From 9bba5ab0c0ab6d17baf95622bf6cb46fe78b66e6 Mon Sep 17 00:00:00 2001
From: Yijia Huang <hyjorc1@gmail.com>
Date: Sun, 27 Oct 2024 21:10:38 -0700
Subject: [PATCH] [JSC] Fix iteratorHelperPrivateFuncCreate since
 underlyingIterator can be jsNull
 https://bugs.webkit.org/show_bug.cgi?id=282158 rdar://138642507

Reviewed by Mark Lam.

The internal field underlyingIterator of iteratorHelper can be null in
JSIteratorConstructor.js, and its nullability is checked in
JSIteratorHelperPrototype.js. This patch addresses that case by directly
passing JSValue in JSIteratorHelper::create.

* Source/JavaScriptCore/runtime/JSIteratorHelper.cpp:
(JSC::JSIteratorHelper::create):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSIteratorHelper.h:

Canonical link: https://commits.webkit.org/285757@main
---
 Source/JavaScriptCore/runtime/JSIteratorHelper.cpp | 5 +++--
 Source/JavaScriptCore/runtime/JSIteratorHelper.h   | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Source/JavaScriptCore/runtime/JSIteratorHelper.cpp b/Source/JavaScriptCore/runtime/JSIteratorHelper.cpp
index 2faf072c5e99f..941da23812c36 100644
--- a/Source/JavaScriptCore/runtime/JSIteratorHelper.cpp
+++ b/Source/JavaScriptCore/runtime/JSIteratorHelper.cpp
@@ -43,8 +43,9 @@ JSIteratorHelper* JSIteratorHelper::createWithInitialValues(VM& vm, Structure* s
     return result;
 }
 
-JSIteratorHelper* JSIteratorHelper::create(VM& vm, Structure* structure, JSObject* generator, JSObject* underlyingIterator)
+JSIteratorHelper* JSIteratorHelper::create(VM& vm, Structure* structure, JSValue generator, JSValue underlyingIterator)
 {
+    ASSERT(generator.isObject() && (underlyingIterator.isObject() || underlyingIterator.isNull()));
     JSIteratorHelper* result = new (NotNull, allocateCell<JSIteratorHelper>(vm)) JSIteratorHelper(vm, structure);
     result->finishCreation(vm);
     result->internalField(Field::Generator).set(vm, result, generator);
@@ -74,7 +75,7 @@ DEFINE_VISIT_CHILDREN(JSIteratorHelper);
 
 JSC_DEFINE_HOST_FUNCTION(iteratorHelperPrivateFuncCreate, (JSGlobalObject* globalObject, CallFrame* callFrame))
 {
-    return JSValue::encode(JSIteratorHelper::create(globalObject->vm(), globalObject->iteratorHelperStructure(), jsCast<JSObject*>(callFrame->uncheckedArgument(0)), jsCast<JSObject*>(callFrame->uncheckedArgument(1))));
+    return JSValue::encode(JSIteratorHelper::create(globalObject->vm(), globalObject->iteratorHelperStructure(), callFrame->uncheckedArgument(0), callFrame->uncheckedArgument(1)));
 }
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/JSIteratorHelper.h b/Source/JavaScriptCore/runtime/JSIteratorHelper.h
index 7428041fa004f..c665638a87b74 100644
--- a/Source/JavaScriptCore/runtime/JSIteratorHelper.h
+++ b/Source/JavaScriptCore/runtime/JSIteratorHelper.h
@@ -57,7 +57,7 @@ class JSIteratorHelper final : public JSInternalFieldObjectImpl<2> {
     WriteBarrier<Unknown>& internalField(Field field) { return Base::internalField(static_cast<uint32_t>(field)); }
 
     static JSIteratorHelper* createWithInitialValues(VM&, Structure*);
-    static JSIteratorHelper* create(VM&, Structure*, JSObject* generator, JSObject* underlyingIterator);
+    static JSIteratorHelper* create(VM&, Structure*, JSValue generator, JSValue underlyingIterator);
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue);
 
     DECLARE_INFO;