Cherry-pick 265870.535@safari-7616-branch (049d074). https://bugs.webkit.org/show_bug.cgi?id=261287

Alexey Shvayka · aperezdc · commit 62bc9d115f69 · 2023-10-20T14:40:10.000+03:00
JSObject::anyObjectInChainMayInterceptIndexedAccesses and JSObject::didBecomePrototype need to account for JSGlobalProxy https://bugs.webkit.org/show_bug.cgi?id=261287 rdar://114860483 Reviewed by Yusuke Suzuki. Since JSObject::anyObjectInChainMayInterceptIndexedAccesses() walks up the [[Prototype]] chain, whenever an indexed property is defined on a JSGlobalObject, we should add MayHaveIndexedAccessors flag to JSGlobalProxy instead. Currently, mayInterceptIndexedAccesses() is never queried on JSGlobalObject instances. This change also fixes mayBePrototype() to be queried from JSGlobalProxy rather than JSGlobalObject, which is correct given setPrototypeDirect() used to call didBecomePrototype() only on the proxy. However, for extra robustness, this we propagate didBecomePrototype() to the global object as well. * JSTests/stress/regress-114860483.js: Added. * Source/JavaScriptCore/runtime/JSObjectInlines.h: (JSC::JSObject::didBecomePrototype): * Source/JavaScriptCore/runtime/JSObject.cpp: (JSC::JSObject::notifyPresenceOfIndexedAccessors): Canonical link: https://commits.webkit.org/265870.535@safari-7616-branch
diff --git a/JSTests/stress/regress-114860483.js b/JSTests/stress/regress-114860483.js
@@ -0,0 +1,40 @@
+function assertArgumentsContent() {
+    const str = [...arguments].join();
+    if (str !== `,1.1,1.1,1.1,1.1,1.1`)
+        throw new Error("Bad assertion!");
+}
+
+function createClonedArguments() {
+    return arguments.callee.arguments;
+}
+
+function main() {
+    gc();
+
+    const global_proxy = this;
+    Reflect.defineProperty(global_proxy, 0, {
+        get() {
+            for (let i = 100; i < 200; i++)
+                cloned_arguments[i] = 1.1;
+
+            for (let i = 0; i < 100; i++)
+                cloned_arguments[i] = 1.1;
+
+            gc();
+
+            // Creating invalid date objects.
+            for (let i = 0; i < 100; i++) {
+                new Date('a');
+            }
+        }
+    });
+
+    const cloned_arguments = createClonedArguments(null, new Date(), new Date(), new Date(), new Date(), new Date());
+    delete cloned_arguments[0];
+
+    Reflect.setPrototypeOf(cloned_arguments, global_proxy);
+
+    assertArgumentsContent.apply(null, cloned_arguments);
+}
+
+main();
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -1162,6 +1162,11 @@ void JSObject::enterDictionaryIndexingMode(VM& vm)
 
 void JSObject::notifyPresenceOfIndexedAccessors(VM& vm)
 {
+    if (UNLIKELY(isGlobalObject())) {
+        jsCast<JSGlobalObject*>(this)->globalThis()->notifyPresenceOfIndexedAccessors(vm);
+        return;
+    }
+
     if (mayInterceptIndexedAccesses())
         return;
     
diff --git a/Source/JavaScriptCore/runtime/JSObjectInlines.h b/Source/JavaScriptCore/runtime/JSObjectInlines.h
@@ -508,6 +508,9 @@ inline void JSObject::didBecomePrototype(VM& vm)
         DeferredStructureTransitionWatchpointFire deferred(vm, oldStructure);
         setStructure(vm, Structure::becomePrototypeTransition(vm, oldStructure, &deferred));
     }
+
+    if (UNLIKELY(type() == GlobalProxyType))
+        jsCast<JSGlobalProxy*>(this)->target()->didBecomePrototype(vm);
 }
 
 inline bool JSObject::canGetIndexQuicklyForTypedArray(unsigned i) const

Original file line number	Diff line number	Diff line change
`@@ -508,6 +508,9 @@ inline void JSObject::didBecomePrototype(VM& vm)`
`508`	`508`	`DeferredStructureTransitionWatchpointFire deferred(vm, oldStructure);`
`509`	`509`	`setStructure(vm, Structure::becomePrototypeTransition(vm, oldStructure, &deferred));`
`510`	`510`	`}`
	`511`	`+`
	`512`	`+ if (UNLIKELY(type() == GlobalProxyType))`
	`513`	`+ jsCast<JSGlobalProxy*>(this)->target()->didBecomePrototype(vm);`
`511`	`514`	`}`
`512`	`515`
`513`	`516`	`inline bool JSObject::canGetIndexQuicklyForTypedArray(unsigned i) const`