debug-evaluate: do not return JSGlobalObject instead of JSGlobalProxy

DebugEvaluate contains code since 2009 that bypasses JSGlobalProxy and returns JSGlobalObject when result of expression is global proxy. This behavior may be dangerous: - JSGlobalObject does not perform security checks, - some parts of V8 code do not ready for JSGlobalObject, e.g., SetHashAndUpdateProperties function will crash on DCHECK if we will try to store JSGlobalObject to map. At the same time it looks like there is no any valid use case for it. R=yangguo@chromium.org Bug: none Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel Change-Id: Ib0e35d5ae9ef47318c866e44c5c6856e34ed05a5 Reviewed-on: https://chromium-review.googlesource.com/1198764Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org> Cr-Commit-Position: refs/heads/master@{#55550}

debug-evaluate: do not return JSGlobalObject instead of JSGlobalProxy
DebugEvaluate contains code since 2009 that bypasses JSGlobalProxy and returns JSGlobalObject when result of expression is global proxy. This behavior may be dangerous: - JSGlobalObject does not perform security checks, - some parts of V8 code do not ready for JSGlobalObject, e.g., SetHashAndUpdateProperties function will crash on DCHECK if we will try to store JSGlobalObject to map. At the same time it looks like there is no any valid use case for it. R=yangguo@chromium.org Bug: none Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel Change-Id: Ib0e35d5ae9ef47318c866e44c5c6856e34ed05a5 Reviewed-on: https://chromium-review.googlesource.com/1198764Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org> Cr-Commit-Position: refs/heads/master@{#55550}
215608f4 · Alexey Kozyatinskiy · Commit Bot · b4904de3 · 215608f4 · 215608f4
Commit 215608f4 authored Aug 31, 2018 by Alexey Kozyatinskiy Committed by Commit Bot Aug 31, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 20 deletions

debug-evaluate.cc src/debug/debug-evaluate.cc +5 -17

this-in-arrow-function-expected.txt test/inspector/debugger/this-in-arrow-function-expected.txt +3 -3

No files found.
--- a/src/debug/debug-evaluate.cc
+++ b/src/debug/debug-evaluate.cc
@@ -140,25 +140,13 @@ MaybeHandle<Object> DebugEvaluate::Evaluate(
      Object);

  Handle<Object> result;
-  bool sucess = false;
+  bool success = false;
  if (throw_on_side_effect) isolate->debug()->StartSideEffectCheckMode();
-  sucess = Execution::Call(isolate, eval_fun, receiver, 0, nullptr)
-               .ToHandle(&result);
+  success = Execution::Call(isolate, eval_fun, receiver, 0, nullptr)
+                .ToHandle(&result);
  if (throw_on_side_effect) isolate->debug()->StopSideEffectCheckMode();
-  if (!sucess) {
-    DCHECK(isolate->has_pending_exception());
-    return MaybeHandle<Object>();
-  }
-
-  // Skip the global proxy as it has no properties and always delegates to the
-  // real global object.
-  if (result->IsJSGlobalProxy()) {
-    PrototypeIterator iter(isolate, Handle<JSGlobalProxy>::cast(result));
-    // TODO(verwaest): This will crash when the global proxy is detached.
-    result = PrototypeIterator::GetCurrent<JSObject>(iter);
-  }
-
-  return result;
+  if (!success) DCHECK(isolate->has_pending_exception());
+  return success ? result : MaybeHandle<Object>();
 }

 Handle<SharedFunctionInfo> DebugEvaluate::ContextBuilder::outer_info() const {

--- a/test/inspector/debugger/this-in-arrow-function-expected.txt
+++ b/test/inspector/debugger/this-in-arrow-function-expected.txt
@@ -98,10 +98,10 @@ This on callFrame:
 }
 This in evaluateOnCallFrame:
 {
-    className : Object
-    description : Object
+    className : global
+    description : global
    objectId : <objectId>
    type : object
 }
-Values equal: false
+Values equal: true