Changeset 212085 in webkit

Timestamp:

Feb 10, 2017 12:15:47 AM (7 years ago)

Author:

matthew_hanson@apple.com

Message:

Merge r212009. rdar://problem/29939864

Location:

branches/safari-603-branch

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/caller-native-code.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (2 diffs)

branches/safari-603-branch/JSTests/ChangeLog

@@ +1 @@
+2017-02-09  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r212009. rdar://problem/29939864
+
+    2017-02-09  Keith Miller  <keith_miller@apple.com>
+
+            We should not allow Function.caller to be used on native functions
+            https://bugs.webkit.org/show_bug.cgi?id=165628
+
+            Reviewed by Mark Lam.
+
+            * stress/caller-native-code.js: Added.
+            (f):
+
 2017-01-27  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-603-branch/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-02-09  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r212009. rdar://problem/29939864
+
+    2017-02-09  Keith Miller  <keith_miller@apple.com>
+
+            We should not allow Function.caller to be used on native functions
+            https://bugs.webkit.org/show_bug.cgi?id=165628
+
+            Reviewed by Mark Lam.
+
+            Also remove unneeded dynamic cast.
+
+            * runtime/JSFunction.cpp:
+            (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
+            (JSC::JSFunction::callerGetter):
+
 2017-02-09  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-603-branch/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003-2009, 2015-2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2009, 2015-2017 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -322 +322 @@
     // See ES5.1 15.3.5.4 - Function.caller may not be used to retrieve a strict caller.
     if (!caller.isObject() || !asObject(caller)->inherits(JSFunction::info())) {
-        // It isn't a JSFunction, but if it is a JSCallee from a program or call eval, return null.
+        // It isn't a JSFunction, but if it is a JSCallee from a program or eval call or an internal constructor, return null.
         if (jsDynamicCast<JSCallee*>(caller))
+        if (jsDynamicCast<JSCallee*>(caller) || jsDynamicCast<InternalFunction*>(caller))
             return JSValue::encode(jsNull());
         return JSValue::encode(caller);
     }
     JSFunction* function = jsCast<JSFunction*>(caller);
-    if (function->isHostOrBuiltinFunction() || !function->jsExecutable()->isStrictMode())
+
+    // Firefox returns null for native code callers, so we match that behavior.
+    if (function->isHostOrBuiltinFunction())
+        return JSValue::encode(jsNull());
+    if (!function->jsExecutable()->isStrictMode())
         return JSValue::encode(caller);
     return JSValue::encode(throwTypeError(exec, scope, ASCIILiteral("Function.caller used to retrieve strict caller")));