| Summary: | RegExp.prototype getters should throw on cross-realm access | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Alexey Shvayka <ashvayka> | ||||
| Component: | JavaScriptCore | Assignee: | Alexey Shvayka <ashvayka> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Trivial | CC: | ews-watchlist, keith_miller, littledan, mark.lam, msaboff, ross.kirsling, saam, tzagallo, webkit-bug-importer, ysuzuki | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | All | ||||||
| OS: | All | ||||||
| Attachments: |
|
||||||
|
Description
Alexey Shvayka
2020-06-11 08:00:25 PDT
Created attachment 401644 [details]
Patch
Comment on attachment 401644 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=401644&action=review > Source/JavaScriptCore/runtime/RegExpPrototype.cpp:242 > + if (thisValue == globalObject->regExpPrototype()) Which realm is used by the spec? The realm from the object? Or the realm of the static code running? This is using the latter. Is that intentional? (In reply to Saam Barati from comment #2) > Comment on attachment 401644 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=401644&action=review > > > Source/JavaScriptCore/runtime/RegExpPrototype.cpp:242 > > + if (thisValue == globalObject->regExpPrototype()) > > Which realm is used by the spec? The realm from the object? Or the realm of > the static code running? This is using the latter. Is that intentional? The spec uses realm of static code (of a getter). Otherwise, the check would never fail: if `object` is a %RegExp.prototype%, `object.realm.RegExp.prototype` is `object` itself. Committed r262908: <https://trac.webkit.org/changeset/262908> All reviewed patches have been landed. Closing bug and clearing flags on attachment 401644 [details]. |