From d071d1a7b1ac9810ece1e1acf8ea76491fe8b697 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Bargull?=
Date: Mon, 9 Sep 2024 06:16:17 +0000
Subject: [PATCH] Bug 1916990 - Part 5: Assert WithEnvironmentObject::withThis doesn't return a Window object. r=spidermonkey-reviewers,sfink

Differential Revision: https://phabricator.services.mozilla.com/D221211
---
 js/src/vm/EnvironmentObject.cpp | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/js/src/vm/EnvironmentObject.cpp b/js/src/vm/EnvironmentObject.cpp
index 2ddb4351edca..b1f36c5d28e6 100644
--- a/js/src/vm/EnvironmentObject.cpp
+++ b/js/src/vm/EnvironmentObject.cpp
@@ -1222,8 +1222,8 @@ ClassBodyLexicalEnvironmentObject::createWithoutEnclosing(
 JSObject* ExtensibleLexicalEnvironmentObject::thisObject() const {
 JSObject* obj = &getReservedSlot(THIS_VALUE_OR_SCOPE_SLOT).toObject();

- // Windows must never be exposed to script. setWindowProxyThisValue should
- // have set this to the WindowProxy.
+ // Windows must never be exposed to script. initThisObject should have set
+ // this to the WindowProxy.
 MOZ_ASSERT(!IsWindow(obj));

 // WarpBuilder relies on the return value not being nursery-allocated for the
@@ -3438,7 +3438,13 @@ JSObject& WithEnvironmentObject::object() const {
 }

 JSObject* WithEnvironmentObject::withThis() const {
- return &getReservedSlot(THIS_SLOT).toObject();
+ JSObject* obj = &getReservedSlot(THIS_SLOT).toObject();
+
+ // Windows must never be exposed to script. WithEnvironmentObject::create
+ // should have set this to the WindowProxy.
+ MOZ_ASSERT(!IsWindow(obj));
+
+ return obj;
 }

 bool WithEnvironmentObject::isSyntactic() const {
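Review bot: The added `MOZ_ASSERT(!IsWindow(obj))` in `WithEnvironmentObject::withThis()` compiles out of release builds, so it documents the Window/WindowProxy invariant rather than enforcing it; whatever stores `THIS_SLOT` in `WithEnvironmentObject::create` (outside this hunk) remains the only real guard. The comment would be clearer if it said so, e.g. `// Debug-only check: WithEnvironmentObject::create is responsible for storing the WindowProxy, never the Window, in THIS_SLOT.` If handing a bare Window to script here would be security-relevant, it may be worth asking whether `MOZ_DIAGNOSTIC_ASSERT` is appropriate, keeping in mind that `ExtensibleLexicalEnvironmentObject::thisObject()` in the first hunk uses plain `MOZ_ASSERT` for the same invariant. The patch touches only this file, so a debug-build test that evaluates `with` over a global object would have to come from another part of the series.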