LibJS: Do more comprehensive check if next() fast path is possible

Before this change, each built-in iterator object had a boolean
`m_next_method_was_redefined`. If user code later changed the iterator’s
prototype (e.g. `Object.setPrototypeOf()`), we still believed the
built-in fast-path was safe and skipped the user-supplied override,
producing wrong results.

With this change
`BuiltinIterator::as_builtin_iterator_if_next_is_not_redefined()` looks
up the current `next` property and verifies that it is still the
built-in native function.
Aliaksandr Kalenik 2025-06-01 18:44:18 +02:00 committed by Alexander Kalenik
parent 0fcb574041
commit 285bc005cb
Notes: github-actions[bot] 2025-06-01 22:16:38 +00:00
25 changed files with 168 additions and 98 deletions


@ -12,20 +12,24 @@
namespace JS::Bytecode {
// TitleCaseName, snake_case_name, base, property, argument_count
#define JS_ENUMERATE_BUILTINS(O) \
O(MathAbs, math_abs, Math, abs, 1) \
O(MathLog, math_log, Math, log, 1) \
O(MathPow, math_pow, Math, pow, 2) \
O(MathExp, math_exp, Math, exp, 1) \
O(MathCeil, math_ceil, Math, ceil, 1) \
O(MathFloor, math_floor, Math, floor, 1) \
O(MathImul, math_imul, Math, imul, 2) \
O(MathRandom, math_random, Math, random, 0) \
O(MathRound, math_round, Math, round, 1) \
O(MathSqrt, math_sqrt, Math, sqrt, 1) \
O(MathSin, math_sin, Math, sin, 1) \
O(MathCos, math_cos, Math, cos, 1) \
O(MathTan, math_tan, Math, tan, 1)
#define JS_ENUMERATE_BUILTINS(O) \
O(MathAbs, math_abs, Math, abs, 1) \
O(MathLog, math_log, Math, log, 1) \
O(MathPow, math_pow, Math, pow, 2) \
O(MathExp, math_exp, Math, exp, 1) \
O(MathCeil, math_ceil, Math, ceil, 1) \
O(MathFloor, math_floor, Math, floor, 1) \
O(MathImul, math_imul, Math, imul, 2) \
O(MathRandom, math_random, Math, random, 0) \
O(MathRound, math_round, Math, round, 1) \
O(MathSqrt, math_sqrt, Math, sqrt, 1) \
O(MathSin, math_sin, Math, sin, 1) \
O(MathCos, math_cos, Math, cos, 1) \
O(MathTan, math_tan, Math, tan, 1) \
O(ArrayIteratorPrototypeNext, array_iterator_prototype_next, ArrayIteratorPrototype, next, 0) \
O(MapIteratorPrototypeNext, map_iterator_prototype_next, MapIteratorPrototype, next, 0) \
O(SetIteratorPrototypeNext, set_iterator_prototype_next, SetIteratorPrototype, next, 0) \
O(StringIteratorPrototypeNext, string_iterator_prototype_next, StringIteratorPrototype, next, 0)
enum class Builtin : u8 {
#define DEFINE_BUILTIN_ENUM(name, ...) name,
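Review bot: The legend comment above `JS_ENUMERATE_BUILTINS` no longer describes every row, because the four `*IteratorPrototypeNext` entries name an intrinsic prototype as `base` rather than a global such as `Math`. Judging by the dispatch switch changed in the same commit, they also appear never to be executed as builtin calls. A line such as `// The *IteratorPrototypeNext rows only tag the native next() functions for identity checks; they are not dispatched.` would keep a later reader from treating them like the Math rows. The enum body continues outside the hunk.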


@ -1799,7 +1799,7 @@ class JS_API PropertyNameIterator final
public:
virtual ~PropertyNameIterator() override = default;
BuiltinIterator* as_builtin_iterator_if_next_is_not_redefined() override { return this; }
BuiltinIterator* as_builtin_iterator_if_next_is_not_redefined(IteratorRecord const&) override { return this; }
ThrowCompletionOr<void> next(VM&, bool& done, Value& value) override
{
while (true) {
@ -2826,6 +2826,11 @@ static ThrowCompletionOr<Value> dispatch_builtin_call(Bytecode::Interpreter& int
return TRY(MathObject::cos_impl(interpreter.vm(), interpreter.get(arguments[0])));
case Builtin::MathTan:
return TRY(MathObject::tan_impl(interpreter.vm(), interpreter.get(arguments[0])));
case Builtin::ArrayIteratorPrototypeNext:
case Builtin::MapIteratorPrototypeNext:
case Builtin::SetIteratorPrototypeNext:
case Builtin::StringIteratorPrototypeNext:
VERIFY_NOT_REACHED();
case Bytecode::Builtin::__Count:
VERIFY_NOT_REACHED();
}
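Review bot: The four new `*IteratorPrototypeNext` cases in `dispatch_builtin_call` end in `VERIFY_NOT_REACHED()`, so the process aborts if a builtin call with one of these ids is ever dispatched, and nothing in the hunk shows what rules that out. If the bytecode generator chooses builtin ids by matching a call site's base and property names against `JS_ENUMERATE_BUILTINS` (not visible here), script could presumably select these ids and turn the assertion into a script-triggerable crash. Confirm the generator skips these entries, or fall back to the ordinary call path instead of asserting. At minimum add `// Identity tags only: the bytecode generator must never emit a builtin call for these.` above the cases. The switch starts outside the hunk.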