Context Navigation

← Previous Changeset
Next Changeset →

Changeset 273661 in webkit

Timestamp:

Mar 1, 2021 11:21:41 AM (17 months ago)

Author:

ysuzuki@apple.com

Message:

[JSC] Throw TypeError when getFunctionRealm hits revoked Proxy
https://bugs.webkit.org/show_bug.cgi?id=222523

Reviewed by Alexey Shvayka.

JSTests:

test262/expectations.yaml:

Source/JavaScriptCore:

This patch throws TypeError when getFunctionRealm encounters revoked Proxy. However,
this makes derived structure creation code difficult to be written inlinely.
The fast path of derived structure creation must be inlined since this is critical
path of every builtin constructors.

So, this patch introduces JSC_GET_DERIVED_STRUCTURE macro which streamlines the derived
structure creation code while keeping the fast path inlined. And it inserts appropriate
error checks after this new getFunctionRealm call.

Then, we appropriately use getFunctionRealm in op_create_this implementation.

dfg/DFGOperations.cpp:

(JSC::DFG::JSC_DEFINE_JIT_OPERATION):

runtime/AggregateErrorConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/BooleanConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/CommonSlowPaths.cpp:

(JSC::JSC_DEFINE_COMMON_SLOW_PATH):

runtime/DateConstructor.cpp:

(JSC::constructDate):

runtime/ErrorConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/FinalizationRegistryConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/FunctionConstructor.cpp:

(JSC::constructFunctionSkippingEvalEnabledCheck):

runtime/InternalFunction.cpp:

(JSC::getFunctionRealm):

runtime/InternalFunction.h:
runtime/IntlCollatorConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/IntlDateTimeFormatConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/IntlDisplayNamesConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/IntlListFormatConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/IntlLocaleConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/IntlNumberFormatConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/IntlPluralRulesConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/IntlRelativeTimeFormatConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/IntlSegmenterConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/JSArrayBufferConstructor.cpp:

(JSC::JSGenericArrayBufferConstructor<sharingMode>::constructImpl):

runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructCustomArrayBufferIfNeeded):
(JSC::constructGenericTypedArrayViewImpl):

runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::errorStructureWithErrorType const):
(JSC::JSGlobalObject::arrayBufferStructureWithSharingMode const):
(JSC::JSGlobalObject::typedArrayStructureWithTypedArrayType const):

runtime/JSGlobalObjectInlines.h:

(JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):

runtime/MapConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/NativeErrorConstructor.cpp:

(JSC::NativeErrorConstructor<errorType>::constructImpl):

runtime/NumberConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/ObjectConstructor.cpp:

(JSC::constructObjectWithNewTarget):

runtime/ProxyConstructor.cpp:

(JSC::ProxyConstructor::create):
(JSC::ProxyConstructor::finishCreation):

runtime/ProxyConstructor.h:
runtime/RegExpConstructor.cpp:

(JSC::getRegExpStructure):

runtime/SetConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/StringConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/WeakMapConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/WeakObjectRefConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

runtime/WeakSetConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

wasm/js/WebAssemblyCompileErrorConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

wasm/js/WebAssemblyGlobalConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

wasm/js/WebAssemblyInstanceConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

wasm/js/WebAssemblyLinkErrorConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

wasm/js/WebAssemblyMemoryConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

wasm/js/WebAssemblyModuleConstructor.cpp:

(JSC::WebAssemblyModuleConstructor::createModule):

wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

wasm/js/WebAssemblyTableConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

Source/WebCore:

bindings/js/JSDOMWrapperCache.h:

(WebCore::setSubclassStructureIfNeeded):

bindings/js/JSHTMLElementCustom.cpp:

(WebCore::constructJSHTMLElement):

Location:

trunk

Files:

: 49 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/test262/expectations.yaml (modified) (1 diff)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (3 diffs)
Source/JavaScriptCore/runtime/AggregateErrorConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/BooleanConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (2 diffs)
Source/JavaScriptCore/runtime/DateConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/ErrorConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/FinalizationRegistryConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/FunctionConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/InternalFunction.cpp (modified) (2 diffs)
Source/JavaScriptCore/runtime/InternalFunction.h (modified) (1 diff)
Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/IntlDisplayNamesConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/IntlListFormatConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/IntlLocaleConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/IntlPluralRulesConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/IntlRelativeTimeFormatConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/IntlSegmenterConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp (modified) (2 diffs)
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h (modified) (2 diffs)
Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (3 diffs)
Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h (modified) (1 diff)
Source/JavaScriptCore/runtime/MapConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/NumberConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/ProxyConstructor.cpp (modified) (2 diffs)
Source/JavaScriptCore/runtime/ProxyConstructor.h (modified) (1 diff)
Source/JavaScriptCore/runtime/RegExpConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/SetConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/StringConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/WeakMapConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/WeakObjectRefConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/WeakSetConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/wasm/js/WebAssemblyCompileErrorConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/wasm/js/WebAssemblyGlobalConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/wasm/js/WebAssemblyLinkErrorConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/wasm/js/WebAssemblyRuntimeErrorConstructor.cpp (modified) (1 diff)
Source/JavaScriptCore/wasm/js/WebAssemblyTableConstructor.cpp (modified) (1 diff)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/bindings/js/JSDOMWrapperCache.h (modified) (1 diff)
Source/WebCore/bindings/js/JSHTMLElementCustom.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r273641
+                      r273661
+-03-01  Yusuke Suzuki  <ysuzuki@apple.com>
+        [JSC] Throw TypeError when getFunctionRealm hits revoked Proxy
+        https://bugs.webkit.org/show_bug.cgi?id=222523
+        Reviewed by Alexey Shvayka.
+        * test262/expectations.yaml:
 -02-28  Yusuke Suzuki  <ysuzuki@apple.com>

trunk/JSTests/test262/expectations.yaml

-                      r273634
+                      r273661
   default: 'Test262Error: Expected a TypeError but got a TypeError'
   strict mode: 'Test262Error: Expected a TypeError but got a TypeError'
-test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
 test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
   default: 'Test262Error: Expected a TypeError but got a TypeError'

trunk/Source/JavaScriptCore/ChangeLog

-                      r273649
+                      r273661
+-03-01  Yusuke Suzuki  <ysuzuki@apple.com>
+        [JSC] Throw TypeError when getFunctionRealm hits revoked Proxy
+        https://bugs.webkit.org/show_bug.cgi?id=222523
+        Reviewed by Alexey Shvayka.
+        This patch throws TypeError when getFunctionRealm encounters revoked Proxy. However,
+        this makes derived structure creation code difficult to be written inlinely.
+        The fast path of derived structure creation must be inlined since this is critical
+        path of every builtin constructors.
+        So, this patch introduces JSC_GET_DERIVED_STRUCTURE macro which streamlines the derived
+        structure creation code while keeping the fast path inlined. And it inserts appropriate
+        error checks after this new getFunctionRealm call.
+        Then, we appropriately use getFunctionRealm in op_create_this implementation.
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+        * runtime/AggregateErrorConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/BooleanConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
+        * runtime/DateConstructor.cpp:
+        (JSC::constructDate):
+        * runtime/ErrorConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/FinalizationRegistryConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/FunctionConstructor.cpp:
+        (JSC::constructFunctionSkippingEvalEnabledCheck):
+        * runtime/InternalFunction.cpp:
+        (JSC::getFunctionRealm):
+        * runtime/InternalFunction.h:
+        * runtime/IntlCollatorConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/IntlDateTimeFormatConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/IntlDisplayNamesConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/IntlListFormatConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/IntlLocaleConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/IntlNumberFormatConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/IntlPluralRulesConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/IntlRelativeTimeFormatConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/IntlSegmenterConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/JSArrayBufferConstructor.cpp:
+        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructImpl):
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructCustomArrayBufferIfNeeded):
+        (JSC::constructGenericTypedArrayViewImpl):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::errorStructureWithErrorType const):
+        (JSC::JSGlobalObject::arrayBufferStructureWithSharingMode const):
+        (JSC::JSGlobalObject::typedArrayStructureWithTypedArrayType const):
+        * runtime/JSGlobalObjectInlines.h:
+        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
+        * runtime/MapConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/NativeErrorConstructor.cpp:
+        (JSC::NativeErrorConstructor<errorType>::constructImpl):
+        * runtime/NumberConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::constructObjectWithNewTarget):
+        * runtime/ProxyConstructor.cpp:
+        (JSC::ProxyConstructor::create):
+        (JSC::ProxyConstructor::finishCreation):
+        * runtime/ProxyConstructor.h:
+        * runtime/RegExpConstructor.cpp:
+        (JSC::getRegExpStructure):
+        * runtime/SetConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/StringConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/WeakMapConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/WeakObjectRefConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/WeakSetConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * wasm/js/WebAssemblyGlobalConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * wasm/js/WebAssemblyInstanceConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * wasm/js/WebAssemblyMemoryConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * wasm/js/WebAssemblyModuleConstructor.cpp:
+        (JSC::WebAssemblyModuleConstructor::createModule):
+        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * wasm/js/WebAssemblyTableConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
 -03-01  Alexey Shvayka  <shvaikalesh@gmail.com>

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

-                      r272938
+                      r273661
     if (proto.isObject())
         return constructEmptyObject(globalObject, asObject(proto));
+    return constructEmptyObject(globalObject);
+    JSGlobalObject* functionGlobalObject = getFunctionRealm(globalObject, constructor);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    return constructEmptyObject(functionGlobalObject);
+}
 …
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
     auto scope = DECLARE_THROW_SCOPE(vm);
+    Structure* structure = constructor == globalObject->promiseConstructor()
+        ? globalObject->promiseStructure()
+        : InternalFunction::createSubclassStructure(globalObject, constructor, getFunctionRealm(vm, constructor)->promiseStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, promiseStructure, constructor, globalObject->promiseConstructor());
     RETURN_IF_EXCEPTION(scope, nullptr);
     RELEASE_AND_RETURN(scope, JSPromise::create(vm, structure));
 …
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
     auto scope = DECLARE_THROW_SCOPE(vm);
+    Structure* structure = constructor == globalObject->internalPromiseConstructor()
+        ? globalObject->internalPromiseStructure()
+        : InternalFunction::createSubclassStructure(globalObject, constructor, getFunctionRealm(vm, constructor)->internalPromiseStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, internalPromiseStructure, constructor, globalObject->internalPromiseConstructor());
     RETURN_IF_EXCEPTION(scope, nullptr);
     RELEASE_AND_RETURN(scope, JSInternalPromise::create(vm, structure));

trunk/Source/JavaScriptCore/runtime/AggregateErrorConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* errorStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->errorStructure(ErrorType::AggregateError)
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->errorStructure(ErrorType::AggregateError));
+    Structure* errorStructure = JSC_GET_DERIVED_STRUCTURE(vm, errorStructureWithErrorType<ErrorType::AggregateError>, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });
     ASSERT(errorStructure);

trunk/Source/JavaScriptCore/runtime/BooleanConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* booleanStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->booleanObjectStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->booleanObjectStructure());
+    Structure* booleanStructure = JSC_GET_DERIVED_STRUCTURE(vm, booleanObjectStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

-                      r273217
+                      r273661
+        }
     } else {
         // http://ecma-international.org/ecma-262/6.0/#sec-ordinarycreatefromconstructor
+        // https://tc39.es/ecma262/#sec-getprototypefromconstructor
         JSValue proto = constructorAsObject->get(globalObject, vm.propertyNames->prototype);
         CHECK_EXCEPTION();
         if (proto.isObject())
             result = constructEmptyObject(globalObject, asObject(proto));
+        else
+            result = constructEmptyObject(globalObject);
+        else {
+            JSGlobalObject* functionGlobalObject = getFunctionRealm(globalObject, constructorAsObject);
+            CHECK_EXCEPTION();
+            result = constructEmptyObject(functionGlobalObject);
+        }
+    }
     RETURN(result);
 …
     JSPromise* result = nullptr;
     if (bytecode.m_isInternalPromise) {
+        Structure* structure = constructorAsObject == globalObject->internalPromiseConstructor()
+            ? globalObject->internalPromiseStructure()
+            : InternalFunction::createSubclassStructure(globalObject, constructorAsObject, getFunctionRealm(vm, constructorAsObject)->internalPromiseStructure());
+        Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, internalPromiseStructure, constructorAsObject, globalObject->internalPromiseConstructor());
         CHECK_EXCEPTION();
         result = JSInternalPromise::create(vm, structure);
     } else {
+        Structure* structure = constructorAsObject == globalObject->promiseConstructor()
+            ? globalObject->promiseStructure()
+            : InternalFunction::createSubclassStructure(globalObject, constructorAsObject, getFunctionRealm(vm, constructorAsObject)->promiseStructure());
+        Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, promiseStructure, constructorAsObject, globalObject->promiseConstructor());
         CHECK_EXCEPTION();
         result = JSPromise::create(vm, structure);

trunk/Source/JavaScriptCore/runtime/DateConstructor.cpp

-                      r270861
+                      r273661
     RETURN_IF_EXCEPTION(scope, nullptr);
+    Structure* dateStructure = !newTarget || newTarget == globalObject->dateConstructor()
+        ? globalObject->dateStructure()
+        : InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), getFunctionRealm(vm, asObject(newTarget))->dateStructure());
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    Structure* dateStructure = nullptr;
+    if (!newTarget)
+        dateStructure = globalObject->dateStructure();
+    else {
+        dateStructure = JSC_GET_DERIVED_STRUCTURE(vm, dateStructure, asObject(newTarget), globalObject->dateConstructor());
+        RETURN_IF_EXCEPTION(scope, nullptr);
+    }
     return DateInstance::create(vm, dateStructure, value);

trunk/Source/JavaScriptCore/runtime/ErrorConstructor.cpp

-                      r273203
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* errorStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->errorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->errorStructure());
+    Structure* errorStructure = JSC_GET_DERIVED_STRUCTURE(vm, errorStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/FinalizationRegistryConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* finalizationRegistryStructure = callFrame->jsCallee() == newTarget
+        ? globalObject->finalizationRegistryStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->finalizationRegistryStructure());
+    Structure* finalizationRegistryStructure = JSC_GET_DERIVED_STRUCTURE(vm, finalizationRegistryStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
     RELEASE_AND_RETURN(scope, JSValue::encode(JSFinalizationRegistry::create(vm, finalizationRegistryStructure, callFrame->uncheckedArgument(0).getObject())));

trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp

-                      r267594
+                      r273661
+    }
+    JSGlobalObject* structureGlobalObject = globalObject;
     bool needsSubclassStructure = newTarget && newTarget != globalObject->functionConstructor();
+    JSGlobalObject* structureGlobalObject = needsSubclassStructure ? getFunctionRealm(vm, asObject(newTarget)) : globalObject;
+    if (needsSubclassStructure) {
+        structureGlobalObject = getFunctionRealm(globalObject, asObject(newTarget));
+        RETURN_IF_EXCEPTION(scope, nullptr);
+    }
     Structure* structure = nullptr;
     switch (functionConstructionMode) {

trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

-                      r273138
+                      r273661
 // https://tc39.es/ecma262/#sec-getfunctionrealm
+JSGlobalObject* getFunctionRealm(VM& vm, JSObject* object)
+{
+JSGlobalObject* getFunctionRealm(JSGlobalObject* globalObject, JSObject* object)
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     ASSERT(object->isCallable(vm));
 …
         if (object->type() == ProxyObjectType) {
             auto* proxy = jsCast<ProxyObject*>(object);
+            // Per step 4.a, a TypeError should be thrown for revoked Proxy, yet we skip it since:
+            // a) It is barely observable anyway: "prototype" lookup in createSubclassStructure() will throw for revoked Proxy.
+            // b) Throwing getFunctionRealm() will restrict calling it inline as an argument of createSubclassStructure().
+            // c) There is ongoing discussion on removing it: https://github.com/tc39/ecma262/issues/1798.
+            if (!proxy->isRevoked()) {
+                object = proxy->target();
+                continue;
+            if (proxy->isRevoked()) {
+                throwTypeError(globalObject, scope, "Cannot get function realm from revoked Proxy"_s);
+                return nullptr;
+            }
+            object = proxy->target();
+            continue;
+        }

trunk/Source/JavaScriptCore/runtime/InternalFunction.h

-                      r273138
+                      r273661
 };
+JS_EXPORT_PRIVATE JSGlobalObject* getFunctionRealm(VM&, JSObject*);
+JS_EXPORT_PRIVATE JSGlobalObject* getFunctionRealm(JSGlobalObject*, JSObject*);
+#define JSC_GET_DERIVED_STRUCTURE(vm, structureMemberFunctionName, newTarget, constructor) \
+    ((newTarget) == (constructor) \
+        ? globalObject->structureMemberFunctionName() \
+        : ([&]() -> Structure* { \
+            auto scope = DECLARE_THROW_SCOPE((vm)); \
+            auto* functionGlobalObject = getFunctionRealm(globalObject, (newTarget)); \
+            RETURN_IF_EXCEPTION(scope, nullptr); \
+            RELEASE_AND_RETURN(scope, InternalFunction::createSubclassStructure(globalObject, (newTarget), functionGlobalObject->structureMemberFunctionName())); \
+        }()))
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp

-                      r267594
+                      r273661
     // 3. ReturnIfAbrupt(collator).
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->collatorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->collatorStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, collatorStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp

-                      r267594
+                      r273661
     // 3. ReturnIfAbrupt(dateTimeFormat).
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->dateTimeFormatStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->dateTimeFormatStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, dateTimeFormatStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/IntlDisplayNamesConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->displayNamesStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->displayNamesStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, displayNamesStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/IntlListFormatConstructor.cpp

-                      r268956
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->listFormatStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->listFormatStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, listFormatStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/IntlLocaleConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->localeStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->localeStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, localeStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp

-                      r267594
+                      r273661
     // 3. ReturnIfAbrupt(numberFormat).
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->numberFormatStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->numberFormatStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, numberFormatStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/IntlPluralRulesConstructor.cpp

-                      r267594
+                      r273661
     // https://tc39.github.io/ecma402/#sec-intl.pluralrules
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->pluralRulesStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->pluralRulesStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, pluralRulesStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/IntlRelativeTimeFormatConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->relativeTimeFormatStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->relativeTimeFormatStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, relativeTimeFormatStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/IntlSegmenterConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->segmenterStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->segmenterStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, segmenterStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp

-                      r270552
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* arrayBufferStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->arrayBufferStructure(sharingMode)
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->arrayBufferStructure(sharingMode));
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, arrayBufferStructureWithSharingMode<sharingMode>, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });
 …
     ASSERT(sharingMode == buffer->sharingMode());
     JSArrayBuffer* result = JSArrayBuffer::create(vm, arrayBufferStructure, WTFMove(buffer));
+    JSArrayBuffer* result = JSArrayBuffer::create(vm, structure, WTFMove(buffer));
     return JSValue::encode(result);
+}

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

-                      r272170
+                      r273661
+    }
+    auto result = JSArrayBuffer::create(vm, getFunctionRealm(vm, asObject(species.value()))->arrayBufferStructure(ArrayBufferSharingMode::Default), WTFMove(buffer));
+    JSGlobalObject* functionGlobalObject = getFunctionRealm(globalObject, asObject(species.value()));
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    auto result = JSArrayBuffer::create(vm, functionGlobalObject->arrayBufferStructure(ArrayBufferSharingMode::Default), WTFMove(buffer));
     if (prototype.isObject())
         result->setPrototypeDirect(vm, prototype);
 …
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->typedArrayStructure(ViewClass::TypedArrayStorageType)
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->typedArrayStructure(ViewClass::TypedArrayStorageType));
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, typedArrayStructureWithTypedArrayType<ViewClass::TypedArrayStorageType>, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

r273225	r273661
787	787	return nullptr;
788	788	}
	789	template<ErrorType errorType> Structure* errorStructureWithErrorType() const { return errorStructure(errorType); }
	790
789	791	Structure* calleeStructure() const { return m_calleeStructure.get(); }
790	792	Structure* hostFunctionStructure() const { return m_hostFunctionStructure.get(); }
…	…
916	918	return nullptr;
917	919	}
	920	template<ArrayBufferSharingMode sharingMode> Structure* arrayBufferStructureWithSharingMode() const { return arrayBufferStructure(sharingMode); }
918	921	JSObject* arrayBufferConstructor(ArrayBufferSharingMode sharingMode) const
919	922	{
…	…
979	982	return typedArrayStructureConcurrently(type) == structure;
980	983	}
	984	template<TypedArrayType type> Structure* typedArrayStructureWithTypedArrayType() const { return typedArrayStructure(type); }
981	985
982	986	JSObject* typedArrayConstructor(TypedArrayType type) const

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h

-                      r260732
+                      r273661
 ALWAYS_INLINE Structure* JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation(JSGlobalObject* globalObject, IndexingType indexingType, JSValue newTarget) const
+{
+    return !newTarget || newTarget == globalObject->arrayConstructor()
+        ? globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType)
+        : InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), getFunctionRealm(globalObject->vm(), asObject(newTarget))->arrayStructureForIndexingTypeDuringAllocation(indexingType));
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    if (!newTarget || newTarget == globalObject->arrayConstructor())
+        return globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType);
+    auto* functionGlobalObject = getFunctionRealm(globalObject, asObject(newTarget));
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    RELEASE_AND_RETURN(scope, InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), functionGlobalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType)));
+}

trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* mapStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->mapStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->mapStructure());
+    Structure* mapStructure = JSC_GET_DERIVED_STRUCTURE(vm, mapStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp

-                      r273203
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* errorStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->errorStructure(errorType)
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->errorStructure(errorType));
+    Structure* errorStructure = JSC_GET_DERIVED_STRUCTURE(vm, errorStructureWithErrorType<errorType>, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });
-    ASSERT(errorStructure);
     RELEASE_AND_RETURN(scope, JSValue::encode(ErrorInstance::create(globalObject, errorStructure, message, nullptr, TypeNothing, errorType, false)));
+}

trunk/Source/JavaScriptCore/runtime/NumberConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->numberObjectStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->numberObjectStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, numberObjectStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

-                      r272938
+                      r273661
     if (newTarget && newTarget != objectConstructor) {
         // a. Return ? OrdinaryCreateFromConstructor(NewTarget, "%ObjectPrototype%").
+        Structure* baseStructure = getFunctionRealm(vm, asObject(newTarget))->objectStructureForObjectConstructor();
+        JSGlobalObject* functionGlobalObject = getFunctionRealm(globalObject, asObject(newTarget));
+        RETURN_IF_EXCEPTION(scope, nullptr);
+        Structure* baseStructure = functionGlobalObject->objectStructureForObjectConstructor();
         Structure* objectStructure = InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), baseStructure);
         RETURN_IF_EXCEPTION(scope, nullptr);

trunk/Source/JavaScriptCore/runtime/ProxyConstructor.cpp

r267594	r273661
41	41	{
42	42	ProxyConstructor* constructor = new (NotNull, allocateCell<ProxyConstructor>(vm.heap)) ProxyConstructor(vm, structure);
43		constructor->finishCreation(vm, ~~"Proxy",~~ structure->globalObject());
	43	constructor->finishCreation(vm, structure->globalObject());
44	44	return constructor;
45	45	}
…	…
75	75	}
76	76
77		void ProxyConstructor::finishCreation(VM& vm, ~~const char* name,~~ JSGlobalObject* globalObject)
	77	void ProxyConstructor::finishCreation(VM& vm, JSGlobalObject* globalObject)
78	78	{
79		Base::finishCreation(vm, 2, ~~name, PropertyAdditionMode::With~~StructureTransition);
80		~~putDirect(vm, makeIdentifier(vm, "revocable"), JSFunction::create(vm, globalObject, 2, "revocable"_s, makeRevocableProxy)~~);
	79	Base::finishCreation(vm, 2, "Proxy", PropertyAdditionMode::WithoutStructureTransition);
	80	JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("revocable", makeRevocableProxy, static_cast<unsigned>(PropertyAttribute::DontEnum), 2);
81	81	}
82	82

trunk/Source/JavaScriptCore/runtime/ProxyConstructor.h

r253019	r273661
44	44	}
45	45
46		void finishCreation(VM&, ~~const char* name,~~ JSGlobalObject*);
	46	void finishCreation(VM&, JSGlobalObject*);
47	47
48	48	private:

trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp

-                      r267727
+                      r273661
 inline Structure* getRegExpStructure(JSGlobalObject* globalObject, JSValue newTarget)
+{
+    return !newTarget || newTarget == globalObject->regExpConstructor()
+        ? globalObject->regExpStructure()
+        : InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), getFunctionRealm(globalObject->vm(), asObject(newTarget))->regExpStructure());
+    if (!newTarget)
+        return globalObject->regExpStructure();
+    VM& vm = globalObject->vm();
+    return JSC_GET_DERIVED_STRUCTURE(vm, regExpStructure, asObject(newTarget), globalObject->regExpConstructor());
+}

trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* setStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->setStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->setStructure());
+    Structure* setStructure = JSC_GET_DERIVED_STRUCTURE(vm, setStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/StringConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->stringObjectStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->stringObjectStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, stringObjectStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* weakMapStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->weakMapStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->weakMapStructure());
+    Structure* weakMapStructure = JSC_GET_DERIVED_STRUCTURE(vm, weakMapStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/WeakObjectRefConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* weakObjectRefStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->weakObjectRefStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->weakObjectRefStructure());
+    Structure* weakObjectRefStructure = JSC_GET_DERIVED_STRUCTURE(vm, weakObjectRefStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* weakSetStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->weakSetStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->weakSetStructure());
+    Structure* weakSetStructure = JSC_GET_DERIVED_STRUCTURE(vm, weakSetStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyCompileErrorConstructor.cpp

-                      r273203
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyCompileErrorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyCompileErrorStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, webAssemblyCompileErrorStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyGlobalConstructor.cpp

-                      r272194
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* webAssemblyGlobalStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyGlobalStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyGlobalStructure());
+    Structure* webAssemblyGlobalStructure = JSC_GET_DERIVED_STRUCTURE(vm, webAssemblyGlobalStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(throwScope, { });

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* instanceStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyInstanceStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyInstanceStructure());
+    Structure* instanceStructure = JSC_GET_DERIVED_STRUCTURE(vm, webAssemblyInstanceStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyLinkErrorConstructor.cpp

-                      r273203
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyLinkErrorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyLinkErrorStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, webAssemblyLinkErrorStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp

-                      r271774
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* webAssemblyMemoryStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyMemoryStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyMemoryStructure());
+    Structure* webAssemblyMemoryStructure = JSC_GET_DERIVED_STRUCTURE(vm, webAssemblyMemoryStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(throwScope, { });

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp

-                      r267594
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyModuleStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyModuleStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, webAssemblyModuleStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, nullptr);

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyRuntimeErrorConstructor.cpp

-                      r273203
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyRuntimeErrorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyRuntimeErrorStructure());
+    Structure* structure = JSC_GET_DERIVED_STRUCTURE(vm, webAssemblyRuntimeErrorStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyTableConstructor.cpp

-                      r272081
+                      r273661
     JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* webAssemblyTableStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyTableStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyTableStructure());
+    Structure* webAssemblyTableStructure = JSC_GET_DERIVED_STRUCTURE(vm, webAssemblyTableStructure, newTarget, callFrame->jsCallee());
     RETURN_IF_EXCEPTION(throwScope, { });

trunk/Source/WebCore/ChangeLog

-                      r273657
+                      r273661
+-03-01  Yusuke Suzuki  <ysuzuki@apple.com>
+        [JSC] Throw TypeError when getFunctionRealm hits revoked Proxy
+        https://bugs.webkit.org/show_bug.cgi?id=222523
+        Reviewed by Alexey Shvayka.
+        * bindings/js/JSDOMWrapperCache.h:
+        (WebCore::setSubclassStructureIfNeeded):
+        * bindings/js/JSHTMLElementCustom.cpp:
+        (WebCore::constructJSHTMLElement):
 -02-25  Simon Fraser  <simon.fraser@apple.com>

trunk/Source/WebCore/bindings/js/JSDOMWrapperCache.h

-                      r268271
+                      r273661
     auto scope = DECLARE_THROW_SCOPE(vm);
+    auto* newTargetGlobalObject = JSC::jsCast<JSDOMGlobalObject*>(JSC::getFunctionRealm(vm, newTarget));
+    auto* functionGlobalObject = JSC::getFunctionRealm(lexicalGlobalObject, newTarget);
+    RETURN_IF_EXCEPTION(scope, void());
+    auto* newTargetGlobalObject = JSC::jsCast<JSDOMGlobalObject*>(functionGlobalObject);
     auto* baseStructure = getDOMStructure<WrapperClass>(vm, *newTargetGlobalObject);
     auto* subclassStructure = JSC::InternalFunction::createSubclassStructure(lexicalGlobalObject, newTarget, baseStructure);

trunk/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp

-                      r260732
+                      r273661
     auto* newTarget = callFrame.newTarget().getObject();
+    auto* newTargetGlobalObject = jsCast<JSDOMGlobalObject*>(getFunctionRealm(vm, newTarget));
+    auto* functionGlobalObject = getFunctionRealm(lexicalGlobalObject, newTarget);
+    RETURN_IF_EXCEPTION(scope, { });
+    auto* newTargetGlobalObject = jsCast<JSDOMGlobalObject*>(functionGlobalObject);
     JSValue htmlElementConstructorValue = JSHTMLElement::getConstructor(vm, newTargetGlobalObject);
     if (newTarget == htmlElementConstructorValue)

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 273661 in webkit

Legend:

Download in other formats: