Title: [291694] trunk/Source/WebCore
Revision
291694
Author
commit-qu...@webkit.org
Date
2022-03-22 13:24:19 -0700 (Tue, 22 Mar 2022)

Log Message

REGRESSION(r288307): instanceof value wrong in MutationObserver callback for Safari extensions
https://bugs.webkit.org/show_bug.cgi?id=237912
<rdar://90333276>

Patch by Alexey Shvayka <ashva...@apple.com> on 2022-03-22
Reviewed by Saam Barati.

ScriptExecutionContext::globalObject() returns stray global object if called on an object
that was created inside a Safari extension. I am unsure whether this is a bug, and if so,
how to promptly fix it, so this patch changes the way callback functions / interfaces
resolve lexical global object, which is used to create DOM wrappers.

Now they rely only on their JSCallbackData, which was proven to return correct
global object for Safari extensions.

For [IsWeakCallback] interfaces, liveness of the callback object is guaranteed
by the canInvokeCallback() check above.

No new tests: Safari extensions are covered in internal repo.

* bindings/scripts/CodeGeneratorJS.pm:
(GenerateCallbackImplementationContent):
* bindings/scripts/test/JS/*: Updated.


Diff

Modified: trunk/Source/WebCore/ChangeLog (291693 => 291694)


--- trunk/Source/WebCore/ChangeLog	2022-03-22 20:17:25 UTC (rev 291693)
+++ trunk/Source/WebCore/ChangeLog	2022-03-22 20:24:19 UTC (rev 291694)
@@ -1,3 +1,28 @@
+2022-03-22  Alexey Shvayka  <ashva...@apple.com>
+
+        REGRESSION(r288307): instanceof value wrong in MutationObserver callback for Safari extensions
+        https://bugs.webkit.org/show_bug.cgi?id=237912
+        <rdar://90333276>
+
+        Reviewed by Saam Barati.
+
+        ScriptExecutionContext::globalObject() returns stray global object if called on an object
+        that was created inside a Safari extension. I am unsure whether this is a bug, and if so,
+        how to promptly fix it, so this patch changes the way callback functions / interfaces
+        resolve lexical global object, which is used to create DOM wrappers.
+
+        Now they rely only on their JSCallbackData, which was proven to return correct
+        global object for Safari extensions.
+
+        For [IsWeakCallback] interfaces, liveness of the callback object is guaranteed
+        by the canInvokeCallback() check above.
+
+        No new tests: Safari extensions are covered in internal repo.
+
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateCallbackImplementationContent):
+        * bindings/scripts/test/JS/*: Updated.
+
 2022-03-22  Commit Queue  <commit-qu...@webkit.org>
 
         Unreviewed, reverting r291546.

Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (291693 => 291694)


--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	2022-03-22 20:17:25 UTC (rev 291693)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	2022-03-22 20:24:19 UTC (rev 291694)
@@ -6603,7 +6603,7 @@
             push(@$contentRef, "        return CallbackResultType::UnableToExecute;\n\n");
 
             push(@$contentRef, "    Ref<$className> protectedThis(*this);\n\n");
-            push(@$contentRef, "    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());\n");
+            push(@$contentRef, "    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());\n");
             push(@$contentRef, "    auto& vm = globalObject.vm();\n\n");
             push(@$contentRef, "    JSLockHolder lock(vm);\n");
 
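Review bot: The generated line at the `+` in this hunk dereferences `m_data->callback()` unconditionally, and the only justification that this is non-null for [IsWeakCallback] interfaces lives in the commit message rather than in the emitted code; a maintainer reading the generated `.cpp` (or refactoring the generator back toward `scriptExecutionContext()->globalObject()`) has nothing in-line to stop them. I would have the generator also emit a why-comment and a debug assertion immediately before the `auto& globalObject` line, e.g. `push(@$contentRef, "    // Resolve the lexical global object from the callback itself, not from scriptExecutionContext()->globalObject(), so DOM wrappers are created in the callback's realm (webkit.org/b/237912).\n");` and `push(@$contentRef, "    ASSERT(m_data->callback());\n");`. If I read the `UnableToExecute` early-return at the top of the hunk correctly as the canInvokeCallback() guard the commit message refers to, the assertion is what ties the weak-callback liveness argument to the code that depends on it; please confirm that guard is what precedes this in the generator. GenerateCallbackImplementationContent begins and ends outside this hunk.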

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunction.cpp (291693 => 291694)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunction.cpp	2022-03-22 20:17:25 UTC (rev 291693)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunction.cpp	2022-03-22 20:24:19 UTC (rev 291694)
@@ -57,7 +57,7 @@
 
     Ref<JSTestCallbackFunction> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp (291693 => 291694)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp	2022-03-22 20:17:25 UTC (rev 291693)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp	2022-03-22 20:24:19 UTC (rev 291694)
@@ -60,7 +60,7 @@
 
     Ref<JSTestCallbackFunctionRethrow> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp (291693 => 291694)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp	2022-03-22 20:17:25 UTC (rev 291693)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp	2022-03-22 20:24:19 UTC (rev 291694)
@@ -61,7 +61,7 @@
 
     Ref<JSTestCallbackFunctionWithThisObject> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp (291693 => 291694)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp	2022-03-22 20:17:25 UTC (rev 291693)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp	2022-03-22 20:24:19 UTC (rev 291694)
@@ -61,7 +61,7 @@
 
     Ref<JSTestCallbackFunctionWithTypedefs> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackInterface.cpp (291693 => 291694)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackInterface.cpp	2022-03-22 20:17:25 UTC (rev 291693)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackInterface.cpp	2022-03-22 20:24:19 UTC (rev 291694)
@@ -183,7 +183,7 @@
 
     Ref<JSTestCallbackInterface> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);
@@ -209,7 +209,7 @@
 
     Ref<JSTestCallbackInterface> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);
@@ -236,7 +236,7 @@
 
     Ref<JSTestCallbackInterface> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);
@@ -264,7 +264,7 @@
 
     Ref<JSTestCallbackInterface> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);
@@ -291,7 +291,7 @@
 
     Ref<JSTestCallbackInterface> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);
@@ -318,7 +318,7 @@
 
     Ref<JSTestCallbackInterface> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);
@@ -346,7 +346,7 @@
 
     Ref<JSTestCallbackInterface> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);
@@ -375,7 +375,7 @@
 
     Ref<JSTestCallbackInterface> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);
@@ -406,7 +406,7 @@
 
     Ref<JSTestCallbackInterface> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp (291693 => 291694)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp	2022-03-22 20:17:25 UTC (rev 291693)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp	2022-03-22 20:24:19 UTC (rev 291694)
@@ -68,7 +68,7 @@
 
     Ref<JSTestVoidCallbackFunction> protectedThis(*this);
 
-    auto& globalObject = *jsCast<JSDOMGlobalObject*>(scriptExecutionContext()->globalObject());
+    auto& globalObject = *jsCast<JSDOMGlobalObject*>(m_data->callback()->globalObject());
     auto& vm = globalObject.vm();
 
     JSLockHolder lock(vm);