Bug 1101561 - Fix %IteratorPrototype% initialization to be OOM-safe. r=jandem

2024-09-13 09:24:08 -07:00 · 2015-09-24 12:51:55 -07:00 · 2015-09-24 12:51:55 -07:00 · c7f8a9b4da
commit c7f8a9b4da
parent 59d65e151b
4 changed files with 34 additions and 32 deletions
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@ -1410,42 +1410,42 @@ GlobalObject::initStringIteratorProto(JSContext* cx, Handle<GlobalObject*> globa
    return true;
 }

-/* static */ bool
-GlobalObject::initIteratorClasses(JSContext* cx, Handle<GlobalObject*> global)
+JSObject*
+js::InitIteratorClass(JSContext* cx, HandleObject obj)
 {
+    Handle<GlobalObject*> global = obj.as<GlobalObject>();
+
+    if (global->getPrototype(JSProto_Iterator).isObject())
+        return &global->getPrototype(JSProto_Iterator).toObject();
+
    RootedObject iteratorProto(cx);
-    Value iteratorProtoVal = global->getPrototype(JSProto_Iterator);
-    if (iteratorProtoVal.isObject()) {
-        iteratorProto = &iteratorProtoVal.toObject();
-    } else {
-        iteratorProto = global->createBlankPrototype(cx, &PropertyIteratorObject::class_);
-        if (!iteratorProto)
-            return false;
+    iteratorProto = global->createBlankPrototype(cx, &PropertyIteratorObject::class_);
+    if (!iteratorProto)
+        return nullptr;

-        AutoIdVector blank(cx);
-        NativeIterator* ni = NativeIterator::allocateIterator(cx, 0, blank);
-        if (!ni)
-            return false;
-        ni->init(nullptr, nullptr, 0 /* flags */, 0, 0);
+    AutoIdVector blank(cx);
+    NativeIterator* ni = NativeIterator::allocateIterator(cx, 0, blank);
+    if (!ni)
+        return nullptr;
+    ni->init(nullptr, nullptr, 0 /* flags */, 0, 0);

-        iteratorProto->as<PropertyIteratorObject>().setNativeIterator(ni);
+    iteratorProto->as<PropertyIteratorObject>().setNativeIterator(ni);

-        Rooted<JSFunction*> ctor(cx);
-        ctor = global->createConstructor(cx, IteratorConstructor, cx->names().Iterator, 2);
-        if (!ctor)
-            return false;
-        if (!LinkConstructorAndPrototype(cx, ctor, iteratorProto))
-            return false;
-        if (!DefinePropertiesAndFunctions(cx, iteratorProto, nullptr, iterator_methods))
-            return false;
-        if (!GlobalObject::initBuiltinConstructor(cx, global, JSProto_Iterator,
-                                                  ctor, iteratorProto))
-        {
-            return false;
-        }
+    Rooted<JSFunction*> ctor(cx);
+    ctor = global->createConstructor(cx, IteratorConstructor, cx->names().Iterator, 2);
+    if (!ctor)
+        return nullptr;
+    if (!LinkConstructorAndPrototype(cx, ctor, iteratorProto))
+        return nullptr;
+    if (!DefinePropertiesAndFunctions(cx, iteratorProto, nullptr, iterator_methods))
+        return nullptr;
+    if (!GlobalObject::initBuiltinConstructor(cx, global, JSProto_Iterator,
+                                              ctor, iteratorProto))
+    {
+        return nullptr;
    }

-    return true;
+    return &global->getPrototype(JSProto_Iterator).toObject();
 }

 JSObject*
@ -1471,7 +1471,7 @@ JSObject*
 js::InitIteratorClasses(JSContext* cx, HandleObject obj)
 {
    Rooted<GlobalObject*> global(cx, &obj->as<GlobalObject>());
-    if (!GlobalObject::initIteratorClasses(cx, global))
+    if (!InitIteratorClass(cx, global))
        return nullptr;
    if (!GlobalObject::initGeneratorClasses(cx, global))
        return nullptr;
--- a/js/src/jsiter.h
+++ b/js/src/jsiter.h
@ -207,6 +207,9 @@ ThrowStopIteration(JSContext* cx);
 extern JSObject*
 CreateItrResultObject(JSContext* cx, HandleValue value, bool done);

+extern JSObject*
+InitIteratorClass(JSContext* cx, HandleObject obj);
+
 extern JSObject*
 InitStopIterationClass(JSContext* cx, HandleObject obj);

--- a/js/src/jsprototypes.h
+++ b/js/src/jsprototypes.h
@ -76,7 +76,7 @@
    real(SyntaxError,           16,     InitViaClassSpec,       ERROR_CLASP(JSEXN_SYNTAXERR)) \
    real(TypeError,             17,     InitViaClassSpec,       ERROR_CLASP(JSEXN_TYPEERR)) \
    real(URIError,              18,     InitViaClassSpec,       ERROR_CLASP(JSEXN_URIERR)) \
-    real(Iterator,              19,     InitIteratorClasses,    OCLASP(PropertyIterator)) \
+    real(Iterator,              19,     InitIteratorClass,      OCLASP(PropertyIterator)) \
    real(StopIteration,         20,     InitStopIterationClass, OCLASP(StopIteration)) \
    real(ArrayBuffer,           21,     InitArrayBufferClass,   &js::ArrayBufferObject::protoClass) \
    real(Int8Array,             22,     InitViaClassSpec,       TYPED_ARRAY_CLASP(Int8)) \
--- a/js/src/vm/GlobalObject.h
+++ b/js/src/vm/GlobalObject.h
@ -704,7 +704,6 @@ class GlobalObject : public NativeObject
    // Implemented in jsiter.cpp.
    static bool initArrayIteratorProto(JSContext* cx, Handle<GlobalObject*> global);
    static bool initStringIteratorProto(JSContext* cx, Handle<GlobalObject*> global);
-    static bool initIteratorClasses(JSContext* cx, Handle<GlobalObject*> global);

    // Implemented in vm/GeneratorObject.cpp.
    static bool initGeneratorClasses(JSContext* cx, Handle<GlobalObject*> global);