Andreas Kling
df8f074cf6
LibJS: Make TypedArray::data() return a Span<T>
This inserts bounds checking assertions whenever we're reading/writing
a typed array from JS.
2021-02-21 14:21:26 +01:00
Breno Silva
cfb0f3309d
LibJS: Implement tests for Array.prototype.flat
2021-02-18 00:22:45 +01:00
Kesse Jones
3940635ed3
LibJS: Implement Array.prototype.flat
2021-02-18 00:22:45 +01:00
Andreas Kling
ea81a4a529
LibJS: Avoid an unnecessary Vector copy in IndexedProperties::indices()
2021-02-17 15:23:32 +01:00
Andreas Kling
ee1b58bf41
LibJS: Use all_of() in JS::Value's BigInt validation
2021-02-17 15:22:21 +01:00
Andreas Kling
9efd80f100
LibJS: Use fabs() instead of abs() in JS::Value
abs() takes an int, so this would only work correctly for numbers
smaller than INT_MAX.
2021-02-15 13:58:24 +01:00
Linus Groh
4e2a961a3d
LibJS: Add BigInt equality tests for some large numbers
2021-02-14 10:51:00 +01:00
Linus Groh
2ed7f75e95
LibJS: Return empty value on exception in Date.parse(), not NaN
This is discarded anyway, so let's not confuse ourselves by returning a
NaN number value that's not going to be used.
2021-02-13 19:58:51 +01:00
Linus Groh
db340ae7aa
LibJS: Add missing exception check in Date() constructor
2021-02-13 19:58:51 +01:00
Andreas Kling
e1dbf74f15
LibJS: Add some basic freelist validation for the GC heap
When using the freelist, we now validate that the entries are actual
cell pointers within the current HeapBlock.
2021-02-13 00:40:49 +01:00
Andreas Kling
e8d3856736
LibJS: Randomize GC heap block locations
Allocate GC heap blocks with mmap(MAP_RANDOMIZED) for ASLR.
This may very well be too aggressive in terms of fragmentation, and we
can figure out ways to scale that back once it becomes a big problem.
For now, this makes the GC heap a lot less predictable for an attacker.
2021-02-12 19:15:59 +01:00
Andreas Kling
a50ba0a491
LibSyntax: Make rehighlight() take Gfx::Palette by const-reference
2021-02-11 23:52:39 +01:00
Andreas Kling
70bd1724db
LibJS: Include <typeinfo> in AST.cpp again
Linus points out that oss-fuzz wants this to be there.
2021-02-10 12:21:14 +01:00
Andreas Kling
635a5eec75
LibJS: Remove a whole bunch of unnecessary #includes
2021-02-10 09:13:29 +01:00
AnotherTest
09a43969ba
Everywhere: Replace dbgln<flag>(...) with dbgln_if(flag, ...)
Replacement made by `find Kernel Userland -name '*.h' -o -name '*.cpp' | sed -i -Ee 's/dbgln\b<(\w+)>\(/dbgln_if(\1, /g'`
2021-02-08 18:08:55 +01:00
Linus Groh
83c29bd8d7
LibJS: Don't assume match for each capture group in RegExp.prototype.exec()
This was not implementing the following part of the spec correctly:
27. For each integer i such that i ≥ 1 and i ≤ n, do
a. Let captureI be ith element of r's captures List.
b. If captureI is undefined, let capturedValue be undefined.
Expecting a capture group match to exist for each of the RegExp's
capture groups would assert in Vector's operator[] if that's not the
case, for example:
/(foo)(bar)?/.exec("foo")
Append undefined instead.
Fixes #5256 .
2021-02-08 18:01:23 +01:00
Andreas Kling
ddbf20ecf6
LibSyntax+LibGUI+LibJS: Move JS syntax highlighter to LibJS
This is a little bit messy but the basic idea is:
Syntax::Highlighter now has a Syntax::HighlighterClient to talk to the
outside world. It mostly communicates in LibGUI primitives that are
available in headers, so inlineable.
GUI::TextEditor inherits from Syntax::HighlighterClient.
This let us move GUI::JSSyntaxHighlighter to JS::SyntaxHighlighter
and remove LibGUI's dependency on LibJS.
2021-02-07 16:56:02 +01:00
Andreas Kling
767ff06f56
LibGfx: Make Color(NamedColor) inline and constexpr
2021-02-07 16:51:17 +01:00
Andreas Kling
3620a6e054
LibJS: Function must mark its home object
2021-02-07 10:57:07 +01:00
Andreas Kling
7df3b95126
LibJS: GlobalObject must mark builtin prototypes
Failing to mark them leads to use-after-free since the GlobalObject
cached prototypes are used for new NumberObject, StringObject, etc.
Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30319
2021-02-05 14:53:16 +01:00
Andreas Kling
16a0e7a66d
LibJS: Improve correctness of rounding and bitwise operations
Patch from Anonymous
2021-02-05 09:38:45 +01:00
Andreas Kling
91db36064f
LibJS: Fix obviously wrong \uXXXX serialization in JSONObject
2021-02-04 00:09:04 +01:00
Linus Groh
50957ec78e
LibJS: Fix variable name coding style int{Part => _part}
...and rename intpart_end to int_part_end for consistency.
2021-02-02 16:52:55 +01:00
Linus Groh
c41d340983
LibJS: Use VM::names for Object::invoke() function names
2021-02-01 10:34:45 +01:00
Linus Groh
f9b1a9e60c
LibJS: Let RegExp.string get RegExp.prototype from the global object directly
We can't assume that RegExp on the global object is still the original
constructor, or an object at all.
This makes '--RegExp<</<</</,/</x/' work. :^)
Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29740
2021-01-29 20:50:22 +01:00
Linus Groh
509e5a3045
LibJS: Fix crash when printing error for missing class extends value prototype
If it's missing we get an empty value, but we can't use that with
to_string_without_side_effects() so we have to use undefined as the
default.
Fixes #5142 .
2021-01-28 10:24:18 +01:00
Andreas Kling
803a20fa86
LibJS: Call the correct base class in LexicalEnvironment::visit_edges()
We were calling directly up to Cell, skipping over ScopeObject.
This made us not mark the scope chain parent for lexical environments,
sometimes causing them to get GC'd and use-after-free'd.
Found by Fuzzilli.
Fixes #5140 .
2021-01-28 10:15:24 +01:00
Andreas Kling
f6c6047e49
LibJS: Add overflow checks when creating TypedArray from ArrayBuffer
Thanks to Iliad for finding this! :^)
2021-01-27 07:57:07 +01:00
Andreas Kling
f3f2d77624
LibJS: Remove an unused TypedArray constructor
2021-01-25 23:23:33 +01:00
asynts
eea72b9b5c
Everywhere: Hook up remaining debug macros to Debug.h.
2021-01-25 09:47:36 +01:00
asynts
acdcf59a33
Everywhere: Remove unnecessary debug comments.
It would be tempting to uncomment these statements, but that won't work
with the new changes.
This was done with the following commands:
find . \( -name '*.cpp' -o -name '*.h' -o -name '*.in' \) -not -path './Toolchain/*' -not -path './Build/*' -exec awk -i inplace '$0 !~ /\/\/#define/ { if (!toggle) { print; } else { toggle = !toggle } } ; $0 ~/\/\/#define/ { toggle = 1 }' {} \;
find . \( -name '*.cpp' -o -name '*.h' -o -name '*.in' \) -not -path './Toolchain/*' -not -path './Build/*' -exec awk -i inplace '$0 !~ /\/\/ #define/ { if (!toggle) { print; } else { toggle = !toggle } } ; $0 ~/\/\/ #define/ { toggle = 1 }' {} \;
2021-01-25 09:47:36 +01:00
Linus Groh
02cca92763
LibJS: Set length of TypedArray constructors to 3
https://tc39.es/ecma262/#sec-typedarray-constructors
Each TypedArray constructor [...] has a "length" property whose
value is 3.
2021-01-24 22:24:10 +01:00
Andreas Kling
7a71d4b887
LibJS: Add some assertions and tests for TypedArray limitations
2021-01-24 19:08:44 +01:00
Andreas Kling
0e3ee03e2b
LibJS: Throw exception on too large TypedArray construction request
We will now throw a RangeError in these cases:
* new TypedArray with >= INT32_MAX entries
* new TypedArray whose ArrayBuffer allocation size computation would
cause a 32-bit unsigned overflow.
2021-01-24 18:55:06 +01:00
Linus Groh
f37d3f25e6
LibJS: Remove redundant exception check from ClassExpression::execute()
as_object() cannot fail, leftover from ea55453.
2021-01-24 00:40:22 +01:00
Linus Groh
766f30f593
LibJS: Check if class extends value has a valid prototype
If we have a function as class extends value, we still cannot assume
that it has a prototype property and that property has a function or
null as its value - blindly calling to_object() on it may fail.
Fixes #5075 .
2021-01-24 00:09:18 +01:00
Nico Weber
8ccd8b4a6f
LibJS: Include <typeinfo> in AST.cpp
Without this, the oss-fuzz build says:
../Userland/Libraries/LibJS/AST.cpp:58:34: error: member access into incomplete type 'const std::type_info'
return demangle(typeid(*this).name()).substring(4);
^
2021-01-20 21:00:27 +01:00
Andreas Kling
81839ea1bd
LibJS: Add JS::NativeFunction to the forwarding header
2021-01-18 12:18:29 +01:00
Andreas Kling
4da913bfab
LibJS: Replace ASTNode::class_name() with RTTI
This is only used for debugging anyway, so performance doesn't matter
too much.
2021-01-17 14:36:53 +01:00
Linus Groh
f253f68768
LibJS: Rename ErrorType::ProxyGetOwnDescriptor{Undef => Undefined}Return
This seems like an unnecessary and uncommon abbreviation.
2021-01-14 08:13:32 +01:00
Linus Groh
cab3049dcc
LibJS: Rename ErrorType::ToObjectNullOr{Undef => Undefined}
This seems like an unnecessary and uncommon abbreviation.
2021-01-14 08:13:32 +01:00
Andreas Kling
13d7c09125
Libraries: Move to Userland/Libraries/
2021-01-12 12:17:46 +01:00