IDB serialization of some DOM object types crashes the Networking process due to incorrect global object type (WPT IndexedDB/structured-clone.any tests fail)

https://bugs.webkit.org/show_bug.cgi?id=210735
<rdar://problem/62045703>

Patch by Sihui Liu <[email protected]> on 2020-07-16
Reviewed by Yusuke Suzuki.

Source/WebCore:

In r239746, IDB went back to use JSGlobalObject for serialization and deserialization. However, in our current
implementation, there is a strong assumption that DOM JS objects are tied to JSDOMGlobalObject, which is
derived from JSGlobalObject. For example, in SerializedScriptValue.cpp, we cast the global object to
JSDOMGlobalObject in many places.

We recently notice this issue when we enable some wpt test, which has been disabled since it was imported as
some types were not supported. The test fails as DOMMatrix object requires its global object to be
JSDOMGlobalObject. To fix this, introduce a new Class JSIDBSerializationGlobalObject, derived from
JSDOMGlobalObject, and use it for IDB serialization.

Tests: LayoutTests/storage/indexeddb/structured-clone.html
       LayoutTests/storage/indexeddb/structured-clone-private.html

* Modules/indexeddb/server/IDBSerializationContext.cpp:
(WebCore::IDBServer::IDBSerializationContext::initializeVM):
* Modules/indexeddb/server/IDBSerializationContext.h:
* Sources.txt:
* WebCore.xcodeproj/project.pbxproj:
* bindings/js/JSDOMGlobalObject.cpp:
(WebCore::JSDOMGlobalObject::scriptExecutionContext const):
* bindings/js/JSIDBSerializationGlobalObject.cpp: Added.
(WebCore::JSIDBSerializationGlobalObject::JSIDBSerializationGlobalObject):
(WebCore::JSIDBSerializationGlobalObject::create):
(WebCore::JSIDBSerializationGlobalObject::finishCreation):
(WebCore::JSIDBSerializationGlobalObject::subspaceForImpl):
(WebCore::JSIDBSerializationGlobalObject::destroy):
* bindings/js/JSIDBSerializationGlobalObject.h: Added.
* bindings/js/WebCoreJSClientData.cpp:
(WebCore::JSVMClientData::JSVMClientData):
* bindings/js/WebCoreJSClientData.h:
(WebCore::JSVMClientData::idbSerializationSpace):
* dom/EmptyScriptExecutionContext.h: Added.
* worklets/WorkletScriptController.h:

LayoutTests:

* platform/ios/TestExpectations:
* platform/wk2/TestExpectations:
* storage/indexeddb/resources/structured-clone.js:
(testPrimitiveValue):
(testBoolean):
(testBooleanObject):
(testString):
(testStringObject):
(testNumber):
(testNumberObject):
(testBigInt):
(testBigIntObject.testOneBigIntObject):
(testBigIntObject):
(testDateObject):
(testTypedArray.testTypedArrayValue):
(testArrays):
(testGeometryTypes.testOneGeometryType):
(testRTCCertificate.promise.then):
(testRTCCertificate):
(testCryptoKey.promise.then):
(testBadTypes): Deleted.
* storage/indexeddb/structured-clone-expected.txt:
* storage/indexeddb/structured-clone-private-expected.txt:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@264486 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: [email protected]

LayoutTests/ChangeLog

@@ -1,3 +1,35 @@
+2020-07-16  Sihui Liu  <[email protected]>
+
+        IDB serialization of some DOM object types crashes the Networking process due to incorrect global object type (WPT IndexedDB/structured-clone.any tests fail)
+        https://bugs.webkit.org/show_bug.cgi?id=210735
+        <rdar://problem/62045703>
+
+        Reviewed by Yusuke Suzuki.
+
+        * platform/ios/TestExpectations:
+        * platform/wk2/TestExpectations:
+        * storage/indexeddb/resources/structured-clone.js:
+        (testPrimitiveValue):
+        (testBoolean):
+        (testBooleanObject):
+        (testString):
+        (testStringObject):
+        (testNumber):
+        (testNumberObject):
+        (testBigInt):
+        (testBigIntObject.testOneBigIntObject):
+        (testBigIntObject):
+        (testDateObject):
+        (testTypedArray.testTypedArrayValue):
+        (testArrays):
+        (testGeometryTypes.testOneGeometryType):
+        (testRTCCertificate.promise.then):
+        (testRTCCertificate):
+        (testCryptoKey.promise.then):
+        (testBadTypes): Deleted.
+        * storage/indexeddb/structured-clone-expected.txt:
+        * storage/indexeddb/structured-clone-private-expected.txt:
+
 2020-07-16  Hector Lopez  <[email protected]>
 
         [ macOS iOS ] imported/mozilla/svg/blend-saturation.svg is passing and need expectations removed 

LayoutTests/platform/ios/TestExpectations

@@ -1408,8 +1408,6 @@ webkit.org/b/181752 storage/indexeddb/removed-private.html [ Failure ]
 webkit.org/b/181752 storage/indexeddb/removed.html [ Failure ]
 webkit.org/b/181752 storage/indexeddb/request-leak-private.html [ Failure ]
 webkit.org/b/181752 storage/indexeddb/request-leak.html [ Failure ]
-webkit.org/b/181752 storage/indexeddb/structured-clone-private.html [ Failure ]
-webkit.org/b/181752 storage/indexeddb/structured-clone.html [ Failure ]
 webkit.org/b/181752 storage/indexeddb/wasm-exceptions.html [ Failure ]
 webkit.org/b/181752 storage/indexeddb/database-quota-private.html [ Skip ]
 webkit.org/b/181752 storage/indexeddb/database-quota.html [ Skip ]

LayoutTests/platform/wk2/TestExpectations

@@ -657,8 +657,6 @@ media/video-src-blob.html
 security/contentSecurityPolicy/image-with-blob-url-allowed-by-img-src-star-with-AllowContentSecurityPolicySourceStarToMatchAnyProtocol-enabled.html
 security/contentSecurityPolicy/image-with-blob-url-blocked-by-img-src-star.html
 security/contentSecurityPolicy/video-with-blob-url-allowed-by-media-src-star.html
-storage/indexeddb/structured-clone.html
-storage/indexeddb/structured-clone-private.html
 
 # WebKitTestRunner doesn't have eventSender.fireKeyboardEventsToElement
 platform/mac/fast/events/objc-keyboard-event-creation.html