LibJS: Don't set a prototype property on async functions

This is now as defined in the spec. However since we execute async functions in bytecode by transforming it to a generator function it must have a prototype for the GeneratorObject. We check whether it is an async function and in that case use the hardcoded generator object prototype. This also ensures that user code cannot override this property thus preventing exposing internal implementation details.
Author: https://github.com/davidot Commit: https://github.com/SerenityOS/serenity/commit/5d0f666f22d Pull-request: https://github.com/SerenityOS/serenity/pull/10926 Reviewed-by: https://github.com/linusg ✅
2025-04-21 20:15:17 +00:00 · 2021-11-15 01:48:55 +01:00 · 2021-11-15 01:48:55 +01:00 · 5d0f666f22 · 2024-07-18 00:53:21 +09:00
commit 5d0f666f22
parent de46a2cff1
3 changed files with 13 additions and 2 deletions
--- a/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp
@ -101,10 +101,11 @@ void ECMAScriptFunctionObject::initialize(GlobalObject& global_object)
            MUST(prototype->define_property_or_throw(vm.names.constructor, { .value = this, .writable = true, .enumerable = false, .configurable = true }));
            break;
        case FunctionKind::Generator:
-        case FunctionKind::Async:
            // prototype is "g1.prototype" in figure-2 (https://tc39.es/ecma262/img/figure-2.png)
            prototype = global_object.generator_object_prototype();
            break;
+        case FunctionKind::Async:
+            break;
        }
        define_direct_property(vm.names.prototype, prototype, Attribute::Writable);
    }
--- a/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.h
+++ b/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.h
@ -75,6 +75,8 @@ public:
    // Equivalent to absence of [[Construct]]
    virtual bool has_constructor() const override { return m_kind == FunctionKind::Regular && !m_is_arrow_function; }

+    FunctionKind kind() const { return m_kind; }
+
 protected:
    virtual bool is_strict_mode() const final { return m_strict; }

--- a/Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp
@ -16,7 +16,15 @@ namespace JS {
 ThrowCompletionOr<GeneratorObject*> GeneratorObject::create(GlobalObject& global_object, Value initial_value, ECMAScriptFunctionObject* generating_function, ExecutionContext execution_context, Bytecode::RegisterWindow frame)
 {
    // This is "g1.prototype" in figure-2 (https://tc39.es/ecma262/img/figure-2.png)
-    auto generating_function_prototype = TRY(generating_function->get(global_object.vm().names.prototype));
+    Value generating_function_prototype;
+    if (generating_function->kind() == FunctionKind::Async) {
+        // We implement async functions by transforming them to generator function in the bytecode
+        // interpreter. However an async function does not have a prototype and should not be
+        // changed thus we hardcode the prototype.
+        generating_function_prototype = global_object.generator_object_prototype();
+    } else {
+        generating_function_prototype = TRY(generating_function->get(global_object.vm().names.prototype));
+    }
    auto* generating_function_prototype_object = TRY(generating_function_prototype.to_object(global_object));
    auto object = global_object.heap().allocate<GeneratorObject>(global_object, global_object, *generating_function_prototype_object, move(execution_context));
    object->m_generating_function = generating_function;