Changeset 212015 in webkit for trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

Timestamp:

Feb 9, 2017, 5:39:13 PM (8 years ago)

Author:

Brent Fulgham

Message:

Constructed object's global object should be the global object of the constructor.
​https://bugs.webkit.org/show_bug.cgi?id=167121
<rdar://problem/30054759>

Patch by Mark Lam <​[email protected]> on 2017-02-09
Reviewed by Filip Pizlo and Geoffrey Garen.

Source/JavaScriptCore:

The realm (i.e. globalObject) of any object should be the same as the constructor
that instantiated the object. Changed PrototypeMap::createEmptyStructure() to
be passed the correct globalObject to use instead of assuming it's the same one
as the prototype object.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

• bytecode/InternalFunctionAllocationProfile.h:

(JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):

• bytecode/ObjectAllocationProfile.h:

(JSC::ObjectAllocationProfile::initialize):

• runtime/FunctionRareData.cpp:

(JSC::FunctionRareData::initializeObjectAllocationProfile):

• runtime/FunctionRareData.h:

(JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):

• runtime/InternalFunction.cpp:

(JSC::InternalFunction::createSubclassStructure):

• runtime/IteratorOperations.cpp:

(JSC::createIteratorResultObjectStructure):

• runtime/JSBoundFunction.cpp:

(JSC::getBoundFunctionStructure):

• runtime/JSFunction.cpp:

(JSC::JSFunction::allocateAndInitializeRareData):
(JSC::JSFunction::initializeRareData):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

• runtime/JSProxy.cpp:

(JSC::JSProxy::setTarget):

• runtime/ObjectConstructor.h:

(JSC::constructEmptyObject):

• runtime/PrototypeMap.cpp:

(JSC::PrototypeMap::createEmptyStructure):
(JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
(JSC::PrototypeMap::emptyObjectStructureForPrototype):
(JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):

• runtime/PrototypeMap.h:

LayoutTests:

• http/tests/security/xssAuditor/regress-167121-expected.txt: Added.
• http/tests/security/xssAuditor/regress-167121.html: Added.

File:

• trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2002 Harri Porten ([email protected])
  *  Copyright (C) 2001 Peter Kelly ([email protected])
- *  Copyright (C) 2004, 2007-2008, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004, 2007-2008, 2016-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -106 +106 @@
         // newTarget may be an InternalFunction if we were called from Reflect.construct.
         JSFunction* targetFunction = jsDynamicCast<JSFunction*>(vm, newTarget);
+        JSGlobalObject* lexicalGlobalObject = exec->lexicalGlobalObject();
 
         if (LIKELY(targetFunction)) {
@@ -116 +117 @@
             RETURN_IF_EXCEPTION(scope, nullptr);
             if (JSObject* prototype = jsDynamicCast<JSObject*>(vm, prototypeValue))
-                return targetFunction->rareData(vm)->createInternalFunctionAllocationStructureFromBase(vm, prototype, baseClass);
+                return targetFunction->rareData(vm)->createInternalFunctionAllocationStructureFromBase(vm, lexicalGlobalObject, prototype, baseClass);
         } else {
             JSValue prototypeValue = newTarget.get(exec, exec->propertyNames().prototype);
@@ -123 +124 @@
                 // This only happens if someone Reflect.constructs our builtin constructor with another builtin constructor as the new.target.
                 // Thus, we don't care about the cost of looking up the structure from our hash table every time.
-                return vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(prototype, baseClass);
+                return vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(lexicalGlobalObject, prototype, baseClass);
             }
         }