debug-evaluate: do not return JSGlobalObject instead of JSGlobalProxy

alexkozy · Commit Bot · commit 215608f45349 · 2018-08-31T14:20:39.000Z
DebugEvaluate contains code since 2009 that bypasses JSGlobalProxy and returns JSGlobalObject when result of expression is global proxy. This behavior may be dangerous: - JSGlobalObject does not perform security checks, - some parts of V8 code do not ready for JSGlobalObject, e.g., SetHashAndUpdateProperties function will crash on DCHECK if we will try to store JSGlobalObject to map. At the same time it looks like there is no any valid use case for it. R=yangguo@chromium.org Bug: none Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel Change-Id: Ib0e35d5ae9ef47318c866e44c5c6856e34ed05a5 Reviewed-on: https://chromium-review.googlesource.com/1198764 Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org> Cr-Commit-Position: refs/heads/master@{#55550}
diff --git a/src/debug/debug-evaluate.cc b/src/debug/debug-evaluate.cc
@@ -140,25 +140,13 @@ MaybeHandle<Object> DebugEvaluate::Evaluate(
       Object);
 
   Handle<Object> result;
-  bool sucess = false;
+  bool success = false;
   if (throw_on_side_effect) isolate->debug()->StartSideEffectCheckMode();
-  sucess = Execution::Call(isolate, eval_fun, receiver, 0, nullptr)
-               .ToHandle(&result);
+  success = Execution::Call(isolate, eval_fun, receiver, 0, nullptr)
+                .ToHandle(&result);
   if (throw_on_side_effect) isolate->debug()->StopSideEffectCheckMode();
-  if (!sucess) {
-    DCHECK(isolate->has_pending_exception());
-    return MaybeHandle<Object>();
-  }
-
-  // Skip the global proxy as it has no properties and always delegates to the
-  // real global object.
-  if (result->IsJSGlobalProxy()) {
-    PrototypeIterator iter(isolate, Handle<JSGlobalProxy>::cast(result));
-    // TODO(verwaest): This will crash when the global proxy is detached.
-    result = PrototypeIterator::GetCurrent<JSObject>(iter);
-  }
-
-  return result;
+  if (!success) DCHECK(isolate->has_pending_exception());
+  return success ? result : MaybeHandle<Object>();
 }
 
 Handle<SharedFunctionInfo> DebugEvaluate::ContextBuilder::outer_info() const {
diff --git a/test/inspector/debugger/this-in-arrow-function-expected.txt b/test/inspector/debugger/this-in-arrow-function-expected.txt
@@ -98,10 +98,10 @@ This on callFrame:
 }
 This in evaluateOnCallFrame:
 {
-    className : Object
-    description : Object
+    className : global
+    description : global
     objectId : <objectId>
     type : object
 }
-Values equal: false
+Values equal: true
 

Original file line number	Diff line number	Diff line change
`@@ -98,10 +98,10 @@ This on callFrame:`
`98`	`98`	`}`
`99`	`99`	`This in evaluateOnCallFrame:`
`100`	`100`	`{`
`101`		`- className : Object`
`102`		`- description : Object`
	`101`	`+ className : global`
	`102`	`+ description : global`
`103`	`103`	`objectId : <objectId>`
`104`	`104`	`type : object`
`105`	`105`	`}`
`106`		`-Values equal: false`
	`106`	`+Values equal: true`
`107`	`107`