[JSC] Fix iteratorHelperPrivateFuncCreate since underlyingIterator ca…

…n be jsNull https://bugs.webkit.org/show_bug.cgi?id=282158 rdar://138642507 Reviewed by Mark Lam. The internal field underlyingIterator of iteratorHelper can be null in JSIteratorConstructor.js, and its nullability is checked in JSIteratorHelperPrototype.js. This patch addresses that case by directly passing JSValue in JSIteratorHelper::create. * Source/JavaScriptCore/runtime/JSIteratorHelper.cpp: (JSC::JSIteratorHelper::create): (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/runtime/JSIteratorHelper.h: Canonical link: https://commits.webkit.org/285757@main
jelee53 · Oct 28, 2024 · 9bba5ab · 9bba5ab
1 parent 0d6e1aa
commit 9bba5ab
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/Source/JavaScriptCore/runtime/JSIteratorHelper.cpp b/Source/JavaScriptCore/runtime/JSIteratorHelper.cpp
@@ -43,8 +43,9 @@ JSIteratorHelper* JSIteratorHelper::createWithInitialValues(VM& vm, Structure* s
     return result;
 }
 
-JSIteratorHelper* JSIteratorHelper::create(VM& vm, Structure* structure, JSObject* generator, JSObject* underlyingIterator)
+JSIteratorHelper* JSIteratorHelper::create(VM& vm, Structure* structure, JSValue generator, JSValue underlyingIterator)
 {
+    ASSERT(generator.isObject() && (underlyingIterator.isObject() || underlyingIterator.isNull()));
     JSIteratorHelper* result = new (NotNull, allocateCell<JSIteratorHelper>(vm)) JSIteratorHelper(vm, structure);
     result->finishCreation(vm);
     result->internalField(Field::Generator).set(vm, result, generator);
@@ -74,7 +75,7 @@ DEFINE_VISIT_CHILDREN(JSIteratorHelper);
 
 JSC_DEFINE_HOST_FUNCTION(iteratorHelperPrivateFuncCreate, (JSGlobalObject* globalObject, CallFrame* callFrame))
 {
-    return JSValue::encode(JSIteratorHelper::create(globalObject->vm(), globalObject->iteratorHelperStructure(), jsCast<JSObject*>(callFrame->uncheckedArgument(0)), jsCast<JSObject*>(callFrame->uncheckedArgument(1))));
+    return JSValue::encode(JSIteratorHelper::create(globalObject->vm(), globalObject->iteratorHelperStructure(), callFrame->uncheckedArgument(0), callFrame->uncheckedArgument(1)));
 }
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/JSIteratorHelper.h b/Source/JavaScriptCore/runtime/JSIteratorHelper.h
@@ -57,7 +57,7 @@ class JSIteratorHelper final : public JSInternalFieldObjectImpl<2> {
     WriteBarrier<Unknown>& internalField(Field field) { return Base::internalField(static_cast<uint32_t>(field)); }
 
     static JSIteratorHelper* createWithInitialValues(VM&, Structure*);
-    static JSIteratorHelper* create(VM&, Structure*, JSObject* generator, JSObject* underlyingIterator);
+    static JSIteratorHelper* create(VM&, Structure*, JSValue generator, JSValue underlyingIterator);
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue);
 
     DECLARE_INFO;