterNoIdentifier::put):
+        (WebCore::JSTestNamedSetterNoIdentifier::putByIndex):
+        (WebCore::JSTestNamedSetterNoIdentifier::defineOwnProperty):
+        * bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp:
+        (WebCore::JSTestNamedSetterThrowingException::put):
+        (WebCore::JSTestNamedSetterThrowingException::putByIndex):
+        (WebCore::JSTestNamedSetterThrowingException::defineOwnProperty):
+        * bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp:
+        (WebCore::JSTestNamedSetterWithIdentifier::put):
+        (WebCore::JSTestNamedSetterWithIdentifier::putByIndex):
+        (WebCore::JSTestNamedSetterWithIdentifier::defineOwnProperty):
+        * bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp:
+        (WebCore::JSTestNamedSetterWithIndexedGetter::put):
+        (WebCore::JSTestNamedSetterWithIndexedGetter::putByIndex):
+        (WebCore::JSTestNamedSetterWithIndexedGetter::defineOwnProperty):
+        * bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp:
+        (WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::put):
+        (WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::putByIndex):
+        (WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::defineOwnProperty):
+        * bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp:
+        (WebCore::JSTestNamedSetterWithUnforgableProperties::put):
+        (WebCore::JSTestNamedSetterWithUnforgableProperties::putByIndex):
+        (WebCore::JSTestNamedSetterWithUnforgableProperties::defineOwnProperty):
+
 2020-07-22  Eric Carlson  <eric.carl...@apple.com>
 
         [Cocoa] canPlayType with 'codecs' parameter should never return "maybe"
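Review bot: item 1 of the entry says the bindings were changed to reset the DisallowVMEntry scope after a VMInquiry and lists `WebCore::isVisibleNamedProperty` and `WebCore::accessVisibleNamedProperty` under it, but the JSDOMAbstractOperations.h hunks in this patch only add the VM argument and contain no `slot.disallowVMEntry.reset()`; either the reset is missing there or the entry should say those two functions only gained the VM argument.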

Modified: trunk/Source/WebCore/bindings/js/JSDOMAbstractOperations.h (264735 => 264736)


--- trunk/Source/WebCore/bindings/js/JSDOMAbstractOperations.h	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/js/JSDOMAbstractOperations.h	2020-07-23 00:08:50 UTC (rev 264736)
@@ -59,7 +59,7 @@
         return false;
     
     // 2. If O has an own property named P, then return false.
-    JSC::PropertySlot slot { &thisObject, JSC::PropertySlot::InternalMethodType::VMInquiry };
+    JSC::PropertySlot slot { &thisObject, JSC::PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject.vm() };
     if (JSC::JSObject::getOwnPropertySlot(&thisObject, &lexicalGlobalObject, propertyName, slot))
         return false;
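Review bot: the slot here lives for the rest of `isVisibleNamedProperty`, and the step-2 check is followed by further steps outside this hunk; if any of them calls the named-property getter or otherwise enters the VM, it now runs under the DisallowVMEntry guard. Add `slot.disallowVMEntry.reset();` after the `if` (the early `return false` path needs nothing), or scope the slot to the check, as the generated bindings in this patch do.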
     
@@ -99,7 +99,7 @@
         return WTF::nullopt;
 
     // 2. If O has an own property named P, then return false.
-    JSC::PropertySlot slot { &thisObject, JSC::PropertySlot::InternalMethodType::VMInquiry };
+    JSC::PropertySlot slot { &thisObject, JSC::PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject.vm() };
     if (JSC::JSObject::getOwnPropertySlot(&thisObject, &lexicalGlobalObject, propertyName, slot))
         return WTF::nullopt;
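Review bot: same point as for `isVisibleNamedProperty`: the guard installed by this `slot` stays active after the step-2 check, and `accessVisibleNamedProperty` by its name goes on to access the named property (outside this hunk), which is exactly the kind of work that may enter the VM; reset the guard after the `if` or narrow the slot to the check.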
 

Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	2020-07-23 00:08:50 UTC (rev 264736)
@@ -965,9 +965,11 @@
         
         my $overrideBuiltins = $codeGenerator->InheritsExtendedAttribute($interface, "OverrideBuiltins");
         if (!$overrideBuiltins) {
-            push(@$outputArray, "        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };\n");
+            push(@$outputArray, "        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };\n");
             push(@$outputArray, "        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));\n");
-            push(@$outputArray, "        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {\n");
+            push(@$outputArray, "        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);\n");
+            push(@$outputArray, "        slot.disallowVMEntry.reset();\n");
+            push(@$outputArray, "        if (!found) {\n");
             $additionalIndent .= "    ";
         }
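Review bot: the generated code obtains the same VM two ways on adjacent lines, `&lexicalGlobalObject->vm()` for the slot and `JSC::getVM(lexicalGlobalObject)` for `getPrototypeDirect`; emitting `JSC::getVM(lexicalGlobalObject)` in both places, or a single `vm` local as the `GeneratePutByIndex` hunk already has, would keep the output consistent. The `found` / `reset()` / `if (!found)` sequence itself is right: the guard is lifted before the body that follows, which may enter the VM.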
 
@@ -1041,9 +1043,11 @@
                 
         my $additionalIndent = "";
         if (!$overrideBuiltins) {
-            push(@$outputArray, "    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };\n");
+            push(@$outputArray, "    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };\n");
             push(@$outputArray, "    JSValue prototype = thisObject->getPrototypeDirect(vm);\n");
-            push(@$outputArray, "    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {\n");
+            push(@$outputArray, "    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);\n");
+            push(@$outputArray, "    slot.disallowVMEntry.reset();\n");
+            push(@$outputArray, "    if (!found) {\n");
             $additionalIndent .= "    ";
         }
         
@@ -1176,8 +1180,10 @@
             # FIXME: Is JSObject::getOwnPropertySlot the right function to call? Is there a function that will
             #        only look at the actual properties, and not call into our implementation of the
             #        [[GetOwnProperty]] hook?
-            push(@$outputArray, $additionalIndent. "        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };\n");
-            push(@$outputArray, $additionalIndent. "        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {\n");
+            push(@$outputArray, $additionalIndent. "        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };\n");
+            push(@$outputArray, $additionalIndent. "        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);\n");
+            push(@$outputArray, $additionalIndent. "        slot.disallowVMEntry.reset();\n");
+            push(@$outputArray, $additionalIndent. "        if (!found) {\n");
             $additionalIndent .= "    ";
         }
         if (!$namedSetterOperation) {
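Review bot: the FIXME above this block asks whether `JSObject::getOwnPropertySlot` is the right call because it may invoke the `[[GetOwnProperty]]` hook; now that the slot is a VMInquiry with the VM passed, that hook can no longer enter the VM to run JS during the check, which partly answers the question. Update the FIXME to say so (or drop it) so the next reader does not re-investigate.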

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -234,9 +234,11 @@
     }
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
         JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
-        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
             auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
             RETURN_IF_EXCEPTION(throwScope, true);
@@ -263,9 +265,11 @@
     }
 
     auto propertyName = Identifier::from(vm, index);
-    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
     JSValue prototype = thisObject->getPrototypeDirect(vm);
-    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+    slot.disallowVMEntry.reset();
+    if (!found) {
         auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
         auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
         RETURN_IF_EXCEPTION(throwScope, true);
@@ -292,8 +296,10 @@
     }
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
-        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
+        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             if (!propertyDescriptor.isDataDescriptor())
                 return false;
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -234,9 +234,11 @@
     }
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
         JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
-        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
             auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
             RETURN_IF_EXCEPTION(throwScope, true);
@@ -263,9 +265,11 @@
     }
 
     auto propertyName = Identifier::from(vm, index);
-    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
     JSValue prototype = thisObject->getPrototypeDirect(vm);
-    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+    slot.disallowVMEntry.reset();
+    if (!found) {
         auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
         auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
         RETURN_IF_EXCEPTION(throwScope, true);
@@ -292,8 +296,10 @@
     }
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
-        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
+        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             if (!propertyDescriptor.isDataDescriptor())
                 return false;
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -243,9 +243,11 @@
     }
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
         JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
-        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
             auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
             RETURN_IF_EXCEPTION(throwScope, true);
@@ -272,9 +274,11 @@
     }
 
     auto propertyName = Identifier::from(vm, index);
-    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
     JSValue prototype = thisObject->getPrototypeDirect(vm);
-    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+    slot.disallowVMEntry.reset();
+    if (!found) {
         auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
         auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
         RETURN_IF_EXCEPTION(throwScope, true);
@@ -301,8 +305,10 @@
     }
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
-        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
+        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             if (!propertyDescriptor.isDataDescriptor())
                 return false;
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -207,9 +207,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
         JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
-        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
             auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
             RETURN_IF_EXCEPTION(throwScope, true);
@@ -228,9 +230,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     auto propertyName = Identifier::from(vm, index);
-    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
     JSValue prototype = thisObject->getPrototypeDirect(vm);
-    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+    slot.disallowVMEntry.reset();
+    if (!found) {
         auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
         auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
         RETURN_IF_EXCEPTION(throwScope, true);
@@ -247,8 +251,10 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
-        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
+        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             if (!propertyDescriptor.isDataDescriptor())
                 return false;
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -207,9 +207,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
         JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
-        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
             auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
             RETURN_IF_EXCEPTION(throwScope, true);
@@ -228,9 +230,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     auto propertyName = Identifier::from(vm, index);
-    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
     JSValue prototype = thisObject->getPrototypeDirect(vm);
-    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+    slot.disallowVMEntry.reset();
+    if (!found) {
         auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
         auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
         RETURN_IF_EXCEPTION(throwScope, true);
@@ -247,8 +251,10 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
-        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
+        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             if (!propertyDescriptor.isDataDescriptor())
                 return false;
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -213,9 +213,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
         JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
-        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
             auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
             RETURN_IF_EXCEPTION(throwScope, true);
@@ -234,9 +236,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     auto propertyName = Identifier::from(vm, index);
-    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
     JSValue prototype = thisObject->getPrototypeDirect(vm);
-    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+    slot.disallowVMEntry.reset();
+    if (!found) {
         auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
         auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
         RETURN_IF_EXCEPTION(throwScope, true);
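Review bot: `&vm` is consistent with `Identifier::from(vm, index)` and `getPrototypeDirect(vm)` in this hunk, but the lookup itself goes through `lexicalGlobalObject`, so the DisallowVMEntry scope lands on the right VM only because `vm` was derived from that global object above the hunk; `&JSC::getVM(lexicalGlobalObject)` would tie the two together explicitly. The unconditional `slot.disallowVMEntry.reset()` after the short-circuit `&&` is correct: when `prototype.isObject()` is false the slot still owns the scope and it must be released before `convert<IDLDOMString>` runs.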
@@ -253,8 +257,10 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
-        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
+        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             if (!propertyDescriptor.isDataDescriptor())
                 return false;
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
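Review bot: resetting before `if (!found)` is required on both paths, not just in the not-found arm: when `found` is true control falls through to the base-class `defineOwnProperty`, which can run script, so the scope has to be gone by then. Note that `propertyDescriptor.isDataDescriptor()` cannot be hoisted above the lookup to avoid installing the scope at all, because it only governs the not-found arm. Since this is generated code, consider having CodeGeneratorJS.pm emit a one-line comment above `slot.disallowVMEntry.reset()` explaining why it is there; the rationale otherwise lives only in the ChangeLog.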

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -235,9 +235,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
         JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
-        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
             auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
             RETURN_IF_EXCEPTION(throwScope, true);
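Review bot: same mixed VM access as in the other generated setters: `&lexicalGlobalObject->vm()` on the added line versus `JSC::getVM(lexicalGlobalObject)` on the next; pick one form in the generator template. The reset before `if (!found)` is correctly placed, since the `convert<IDLDOMString>` conversion in that arm may re-enter script.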
@@ -256,9 +258,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     auto propertyName = Identifier::from(vm, index);
-    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
     JSValue prototype = thisObject->getPrototypeDirect(vm);
-    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+    slot.disallowVMEntry.reset();
+    if (!found) {
         auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
         auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
         RETURN_IF_EXCEPTION(throwScope, true);
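Review bot: after `slot.disallowVMEntry.reset()` the `slot` object stays alive but inert for the rest of the function; if the generator has no later use for it, a block scope around the slot and the `found` computation would make the lifetime of the DisallowVMEntry scope explicit instead of relying on the manual reset. No logic problem with the hunk as written.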
@@ -278,8 +282,10 @@
         return false;
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
-        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
+        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             if (!propertyDescriptor.isDataDescriptor())
                 return false;
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
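Review bot: the reset sits before the branch, which is what this path needs: the found case continues to the base `defineOwnProperty`, and the not-found case reaches the conversion under `DECLARE_THROW_SCOPE`, and both can enter the VM. The `JSObject::getOwnPropertySlot` call is a qualified base-class call, so only own properties are consulted under the VMInquiry scope; that matches the intent of the change.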

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -243,9 +243,11 @@
     }
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
         JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
-        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
             auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
             RETURN_IF_EXCEPTION(throwScope, true);
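Review bot: `&lexicalGlobalObject->vm()` versus `JSC::getVM(lexicalGlobalObject)` on adjacent lines again; a single accessor in the template would keep the generated output uniform. Placement of `slot.disallowVMEntry.reset()` ahead of the `if (!found)` arm is correct because that arm converts `value` to a DOMString, which can run script.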
@@ -272,9 +274,11 @@
     }
 
     auto propertyName = Identifier::from(vm, index);
-    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
     JSValue prototype = thisObject->getPrototypeDirect(vm);
-    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+    slot.disallowVMEntry.reset();
+    if (!found) {
         auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
         auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
         RETURN_IF_EXCEPTION(throwScope, true);
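Review bot: the three added lines follow the same `found` / `reset()` / `if (!found)` shape as the named-setter path above it; since the indexed and named variants differ only in `&vm` versus `&lexicalGlobalObject->vm()`, the generator could emit the same spelling for both. Behaviour is correct: the scope is released before any script-entering work.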
@@ -301,8 +305,10 @@
     }
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
-        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
+        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             if (!propertyDescriptor.isDataDescriptor())
                 return false;
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
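Review bot: correct as written; the reset must precede the branch because the found path falls through to the base `defineOwnProperty`. Worth a short comment in the generated code, since a reader of this file alone sees a VMInquiry lookup immediately followed by an unexplained `reset()`.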

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp (264735 => 264736)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp	2020-07-22 23:57:55 UTC (rev 264735)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp	2020-07-23 00:08:50 UTC (rev 264736)
@@ -231,9 +231,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     if (!propertyName.isSymbol()) {
-        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
         JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
-        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+        slot.disallowVMEntry.reset();
+        if (!found) {
             auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
             auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
             RETURN_IF_EXCEPTION(throwScope, true);
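Review bot: the added `PropertySlot` line uses `&lexicalGlobalObject->vm()` while the context line right after uses `JSC::getVM(lexicalGlobalObject)`; unify to `&JSC::getVM(lexicalGlobalObject)`. The reset before `if (!found)` is needed so that `convert<IDLDOMString>` can enter the VM.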
@@ -252,9 +254,11 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     auto propertyName = Identifier::from(vm, index);
-    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
+    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
     JSValue prototype = thisObject->getPrototypeDirect(vm);
-    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
+    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
+    slot.disallowVMEntry.reset();
+    if (!found) {
         auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
         auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
         RETURN_IF_EXCEPTION(throwScope, true);
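Review bot: no logic issue; `&vm` matches the surrounding `getPrototypeDirect(vm)`, and the unconditional reset handles the case where `prototype.isObject()` short-circuits the lookup. As elsewhere in this patch, a block scope around `slot` would make the DisallowVMEntry lifetime self-evident.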
@@ -277,8 +281,10 @@
 }
 
         if (!isUnforgeablePropertyName(propertyName)) {
-            PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
-            if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
+            PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
+            bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
+            slot.disallowVMEntry.reset();
+            if (!found) {
                 if (!propertyDescriptor.isDataDescriptor())
                     return false;
                 auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
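Review bot: the context shows `if (!isUnforgeablePropertyName(propertyName))` indented two levels directly beneath a column-zero `}`, so the generator's indentation for this branch looks off; worth checking the template in CodeGeneratorJS.pm while it is being touched. The unforgeable-name guard correctly wraps the VMInquiry lookup, so no DisallowVMEntry scope is installed for names that skip the named-setter path, and the reset before `if (!found)` covers both the fall-through and the not-found arms.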
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
