Changeset 292895 in webkit

Timestamp:

Apr 14, 2022 4:39:06 PM (3 months ago)

Author:

caitp@igalia.com

Message:

[JSC] ShadowRealm global object has a mutable prototype
​https://bugs.webkit.org/show_bug.cgi?id=239332

Reviewed by Yusuke Suzuki.

JSTests:

• stress/shadow-realm-globalThis-mutable-prototype.js: Added.

Source/JavaScriptCore:

This patch circumvents the ASSERT(toThis() == this) in JSObject::setPrototypeWithCycleCheck()
when this is a GlobalObject. Ordinarily, GlobalObjects have the IsImmutablePrototypeExoticObject
bit set and miss this pathway, however this is not the case for ShadowRealm Global Objects.

In addition, the JSC internal version is also modified to have a mutable prototype in the same way
as in WebCore.

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::deriveShadowRealmGlobalObject):
(JSC::JSGlobalObject::createStructureForShadowRealm):

• runtime/JSObject.cpp:

(JSC::JSObject::setPrototypeWithCycleCheck):

Source/WebCore:

Hack: The IDL code generator now special cases ShadowRealmGlobalObject to remove the
ImmutablePrototypeExoticObject bit from the inherited JSGlobalObject structure flags.

As a result, this enables the assignment of a ShadowRealm's globalThis.proto, or
overwriting the prototype with [Object / Reflect].setPrototypeOf().

Test: js/ShadowRealm-globalThis.html

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

• bindings/scripts/test/JS/JSShadowRealmGlobalScope.h:

LayoutTests:

Add a new layout test to verify changes to verify that ShadowRealmGlobalObject has a properly
mutable prototype.

• js/ShadowRealm-globalThis-expected.txt: Added.
• js/ShadowRealm-globalThis.html: Added.

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/shadow-realm-globalThis-mutable-prototype.js (added)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/ShadowRealm-globalThis-expected.txt (added)
• LayoutTests/js/ShadowRealm-globalThis.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSShadowRealmGlobalScope.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2022-04-14  Caitlin Potter  <caitp@igalia.com>
+
+        [JSC] ShadowRealm global object has a mutable prototype
+        https://bugs.webkit.org/show_bug.cgi?id=239332
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/shadow-realm-globalThis-mutable-prototype.js: Added.
+
 2022-04-14  Alexey Shvayka  <ashvayka@apple.com>
 

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2022-04-14  Caitlin Potter  <caitp@igalia.com>
+
+        [JSC] ShadowRealm global object has a mutable prototype
+        https://bugs.webkit.org/show_bug.cgi?id=239332
+
+        Reviewed by Yusuke Suzuki.
+
+        Add a new layout test to verify changes to verify that ShadowRealmGlobalObject has a properly
+        mutable prototype.
+
+        * js/ShadowRealm-globalThis-expected.txt: Added.
+        * js/ShadowRealm-globalThis.html: Added.
+
 2022-04-14  Nikolaos Mouchtaris  <nmouchtaris@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2022-04-14  Caitlin Potter  <caitp@igalia.com>
+
+        [JSC] ShadowRealm global object has a mutable prototype
+        https://bugs.webkit.org/show_bug.cgi?id=239332
+
+        Reviewed by Yusuke Suzuki.
+
+        This patch circumvents the `ASSERT(toThis() == this)` in JSObject::setPrototypeWithCycleCheck()
+        when `this` is a GlobalObject. Ordinarily, GlobalObjects have the IsImmutablePrototypeExoticObject
+        bit set and miss this pathway, however this is not the case for ShadowRealm Global Objects. 
+
+        In addition, the JSC internal version is also modified to have a mutable prototype in the same way
+        as in WebCore.
+
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::deriveShadowRealmGlobalObject):
+        (JSC::JSGlobalObject::createStructureForShadowRealm):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::setPrototypeWithCycleCheck):
+
 2022-04-14  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -1100 +1100 @@
     {
         auto& vm = globalObject->vm();
-        return JSGlobalObject::createWithCustomMethodTable(vm, JSGlobalObject::createStructure(vm, jsNull()), globalObject->globalObjectMethodTable());
+        JSGlobalObject* result = JSGlobalObject::createWithCustomMethodTable(vm, JSGlobalObject::createStructureForShadowRealm(vm, jsNull()), globalObject->globalObjectMethodTable());
+        return result;
     }
 
@@ -1141 +1142 @@
     {
         Structure* result = Structure::create(vm, nullptr, prototype, TypeInfo(GlobalObjectType, StructureFlags), info());
+        result->setTransitionWatchpointIsLikelyToBeFired(true);
+        return result;
+    }
+    static Structure* createStructureForShadowRealm(VM& vm, JSValue prototype)
+    {
+        Structure* result = Structure::create(vm, nullptr, prototype, TypeInfo(GlobalObjectType, StructureFlags & ~IsImmutablePrototypeExoticObject), info());
         result->setTransitionWatchpointIsLikelyToBeFired(true);
         return result;

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -1916 +1916 @@
     }
 
-    ASSERT(methodTable(vm)->toThis(this, globalObject, ECMAMode::sloppy()) == this);
+    // Default realm global objects should have mutable prototypes despite having
+    // a Proxy globalThis.
+    ASSERT(this->isGlobalObject() || methodTable(vm)->toThis(this, globalObject, ECMAMode::sloppy()) == this);
 
     if (this->getPrototypeDirect(vm) == prototype)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-04-14  Caitlin Potter  <caitp@igalia.com>
+
+        [JSC] ShadowRealm global object has a mutable prototype
+        https://bugs.webkit.org/show_bug.cgi?id=239332
+
+        Reviewed by Yusuke Suzuki.
+
+        Hack: The IDL code generator now special cases ShadowRealmGlobalObject to remove the 
+        ImmutablePrototypeExoticObject bit from the inherited JSGlobalObject structure flags.
+
+        As a result, this enables the assignment of a ShadowRealm's globalThis.__proto__, or
+        overwriting the prototype with [Object / Reflect].setPrototypeOf().
+
+        Test: js/ShadowRealm-globalThis.html
+
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+        * bindings/scripts/test/JS/JSShadowRealmGlobalScope.h:
+
 2022-04-14  Nikolaos Mouchtaris  <nmouchtaris@apple.com>
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -3206 +3206 @@
     if (%structureFlags) {
         push(@headerContent, "public:\n");
-        push(@headerContent, "    static constexpr unsigned StructureFlags = Base::StructureFlags");
+        if ($interfaceName eq "ShadowRealmGlobalScope") {
+            # Hack to make ShadowRealmGlobalScope a default realm global object (not an ImmutablePrototypeExoticObject)
+            push(@headerContent, "    static constexpr unsigned StructureFlags = (Base::StructureFlags & ~JSC::IsImmutablePrototypeExoticObject)");
+        } else {
+            push(@headerContent, "    static constexpr unsigned StructureFlags = Base::StructureFlags");
+        }
         foreach my $structureFlag (sort (keys %structureFlags)) {
             push(@headerContent, " | " . $structureFlag);

trunk/Source/WebCore/bindings/scripts/test/JS/JSShadowRealmGlobalScope.h

@@ -58 +58 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::HasStaticPropertyTable;
+    static constexpr unsigned StructureFlags = (Base::StructureFlags & ~JSC::IsImmutablePrototypeExoticObject) | JSC::HasStaticPropertyTable;
 protected:
     JSShadowRealmGlobalScope(JSC::VM&, JSC::Structure*, Ref<ShadowRealmGlobalScope>&&);