Bug 273978
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [JSC] Private brand can be empty in computed property name | | |
| Product | WebKit | Reporter | David Degazio <d_degazio> |
| Component | JavaScriptCore | Assignee | David Degazio <d_degazio> |
| Status | RESOLVED FIXED | | |
| Severity | Normal | CC | webkit-bug-importer |
| Priority | P2 | Keywords | InRadar |
| Version | WebKit Nightly Build | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
David Degazio
rdar://124072928
It's possible to access private members of a class during its own definition via computed property names, consider:
```js
class Foo {
  static #private;
  [Foo.#private] = 42; // computed key is evaluated before the class binding and its private brand exist
}
```
This code isn't particularly sensible - within an incomplete class definition, neither `this` nor the class itself is defined, so as far as I can tell there is no valid base for a private field access within any computed property name. But, in our implementation, the fact that the private brand is specifically empty/null at this point (we install it in the class lexical environment after the class definition is finished) means we can occasionally run into crashes when comparing it to other cells. Let's add a check for an empty private brand when we check it during a field access, so we can fail gracefully and throw an exception.
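As an added illustration (not WebKit's code and not part of the bug report), the following Node.js script exercises the behaviour the report asks for: a private-name access whose base is the class itself, or `this`, inside a computed property name must surface as a catchable JavaScript exception rather than crash the engine, while the same private name works normally once the class definition has finished. The helper names `exceptionFrom` and `afterDefinition`, the two source strings and the `Counter` class are the example's own; the snippets are compiled with `new Function` so that any failure, including a parse error, is reported as an exception the caller can inspect.

```javascript
// Added example, not WebKit's code. Assumes Node.js (or any engine that
// follows the ECMAScript class semantics).

// Reproduction from the bug report, kept as a string so it is compiled at
// call time with `new Function`; a parse error or a runtime error both end
// up as an exception we can catch and name.
const REPRO_CLASS_BASE = `
  class Foo {
    static #private;
    [Foo.#private] = 42;   // "Foo" is still uninitialised while keys are evaluated
  }
  return Foo;
`;

// Variant with "this" as the base: inside a class body "this" is whatever
// the enclosing code's "this" is, and that object never carries Foo's brand.
const REPRO_THIS_BASE = `
  class Foo {
    static #private;
    [this.#private] = 42;
  }
  return Foo;
`;

// Compile and run a snippet; return the name of the exception it raised, or
// null if it completed without throwing. Per the spec a conforming engine
// throws here (a ReferenceError for the TDZ access to Foo, a TypeError for
// the failed brand check on "this"); the bug was that JSC could crash instead.
function exceptionFrom(source) {
  try {
    new Function(source)();
    return null;
  } catch (e) {
    return e instanceof Error ? e.constructor.name : String(e);
  }
}

// The legitimate form: the private brand exists once the class definition
// has completed, so the private name is usable from the class's own methods.
function afterDefinition() {
  class Counter {
    static #count = 0;
    static bump() { return ++Counter.#count; }
  }
  Counter.bump();
  return Counter.bump(); // 2
}

console.log({
  classBase: exceptionFrom(REPRO_CLASS_BASE),
  thisBase: exceptionFrom(REPRO_THIS_BASE),
  afterDefinition: afterDefinition(),
});
```

Both reproductions should report an exception name and never bring the process down; only the `afterDefinition` path is expected to succeed.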
David Degazio
Pull request: https://github.com/WebKit/WebKit/pull/28370
EWS
Committed 278642@main (dab4400141ad): <https://commits.webkit.org/278642@main>
Reviewed commits have been landed. Closing PR #28370 and removing active labels.