RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-10-31 10:42:45 +00:00
Code Issues Activity Actions
16749 commits 1 branch 0 tags 230 MiB
Commit graph

23 commits

Author SHA1 Message Date
Linus Groh
2ed7f75e95 LibJS: Return empty value on exception in Date.parse(), not NaN 
This is discarded anyway, so let's not confuse ourselves by returning a
NaN number value that's not going to be used.
 2021-02-13 19:58:51 +01:00
Linus Groh
db340ae7aa LibJS: Add missing exception check in Date() constructor 2021-02-13 19:58:51 +01:00
Andreas Kling
635a5eec75 LibJS: Remove a whole bunch of unnecessary #includes 2021-02-10 09:13:29 +01:00
Linus Groh
83c29bd8d7 LibJS: Don't assume match for each capture group in RegExp.prototype.exec() 
This was not implementing the following part of the spec correctly:

    27. For each integer i such that i ≥ 1 and i ≤ n, do
        a. Let captureI be ith element of r's captures List.
        b. If captureI is undefined, let capturedValue be undefined.

Expecting a capture group match to exist for each of the RegExp's
capture groups would assert in Vector's operator[] if that's not the
case, for example:

    /(foo)(bar)?/.exec("foo")

Append undefined instead.

Fixes #5256.
 2021-02-08 18:01:23 +01:00
Andreas Kling
3620a6e054 LibJS: Function must mark its home object 2021-02-07 10:57:07 +01:00
Andreas Kling
7df3b95126 LibJS: GlobalObject must mark builtin prototypes 
Failing to mark them leads to use-after-free since the GlobalObject
cached prototypes are used for new NumberObject, StringObject, etc.

Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30319
 2021-02-05 14:53:16 +01:00
Andreas Kling
16a0e7a66d LibJS: Improve correctness of rounding and bitwise operations 
Patch from Anonymous
 2021-02-05 09:38:45 +01:00
Andreas Kling
91db36064f LibJS: Fix obviously wrong \uXXXX serialization in JSONObject 2021-02-04 00:09:04 +01:00
Linus Groh
50957ec78e LibJS: Fix variable name coding style int{Part => _part} 
...and rename intpart_end to int_part_end for consistency.
 2021-02-02 16:52:55 +01:00
Linus Groh
c41d340983 LibJS: Use VM::names for Object::invoke() function names 2021-02-01 10:34:45 +01:00
Linus Groh
f9b1a9e60c LibJS: Let RegExp.string get RegExp.prototype from the global object directly 
We can't assume that RegExp on the global object is still the original
constructor, or an object at all.

This makes '--RegExp<</<</</,/</x/' work. :^)

Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29740
 2021-01-29 20:50:22 +01:00
Andreas Kling
803a20fa86 LibJS: Call the correct base class in LexicalEnvironment::visit_edges() 
We were calling directly up to Cell, skipping over ScopeObject.
This made us not mark the scope chain parent for lexical environments,
sometimes causing them to get GC'd and use-after-free'd.

Found by Fuzzilli.

Fixes #5140.
 2021-01-28 10:15:24 +01:00
Andreas Kling
f6c6047e49 LibJS: Add overflow checks when creating TypedArray from ArrayBuffer 
Thanks to Iliad for finding this! :^)
 2021-01-27 07:57:07 +01:00
Andreas Kling
f3f2d77624 LibJS: Remove an unused TypedArray constructor 2021-01-25 23:23:33 +01:00
asynts
eea72b9b5c Everywhere: Hook up remaining debug macros to Debug.h. 2021-01-25 09:47:36 +01:00
asynts
acdcf59a33 Everywhere: Remove unnecessary debug comments. 
It would be tempting to uncomment these statements, but that won't work
with the new changes.

This was done with the following commands:

    find . \( -name '*.cpp' -o -name '*.h' -o -name '*.in' \) -not -path './Toolchain/*' -not -path './Build/*' -exec awk -i inplace '$0 !~ /\/\/#define/ { if (!toggle) { print; } else { toggle = !toggle } } ; $0 ~/\/\/#define/ { toggle = 1 }' {} \;

    find . \( -name '*.cpp' -o -name '*.h' -o -name '*.in' \) -not -path './Toolchain/*' -not -path './Build/*' -exec awk -i inplace '$0 !~ /\/\/ #define/ { if (!toggle) { print; } else { toggle = !toggle } } ; $0 ~/\/\/ #define/ { toggle = 1 }' {} \;
 2021-01-25 09:47:36 +01:00
Linus Groh
02cca92763 LibJS: Set length of TypedArray constructors to 3 
https://tc39.es/ecma262/#sec-typedarray-constructors

    Each TypedArray constructor [...] has a "length" property whose
    value is 3.
 2021-01-24 22:24:10 +01:00
Andreas Kling
7a71d4b887 LibJS: Add some assertions and tests for TypedArray limitations 2021-01-24 19:08:44 +01:00
Andreas Kling
0e3ee03e2b LibJS: Throw exception on too large TypedArray construction request 
We will now throw a RangeError in these cases:

* new TypedArray with >= INT32_MAX entries
* new TypedArray whose ArrayBuffer allocation size computation would
  cause a 32-bit unsigned overflow.
 2021-01-24 18:55:06 +01:00
Linus Groh
766f30f593 LibJS: Check if class extends value has a valid prototype 
If we have a function as class extends value, we still cannot assume
that it has a prototype property and that property has a function or
null as its value - blindly calling to_object() on it may fail.

Fixes #5075.
 2021-01-24 00:09:18 +01:00
Linus Groh
f253f68768 LibJS: Rename ErrorType::ProxyGetOwnDescriptor{Undef => Undefined}Return 
This seems like an unnecessary and uncommon abbreviation.
 2021-01-14 08:13:32 +01:00
Linus Groh
cab3049dcc LibJS: Rename ErrorType::ToObjectNullOr{Undef => Undefined} 
This seems like an unnecessary and uncommon abbreviation.
 2021-01-14 08:13:32 +01:00
Andreas Kling
13d7c09125 Libraries: Move to Userland/Libraries/ 2021-01-12 12:17:46 +01:00