Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 May 2016 06:24:44 +0000 (06:24 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 May 2016 06:24:44 +0000 (06:24 +0000)
https://bugs.webkit.org/show_bug.cgi?id=157080

Reviewed by Saam Barati.

Source/JavaScriptCore:

In custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
In this patch, we add a new parameter, "slotBase". This represents the base value offering
this custom getter. And use it in ProxyObject's performGet custom accessor getter.

* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::staticFunctionGetter):
(JSC::JSCallbackObject<Parent>::callbackGetter):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
In PolymorphicAccess case, the thisValue and the slotBase are always cells.
This is because IC is enabled in the case that the base value is a cell.
And slotBase is always on the prototype chain from this base value.

* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jsc.cpp:
(WTF::CustomGetter::customGetter):
(WTF::RuntimeArray::lengthGetter):
* runtime/CustomGetterSetter.cpp:
(JSC::callCustomSetter):
* runtime/JSBoundSlotBaseFunction.cpp:
(JSC::boundSlotBaseFunctionCall):
* runtime/JSFunction.cpp:
(JSC::JSFunction::argumentsGetter):
(JSC::JSFunction::callerGetter):
* runtime/JSFunction.h:
* runtime/JSModuleNamespaceObject.cpp:
(JSC::callbackGetter):
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::customGetter):
* runtime/PropertySlot.h:
* runtime/ProxyObject.cpp:
(JSC::performProxyGet):
* runtime/RegExpConstructor.cpp:
(JSC::regExpConstructorDollar):
(JSC::regExpConstructorInput):
(JSC::regExpConstructorMultiline):
(JSC::regExpConstructorLastMatch):
(JSC::regExpConstructorLastParen):
(JSC::regExpConstructorLeftContext):
(JSC::regExpConstructorRightContext):
(JSC::regExpConstructorDollar1): Deleted.
(JSC::regExpConstructorDollar2): Deleted.
(JSC::regExpConstructorDollar3): Deleted.
(JSC::regExpConstructorDollar4): Deleted.
(JSC::regExpConstructorDollar5): Deleted.
(JSC::regExpConstructorDollar6): Deleted.
(JSC::regExpConstructorDollar7): Deleted.
(JSC::regExpConstructorDollar8): Deleted.
(JSC::regExpConstructorDollar9): Deleted.
* tests/stress/proxy-get-with-primitive-receiver.js: Added.
(shouldBe):

Source/WebCore:

* bindings/js/JSDOMBinding.h:
(WebCore::nonCachingStaticFunctionGetter):
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowWebKit):
* bindings/js/JSPluginElementFunctions.cpp:
(WebCore::pluginElementPropertyGetter):
* bindings/js/JSPluginElementFunctions.h:
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
(GenerateImplementation):
* bridge/runtime_array.cpp:
(JSC::RuntimeArray::lengthGetter):
* bridge/runtime_array.h:
* bridge/runtime_method.cpp:
(JSC::RuntimeMethod::lengthGetter):
* bridge/runtime_method.h:
* bridge/runtime_object.cpp:
(JSC::Bindings::RuntimeObject::fallbackObjectGetter):
(JSC::Bindings::RuntimeObject::fieldGetter):
(JSC::Bindings::RuntimeObject::methodGetter):
* bridge/runtime_object.h:

Source/WebKit2:

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::propertyGetter):
(WebKit::JSNPObject::methodGetter):
* WebProcess/Plugins/Netscape/JSNPObject.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201322 268f45cc-cd09-0410-ab3c-d52691b4dbfc

31 files changed:
Source/JavaScriptCore/API/JSCallbackObject.h
Source/JavaScriptCore/API/JSCallbackObjectFunctions.h
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
Source/JavaScriptCore/jit/CCallHelpers.h
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/runtime/CustomGetterSetter.cpp
Source/JavaScriptCore/runtime/JSBoundSlotBaseFunction.cpp
Source/JavaScriptCore/runtime/JSFunction.cpp
Source/JavaScriptCore/runtime/JSFunction.h
Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
Source/JavaScriptCore/runtime/PropertySlot.cpp
Source/JavaScriptCore/runtime/PropertySlot.h
Source/JavaScriptCore/runtime/ProxyObject.cpp
Source/JavaScriptCore/runtime/RegExpConstructor.cpp
Source/JavaScriptCore/tests/stress/proxy-get-with-primitive-receiver.js [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSDOMBinding.h
Source/WebCore/bindings/js/JSDOMWindowCustom.cpp
Source/WebCore/bindings/js/JSPluginElementFunctions.cpp
Source/WebCore/bindings/js/JSPluginElementFunctions.h
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Source/WebCore/bridge/runtime_array.cpp
Source/WebCore/bridge/runtime_array.h
Source/WebCore/bridge/runtime_method.cpp
Source/WebCore/bridge/runtime_method.h
Source/WebCore/bridge/runtime_object.cpp
Source/WebCore/bridge/runtime_object.h
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp
Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.h

index e9563f5..5e033f8 100644 (file)
@@ -211,8 +211,8 @@ private:
     static EncodedJSValue JSC_HOST_CALL construct(ExecState*);
    
     JSValue getStaticValue(ExecState*, PropertyName);
-    static EncodedJSValue staticFunctionGetter(ExecState*, EncodedJSValue, PropertyName);
-    static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
+    static EncodedJSValue staticFunctionGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+    static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
 
     std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
 };
index a553723..b2bcf45 100644 (file)
@@ -599,7 +599,7 @@ JSValue JSCallbackObject<Parent>::getStaticValue(ExecState* exec, PropertyName p
 }
 
 template <class Parent>
-EncodedJSValue JSCallbackObject<Parent>::staticFunctionGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+EncodedJSValue JSCallbackObject<Parent>::staticFunctionGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
 {
     JSCallbackObject* thisObj = asCallbackObject(thisValue);
     
@@ -627,7 +627,7 @@ EncodedJSValue JSCallbackObject<Parent>::staticFunctionGetter(ExecState* exec, E
 }
 
 template <class Parent>
-EncodedJSValue JSCallbackObject<Parent>::callbackGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+EncodedJSValue JSCallbackObject<Parent>::callbackGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
 {
     JSCallbackObject* thisObj = asCallbackObject(thisValue);
     
index 207c733..0b53b45 100644 (file)
@@ -1,3 +1,64 @@
+2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
+        https://bugs.webkit.org/show_bug.cgi?id=157080
+
+        Reviewed by Saam Barati.
+
+        In custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
+        In this patch, we add a new parameter, "slotBase". This represents the base value offering
+        this custom getter. And use it in ProxyObject's performGet custom accessor getter.
+
+        * API/JSCallbackObject.h:
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
+        (JSC::JSCallbackObject<Parent>::callbackGetter):
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::AccessCase::generateImpl):
+        In PolymorphicAccess case, the thisValue and the slotBase are always cells.
+        This is because IC is enabled in the case that the base value is a cell.
+        And slotBase is always on the prototype chain from this base value.
+
+        * jit/CCallHelpers.h:
+        (JSC::CCallHelpers::setupArgumentsWithExecState):
+        * jsc.cpp:
+        (WTF::CustomGetter::customGetter):
+        (WTF::RuntimeArray::lengthGetter):
+        * runtime/CustomGetterSetter.cpp:
+        (JSC::callCustomSetter):
+        * runtime/JSBoundSlotBaseFunction.cpp:
+        (JSC::boundSlotBaseFunctionCall):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::argumentsGetter):
+        (JSC::JSFunction::callerGetter):
+        * runtime/JSFunction.h:
+        * runtime/JSModuleNamespaceObject.cpp:
+        (JSC::callbackGetter):
+        * runtime/PropertySlot.cpp:
+        (JSC::PropertySlot::customGetter):
+        * runtime/PropertySlot.h:
+        * runtime/ProxyObject.cpp:
+        (JSC::performProxyGet):
+        * runtime/RegExpConstructor.cpp:
+        (JSC::regExpConstructorDollar):
+        (JSC::regExpConstructorInput):
+        (JSC::regExpConstructorMultiline):
+        (JSC::regExpConstructorLastMatch):
+        (JSC::regExpConstructorLastParen):
+        (JSC::regExpConstructorLeftContext):
+        (JSC::regExpConstructorRightContext):
+        (JSC::regExpConstructorDollar1): Deleted.
+        (JSC::regExpConstructorDollar2): Deleted.
+        (JSC::regExpConstructorDollar3): Deleted.
+        (JSC::regExpConstructorDollar4): Deleted.
+        (JSC::regExpConstructorDollar5): Deleted.
+        (JSC::regExpConstructorDollar6): Deleted.
+        (JSC::regExpConstructorDollar7): Deleted.
+        (JSC::regExpConstructorDollar8): Deleted.
+        (JSC::regExpConstructorDollar9): Deleted.
+        * tests/stress/proxy-get-with-primitive-receiver.js: Added.
+        (shouldBe):
+
 2016-05-23  Geoffrey Garen  <ggaren@apple.com>
 
         REGRESSION (196374): deleting a global property is expensive
index 202d5d5..4aaed8e 100644 (file)
@@ -1084,15 +1084,18 @@ void AccessCase::generateImpl(AccessGenerationState& state)
             // to make some space here.
             jit.makeSpaceOnStackForCCall();
 
-            // getter: EncodedJSValue (*GetValueFunc)(ExecState*, EncodedJSValue thisValue, PropertyName);
+            // getter: EncodedJSValue (*GetValueFunc)(ExecState*, EncodedJSValue thisValue, PropertyName, JSObject* slotBase);
             // setter: void (*PutValueFunc)(ExecState*, EncodedJSValue thisObject, EncodedJSValue value);
             // Custom values are passed the slotBase (the property holder), custom accessors are passed the thisVaule (reciever).
+            // FIXME: Remove this differences in custom values and custom accessors.
+            // https://bugs.webkit.org/show_bug.cgi?id=158014
             GPRReg baseForCustomValue = m_type == CustomValueGetter || m_type == CustomValueSetter ? baseForAccessGPR : baseForGetGPR;
 #if USE(JSVALUE64)
             if (m_type == CustomValueGetter || m_type == CustomAccessorGetter) {
                 jit.setupArgumentsWithExecState(
                     baseForCustomValue,
-                    CCallHelpers::TrustedImmPtr(ident.impl()));
+                    CCallHelpers::TrustedImmPtr(ident.impl()),
+                    baseForAccessGPR);
             } else
                 jit.setupArgumentsWithExecState(baseForCustomValue, valueRegs.gpr());
 #else
@@ -1100,7 +1103,8 @@ void AccessCase::generateImpl(AccessGenerationState& state)
                 jit.setupArgumentsWithExecState(
                     EABI_32BIT_DUMMY_ARG baseForCustomValue,
                     CCallHelpers::TrustedImm32(JSValue::CellTag),
-                    CCallHelpers::TrustedImmPtr(ident.impl()));
+                    CCallHelpers::TrustedImmPtr(ident.impl()),
+                    baseForAccessGPR);
             } else {
                 jit.setupArgumentsWithExecState(
                     EABI_32BIT_DUMMY_ARG baseForCustomValue,
index 37d021a..0ef3139 100644 (file)
@@ -716,6 +716,16 @@ public:
         addCallArgument(arg4);
     }
 
+    ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, TrustedImm32 arg2, TrustedImmPtr arg3, GPRReg arg4)
+    {
+        resetCallArguments();
+        addCallArgument(GPRInfo::callFrameRegister);
+        addCallArgument(arg1);
+        addCallArgument(arg2);
+        addCallArgument(arg3);
+        addCallArgument(arg4);
+    }
+
     ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, TrustedImmPtr arg2, GPRReg arg3, GPRReg arg4)
     {
         resetCallArguments();
@@ -1684,6 +1694,12 @@ public:
         setupArgumentsWithExecState(arg1, arg2, arg3);
     }
 
+    ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, TrustedImm32 arg2, TrustedImmPtr arg3, GPRReg arg4)
+    {
+        poke(arg4, POKE_ARGUMENT_OFFSET);
+        setupArgumentsWithExecState(arg1, arg2, arg3);
+    }
+
     ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, GPRReg arg2, TrustedImm32 arg3, TrustedImm32 arg4, TrustedImm32 arg5)
     {
         poke(arg5, POKE_ARGUMENT_OFFSET + 1);
@@ -2039,6 +2055,13 @@ public:
         poke(arg4, POKE_ARGUMENT_OFFSET);
         setupArgumentsWithExecState(arg1, arg2, arg3);
     }
+
+    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, GPRReg arg2, TrustedImm32 arg3, TrustedImmPtr arg4, GPRReg arg5)
+    {
+        poke(arg5, POKE_ARGUMENT_OFFSET + 1);
+        poke(arg4, POKE_ARGUMENT_OFFSET);
+        setupArgumentsWithExecState(arg1, arg2, arg3);
+    }
 #endif // NUMBER_OF_ARGUMENT_REGISTERS == 4
 
 #if NUMBER_OF_ARGUMENT_REGISTERS >= 5
index 433d1a5..4097384 100644 (file)
@@ -358,7 +358,7 @@ public:
     }
 
 private:
-    static EncodedJSValue customGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+    static EncodedJSValue customGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
     {
         CustomGetter* thisObject = jsDynamicCast<CustomGetter*>(JSValue::decode(thisValue));
         if (!thisObject)
@@ -463,7 +463,7 @@ private:
     {
     }
 
-    static EncodedJSValue lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+    static EncodedJSValue lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
     {
         RuntimeArray* thisObject = jsDynamicCast<RuntimeArray*>(JSValue::decode(thisValue));
         if (!thisObject)
index 8736d19..dea45c4 100644 (file)
@@ -53,6 +53,8 @@ bool callCustomSetter(ExecState* exec, JSValue customGetterSetter, bool isAccess
     // Return false since there is no setter.
     if (!setter)
         return false;
+    // FIXME: Remove this differences in custom values and custom accessors.
+    // https://bugs.webkit.org/show_bug.cgi?id=158014
     if (!isAccessor)
         thisValue = base;
     return callCustomSetter(exec, setter, isAccessor, thisValue, value);
index 1f33562..2d67e43 100644 (file)
@@ -51,7 +51,7 @@ EncodedJSValue JSC_HOST_CALL boundSlotBaseFunctionCall(ExecState* exec)
         return JSValue::encode(jsUndefined());
 
     const String& name = boundSlotBaseFunction->name();
-    return getter(exec, JSValue::encode(exec->thisValue()), PropertyName(Identifier::fromString(exec, name)));
+    return getter(exec, JSValue::encode(exec->thisValue()), PropertyName(Identifier::fromString(exec, name)), baseObject);
 }
 
 JSBoundSlotBaseFunction::JSBoundSlotBaseFunction(VM& vm, JSGlobalObject* globalObject, Structure* structure, const Type type)
index 638e705..ae30dcc 100644 (file)
@@ -264,7 +264,7 @@ static JSValue retrieveArguments(ExecState* exec, JSFunction* functionObj)
     return functor.result();
 }
 
-EncodedJSValue JSFunction::argumentsGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue JSFunction::argumentsGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     JSFunction* thisObj = jsCast<JSFunction*>(JSValue::decode(thisValue));
     ASSERT(!thisObj->isHostFunction());
@@ -326,7 +326,7 @@ static GetterSetter* getThrowTypeErrorGetterSetter(JSFunction* function)
         : function->globalObject()->throwTypeErrorArgumentsAndCallerInStrictModeGetterSetter();
 }
 
-EncodedJSValue JSFunction::callerGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue JSFunction::callerGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     JSFunction* thisObj = jsCast<JSFunction*>(JSValue::decode(thisValue));
     ASSERT(!thisObj->isHostFunction());
index 30070d0..307dec1 100644 (file)
@@ -198,10 +198,8 @@ private:
 
     friend class LLIntOffsetsExtractor;
 
-    static EncodedJSValue argumentsGetter(ExecState*, EncodedJSValue, PropertyName);
-    static EncodedJSValue callerGetter(ExecState*, EncodedJSValue, PropertyName);
-    static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName);
-    static EncodedJSValue nameGetter(ExecState*, EncodedJSValue, PropertyName);
+    static EncodedJSValue argumentsGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+    static EncodedJSValue callerGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
 
     WriteBarrier<ExecutableBase> m_executable;
     WriteBarrier<FunctionRareData> m_rareData;
index 40dda73..9e99432 100644 (file)
@@ -97,7 +97,7 @@ void JSModuleNamespaceObject::visitChildren(JSCell* cell, SlotVisitor& visitor)
     visitor.append(&thisObject->m_moduleRecord);
 }
 
-static EncodedJSValue callbackGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+static EncodedJSValue callbackGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
 {
     JSModuleNamespaceObject* thisObject = jsCast<JSModuleNamespaceObject*>(JSValue::decode(thisValue));
     JSModuleRecord* moduleRecord = thisObject->moduleRecord();
index 0410139..c688244 100644 (file)
@@ -35,8 +35,10 @@ JSValue PropertySlot::functionGetter(ExecState* exec) const
 
 JSValue PropertySlot::customGetter(ExecState* exec, PropertyName propertyName) const
 {
+    // FIXME: Remove this differences in custom values and custom accessors.
+    // https://bugs.webkit.org/show_bug.cgi?id=158014
     JSValue thisValue = m_attributes & CustomAccessor ? m_thisValue : JSValue(slotBase());
-    return JSValue::decode(m_data.custom.getValue(exec, JSValue::encode(thisValue), propertyName));
+    return JSValue::decode(m_data.custom.getValue(exec, JSValue::encode(thisValue), propertyName, slotBase()));
 }
 
 JSValue PropertySlot::getPureResult() const
index 15403cd..ea5cc9d 100644 (file)
@@ -94,7 +94,12 @@ public:
     {
     }
 
-    typedef EncodedJSValue (*GetValueFunc)(ExecState*, EncodedJSValue thisValue, PropertyName);
+    // There are two types of custom properties: custom values and custom accessors.
+    // For the second argument, custom values are passed the slotBase (the property holder), custom accessors are passed the thisVaule (reciever).
+    // And when getting the property descriptor from these properties, custom values return the data descriptor while custom accessors return the accessor descriptor.
+    // FIXME: Remove this slotBase / receiver behavior difference in custom values and custom accessors.
+    // https://bugs.webkit.org/show_bug.cgi?id=158014
+    typedef EncodedJSValue (*GetValueFunc)(ExecState*, EncodedJSValue thisValue, PropertyName, JSObject* slotBase);
 
     JSValue getValue(ExecState*, PropertyName) const;
     JSValue getValue(ExecState*, unsigned propertyName) const;
index 539185f..998333c 100644 (file)
@@ -92,7 +92,7 @@ void ProxyObject::finishCreation(VM& vm, ExecState* exec, JSValue target, JSValu
 
 static const char* s_proxyAlreadyRevokedErrorMessage = "Proxy has already been revoked. No more operations are allowed to be performed on it";
 
-static EncodedJSValue performProxyGet(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+static EncodedJSValue performProxyGet(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject* slotBase)
 {
     VM& vm = exec->vm();
     if (!vm.isSafeToRecurse()) {
@@ -100,20 +100,7 @@ static EncodedJSValue performProxyGet(ExecState* exec, EncodedJSValue thisValue,
         return JSValue::encode(JSValue());
     }
 
-    JSObject* thisObject = jsCast<JSObject*>(JSValue::decode(thisValue)); // This might be a value where somewhere in __proto__ chain lives a ProxyObject.
-    JSObject* proxyObjectAsObject = thisObject;
-    // FIXME: make it so that custom getters take both the |this| value and the slotBase (property holder).
-    // https://bugs.webkit.org/show_bug.cgi?id=154320
-    while (true) {
-        if (LIKELY(proxyObjectAsObject->type() == ProxyObjectType))
-            break;
-
-        JSValue prototype = proxyObjectAsObject->getPrototypeDirect();
-        RELEASE_ASSERT(prototype.isObject());
-        proxyObjectAsObject = asObject(prototype);
-    }
-
-    ProxyObject* proxyObject = jsCast<ProxyObject*>(proxyObjectAsObject);
+    ProxyObject* proxyObject = jsCast<ProxyObject*>(slotBase);
     JSObject* target = proxyObject->target();
 
     if (propertyName == vm.propertyNames->underscoreProto)
@@ -143,7 +130,7 @@ static EncodedJSValue performProxyGet(ExecState* exec, EncodedJSValue thisValue,
     MarkedArgumentBuffer arguments;
     arguments.append(target);
     arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid())));
-    arguments.append(thisObject);
+    arguments.append(JSValue::decode(thisValue));
     JSValue trapResult = call(exec, getHandler, callType, callData, handler, arguments);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
index 1956ec9..75a550d 100644 (file)
 
 namespace JSC {
 
-static EncodedJSValue regExpConstructorInput(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorMultiline(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorLastMatch(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorLastParen(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorLeftContext(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorRightContext(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorDollar1(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorDollar2(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorDollar3(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorDollar4(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorDollar5(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorDollar6(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorDollar7(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorDollar8(ExecState*, EncodedJSValue, PropertyName);
-static EncodedJSValue regExpConstructorDollar9(ExecState*, EncodedJSValue, PropertyName);
+static EncodedJSValue regExpConstructorInput(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+static EncodedJSValue regExpConstructorMultiline(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+static EncodedJSValue regExpConstructorLastMatch(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+static EncodedJSValue regExpConstructorLastParen(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+static EncodedJSValue regExpConstructorLeftContext(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+static EncodedJSValue regExpConstructorRightContext(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+template<int N>
+static EncodedJSValue regExpConstructorDollar(ExecState*, EncodedJSValue, PropertyName, JSObject*);
 
 static bool setRegExpConstructorInput(ExecState*, EncodedJSValue, EncodedJSValue);
 static bool setRegExpConstructorMultiline(ExecState*, EncodedJSValue, EncodedJSValue);
@@ -72,15 +65,15 @@ const ClassInfo RegExpConstructor::s_info = { "Function", &InternalFunction::s_i
     $`              regExpConstructorLeftContext    DontDelete|ReadOnly|DontEnum
     rightContext    regExpConstructorRightContext   DontDelete|ReadOnly
     $'              regExpConstructorRightContext   DontDelete|ReadOnly|DontEnum
-    $1              regExpConstructorDollar1        DontDelete|ReadOnly
-    $2              regExpConstructorDollar2        DontDelete|ReadOnly
-    $3              regExpConstructorDollar3        DontDelete|ReadOnly
-    $4              regExpConstructorDollar4        DontDelete|ReadOnly
-    $5              regExpConstructorDollar5        DontDelete|ReadOnly
-    $6              regExpConstructorDollar6        DontDelete|ReadOnly
-    $7              regExpConstructorDollar7        DontDelete|ReadOnly
-    $8              regExpConstructorDollar8        DontDelete|ReadOnly
-    $9              regExpConstructorDollar9        DontDelete|ReadOnly
+    $1              regExpConstructorDollar<1>      DontDelete|ReadOnly
+    $2              regExpConstructorDollar<2>      DontDelete|ReadOnly
+    $3              regExpConstructorDollar<3>      DontDelete|ReadOnly
+    $4              regExpConstructorDollar<4>      DontDelete|ReadOnly
+    $5              regExpConstructorDollar<5>      DontDelete|ReadOnly
+    $6              regExpConstructorDollar<6>      DontDelete|ReadOnly
+    $7              regExpConstructorDollar<7>      DontDelete|ReadOnly
+    $8              regExpConstructorDollar<8>      DontDelete|ReadOnly
+    $9              regExpConstructorDollar<9>      DontDelete|ReadOnly
 @end
 */
 
@@ -157,78 +150,39 @@ bool RegExpConstructor::getOwnPropertySlot(JSObject* object, ExecState* exec, Pr
 {
     return getStaticValueSlot<RegExpConstructor, InternalFunction>(exec, regExpConstructorTable, jsCast<RegExpConstructor*>(object), propertyName, slot);
 }
-    
-EncodedJSValue regExpConstructorDollar1(ExecState* exec, EncodedJSValue thisValue, PropertyName)
-{
-    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 1));
-}
-
-EncodedJSValue regExpConstructorDollar2(ExecState* exec, EncodedJSValue thisValue, PropertyName)
-{
-    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 2));
-}
-
-EncodedJSValue regExpConstructorDollar3(ExecState* exec, EncodedJSValue thisValue, PropertyName)
-{
-    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 3));
-}
-
-EncodedJSValue regExpConstructorDollar4(ExecState* exec, EncodedJSValue thisValue, PropertyName)
-{
-    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 4));
-}
-
-EncodedJSValue regExpConstructorDollar5(ExecState* exec, EncodedJSValue thisValue, PropertyName)
-{
-    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 5));
-}
-
-EncodedJSValue regExpConstructorDollar6(ExecState* exec, EncodedJSValue thisValue, PropertyName)
-{
-    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 6));
-}
-
-EncodedJSValue regExpConstructorDollar7(ExecState* exec, EncodedJSValue thisValue, PropertyName)
-{
-    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 7));
-}
-
-EncodedJSValue regExpConstructorDollar8(ExecState* exec, EncodedJSValue thisValue, PropertyName)
-{
-    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 8));
-}
 
-EncodedJSValue regExpConstructorDollar9(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+template<int N>
+EncodedJSValue regExpConstructorDollar(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
-    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 9));
+    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, N));
 }
 
-EncodedJSValue regExpConstructorInput(ExecState*, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue regExpConstructorInput(ExecState*, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->input());
 }
 
-EncodedJSValue regExpConstructorMultiline(ExecState*, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue regExpConstructorMultiline(ExecState*, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     return JSValue::encode(jsBoolean(asRegExpConstructor(JSValue::decode(thisValue))->multiline()));
 }
 
-EncodedJSValue regExpConstructorLastMatch(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue regExpConstructorLastMatch(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 0));
 }
 
-EncodedJSValue regExpConstructorLastParen(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue regExpConstructorLastParen(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getLastParen(exec));
 }
 
-EncodedJSValue regExpConstructorLeftContext(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue regExpConstructorLeftContext(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getLeftContext(exec));
 }
 
-EncodedJSValue regExpConstructorRightContext(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue regExpConstructorRightContext(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getRightContext(exec));
 }
diff --git a/Source/JavaScriptCore/tests/stress/proxy-get-with-primitive-receiver.js b/Source/JavaScriptCore/tests/stress/proxy-get-with-primitive-receiver.js
new file mode 100644 (file)
index 0000000..2b3d3bd
--- /dev/null
@@ -0,0 +1,22 @@
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+
+shouldBe(Reflect.get(new Proxy({}, {}), 0, 1), undefined);
+shouldBe(Reflect.get(new Proxy({}, {}), 'hello', 1), undefined);
+
+{
+    let target = {};
+    let handlers = {
+        get: function(theTarget, propName, receiver) {
+            // Receiver can be a primitive value.
+            shouldBe(receiver, 1);
+            return 42;
+        }
+    };
+    let proxy = new Proxy(target, handlers);
+    shouldBe(Reflect.get(proxy, 0, 1), 42);
+    shouldBe(Reflect.get(proxy, 'hello', 1), 42);
+}
index cce1205..81d4572 100644 (file)
@@ -1,3 +1,32 @@
+2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
+        https://bugs.webkit.org/show_bug.cgi?id=157080
+
+        Reviewed by Saam Barati.
+
+        * bindings/js/JSDOMBinding.h:
+        (WebCore::nonCachingStaticFunctionGetter):
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::jsDOMWindowWebKit):
+        * bindings/js/JSPluginElementFunctions.cpp:
+        (WebCore::pluginElementPropertyGetter):
+        * bindings/js/JSPluginElementFunctions.h:
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+        (GenerateImplementation):
+        * bridge/runtime_array.cpp:
+        (JSC::RuntimeArray::lengthGetter):
+        * bridge/runtime_array.h:
+        * bridge/runtime_method.cpp:
+        (JSC::RuntimeMethod::lengthGetter):
+        * bridge/runtime_method.h:
+        * bridge/runtime_object.cpp:
+        (JSC::Bindings::RuntimeObject::fallbackObjectGetter):
+        (JSC::Bindings::RuntimeObject::fieldGetter):
+        (JSC::Bindings::RuntimeObject::methodGetter):
+        * bridge/runtime_object.h:
+
 2016-05-23  Alex Christensen  <achristensen@webkit.org>
 
         Modernize CSS code
index 90326f1..f9ca3bf 100644 (file)
@@ -305,7 +305,7 @@ String propertyNameToString(JSC::PropertyName);
 AtomicString propertyNameToAtomicString(JSC::PropertyName);
 
 template<typename DOMClass> const JSC::HashTableValue* getStaticValueSlotEntryWithoutCaching(JSC::ExecState*, JSC::PropertyName);
-template<JSC::NativeFunction, int length> JSC::EncodedJSValue nonCachingStaticFunctionGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);
+template<JSC::NativeFunction, int length> JSC::EncodedJSValue nonCachingStaticFunctionGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);
 
 // Inline functions and template definitions.
 
@@ -784,7 +784,7 @@ template<> inline const JSC::HashTableValue* getStaticValueSlotEntryWithoutCachi
     return nullptr;
 }
 
-template<JSC::NativeFunction nativeFunction, int length> JSC::EncodedJSValue nonCachingStaticFunctionGetter(JSC::ExecState* exec, JSC::EncodedJSValue, JSC::PropertyName propertyName)
+template<JSC::NativeFunction nativeFunction, int length> JSC::EncodedJSValue nonCachingStaticFunctionGetter(JSC::ExecState* exec, JSC::EncodedJSValue, JSC::PropertyName propertyName, JSC::JSObject*)
 {
     return JSC::JSValue::encode(JSC::JSFunction::create(exec->vm(), exec->lexicalGlobalObject(), length, propertyName.publicName(), nativeFunction));
 }
index 6d4be3e..ac61fbb 100644 (file)
@@ -62,7 +62,7 @@ void JSDOMWindow::visitAdditionalChildren(SlotVisitor& visitor)
 }
 
 #if ENABLE(USER_MESSAGE_HANDLERS)
-static EncodedJSValue jsDOMWindowWebKit(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+static EncodedJSValue jsDOMWindowWebKit(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     JSDOMWindow* castedThis = toJSDOMWindow(JSValue::decode(thisValue));
     if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, castedThis->wrapped()))
index 2865372..30edaf7 100644 (file)
@@ -94,7 +94,7 @@ JSObject* pluginScriptObject(ExecState* exec, JSHTMLElement* jsHTMLElement)
     return instance->createRuntimeObject(exec);
 }
     
-EncodedJSValue pluginElementPropertyGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+EncodedJSValue pluginElementPropertyGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
 {
 
     JSHTMLElement* thisObject = jsDynamicCast<JSHTMLElement*>(JSValue::decode(thisValue));
index 7a3f832..c64edbf 100644 (file)
@@ -38,8 +38,7 @@ namespace WebCore {
     JSC::Bindings::Instance* pluginInstance(HTMLElement&);
     WEBCORE_EXPORT JSC::JSObject* pluginScriptObject(JSC::ExecState*, JSHTMLElement*);
 
-    JSC::EncodedJSValue pluginElementPropertyGetter(JSC::ExecState*,
-    JSC::EncodedJSValue, JSC::PropertyName);
+    JSC::EncodedJSValue pluginElementPropertyGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);
     bool pluginElementCustomGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, JSHTMLElement*);
     bool pluginElementCustomPut(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSHTMLElement*, JSC::PutPropertySlot&, bool& putResult);
     JSC::CallType pluginElementGetCallData(JSHTMLElement*, JSC::CallData&);
index 17c305a..2336f12 100644 (file)
@@ -1507,7 +1507,7 @@ sub GenerateHeader
             my $conditionalString = $codeGenerator->GenerateConditionalString($attribute->signature);
             push(@headerContent, "#if ${conditionalString}\n") if $conditionalString;
             my $getter = GetAttributeGetterName($interface, $className, $attribute);
-            push(@headerContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);\n");
+            push(@headerContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);\n");
             if (!IsReadonly($attribute)) {
                 my $setter = GetAttributeSetterName($interface, $className, $attribute);
                 push(@headerContent, "bool ${setter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue);\n");
@@ -2068,7 +2068,7 @@ sub GenerateImplementation
             my $conditionalString = $codeGenerator->GenerateConditionalString($attribute->signature);
             push(@implContent, "#if ${conditionalString}\n") if $conditionalString;
             my $getter = GetAttributeGetterName($interface, $className, $attribute);
-            push(@implContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);\n");
+            push(@implContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);\n");
             if (!IsReadonly($attribute)) {
                 my $setter = GetAttributeSetterName($interface, $className, $attribute);
                 push(@implContent, "bool ${setter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue);\n");
@@ -2078,7 +2078,7 @@ sub GenerateImplementation
         
         if (NeedsConstructorProperty($interface)) {
             my $getter = "js" . $interfaceName . "Constructor";
-            push(@implContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);\n");
+            push(@implContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);\n");
         }
 
         my $constructorFunctionName = "setJS" . $interfaceName . "Constructor";
@@ -2538,11 +2538,12 @@ sub GenerateImplementation
             my $attributeConditionalString = $codeGenerator->GenerateConditionalString($attribute->signature);
             push(@implContent, "#if ${attributeConditionalString}\n") if $attributeConditionalString;
 
-            push(@implContent, "EncodedJSValue ${getFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName)\n");
+            push(@implContent, "EncodedJSValue ${getFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName, JSObject* slotBase)\n");
             push(@implContent, "{\n");
 
             push(@implContent, "    UNUSED_PARAM(state);\n");
             push(@implContent, "    UNUSED_PARAM(thisValue);\n");
+            push(@implContent, "    UNUSED_PARAM(slotBase);\n");
 
             if (!$attribute->isStatic || $attribute->signature->type =~ /Constructor$/) {
                 push(@implContent, "    JSValue decodedThisValue = JSValue::decode(thisValue);\n");
@@ -2741,7 +2742,7 @@ sub GenerateImplementation
         if (NeedsConstructorProperty($interface)) {
             my $constructorFunctionName = "js" . $interfaceName . "Constructor";
 
-            push(@implContent, "EncodedJSValue ${constructorFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName)\n");
+            push(@implContent, "EncodedJSValue ${constructorFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName, JSObject*)\n");
             push(@implContent, "{\n");
             push(@implContent, "    ${className}Prototype* domObject = jsDynamicCast<${className}Prototype*>(JSValue::decode(thisValue));\n");
             push(@implContent, "    if (UNLIKELY(!domObject))\n");
index c5b3c4f..75611e4 100644 (file)
@@ -60,7 +60,7 @@ void RuntimeArray::destroy(JSCell* cell)
     static_cast<RuntimeArray*>(cell)->RuntimeArray::~RuntimeArray();
 }
 
-EncodedJSValue RuntimeArray::lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue RuntimeArray::lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     RuntimeArray* thisObject = jsDynamicCast<RuntimeArray*>(JSValue::decode(thisValue));
     if (!thisObject)
index 018c132..da51605 100644 (file)
@@ -83,7 +83,7 @@ protected:
 
 private:
     RuntimeArray(ExecState*, Structure*);
-    static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName);
+    static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
 
     BindingsArray* m_array;
 };
index ae2b2b9..a37c88d 100644 (file)
@@ -54,7 +54,7 @@ void RuntimeMethod::finishCreation(VM& vm, const String& ident)
     ASSERT(inherits(info()));
 }
 
-EncodedJSValue RuntimeMethod::lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+EncodedJSValue RuntimeMethod::lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
 {
     RuntimeMethod* thisObject = jsDynamicCast<RuntimeMethod*>(JSValue::decode(thisValue));
     if (!thisObject)
index d86d594..234223e 100644 (file)
@@ -66,7 +66,7 @@ protected:
     static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
 
 private:
-    static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName);
+    static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
 
     Bindings::Method* m_method;
 };
index a573e05..46aa49c 100644 (file)
@@ -62,7 +62,7 @@ void RuntimeObject::invalidate()
     m_instance = nullptr;
 }
 
-EncodedJSValue RuntimeObject::fallbackObjectGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+EncodedJSValue RuntimeObject::fallbackObjectGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
 {
     RuntimeObject* thisObj = jsCast<RuntimeObject*>(JSValue::decode(thisValue));
     RefPtr<Instance> instance = thisObj->m_instance;
@@ -80,7 +80,7 @@ EncodedJSValue RuntimeObject::fallbackObjectGetter(ExecState* exec, EncodedJSVal
     return JSValue::encode(result);
 }
 
-EncodedJSValue RuntimeObject::fieldGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+EncodedJSValue RuntimeObject::fieldGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
 {    
     RuntimeObject* thisObj = jsCast<RuntimeObject*>(JSValue::decode(thisValue));
     RefPtr<Instance> instance = thisObj->m_instance;
@@ -99,7 +99,7 @@ EncodedJSValue RuntimeObject::fieldGetter(ExecState* exec, EncodedJSValue thisVa
     return JSValue::encode(result);
 }
 
-EncodedJSValue RuntimeObject::methodGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+EncodedJSValue RuntimeObject::methodGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
 {
     RuntimeObject* thisObj = jsCast<RuntimeObject*>(JSValue::decode(thisValue));
     RefPtr<Instance> instance = thisObj->m_instance;
index 81d4ebd..cca746e 100644 (file)
@@ -78,9 +78,9 @@ protected:
     void finishCreation(VM&);
 
 private:
-    static EncodedJSValue fallbackObjectGetter(ExecState*, EncodedJSValue, PropertyName);
-    static EncodedJSValue fieldGetter(ExecState*, EncodedJSValue, PropertyName);
-    static EncodedJSValue methodGetter(ExecState*, EncodedJSValue, PropertyName);
+    static EncodedJSValue fallbackObjectGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+    static EncodedJSValue fieldGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
+    static EncodedJSValue methodGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
 
     RefPtr<Instance> m_instance;
 };
index 29098b6..118288b 100644 (file)
@@ -1,3 +1,15 @@
+2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
+        https://bugs.webkit.org/show_bug.cgi?id=157080
+
+        Reviewed by Saam Barati.
+
+        * WebProcess/Plugins/Netscape/JSNPObject.cpp:
+        (WebKit::JSNPObject::propertyGetter):
+        (WebKit::JSNPObject::methodGetter):
+        * WebProcess/Plugins/Netscape/JSNPObject.h:
+
 2016-05-23  Chris Dumez  <cdumez@apple.com>
 
         Generate bindings code for EventTarget.addEventListener() / removeEventListener()
index d561ae1..b5a4604 100644 (file)
@@ -435,7 +435,7 @@ void JSNPObject::getOwnPropertyNames(JSObject* object, ExecState* exec, Property
     npnMemFree(identifiers);
 }
 
-EncodedJSValue JSNPObject::propertyGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+EncodedJSValue JSNPObject::propertyGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
 {
     JSNPObject* thisObj = jsCast<JSNPObject*>(JSValue::decode(thisValue));
     ASSERT_GC_OBJECT_INHERITS(thisObj, info());
@@ -475,7 +475,7 @@ EncodedJSValue JSNPObject::propertyGetter(ExecState* exec, EncodedJSValue thisVa
     return JSValue::encode(propertyValue);
 }
 
-EncodedJSValue JSNPObject::methodGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
+EncodedJSValue JSNPObject::methodGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
 {
     JSNPObject* thisObj = jsCast<JSNPObject*>(JSValue::decode(thisValue));
     ASSERT_GC_OBJECT_INHERITS(thisObj, info());
index 8bafeb0..385782c 100644 (file)
@@ -94,8 +94,8 @@ private:
 
     static void getOwnPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode);
 
-    static JSC::EncodedJSValue propertyGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);
-    static JSC::EncodedJSValue methodGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);
+    static JSC::EncodedJSValue propertyGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);
+    static JSC::EncodedJSValue methodGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);
     static JSC::JSObject* throwInvalidAccessError(JSC::ExecState*);
 
     NPRuntimeObjectMap* m_objectMap;