Bug 280946

Summary:	[JSC] Assert `AsyncFromSyncIterator` before access to internal field
Product:	WebKit	Reporter:	Sosuke Suzuki <aosukeke>
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Sosuke Suzuki

Reported 2024-10-06 08:39:40 PDT

The patch at https://commits.webkit.org/283311@main introduced internal fields to `AsyncFromSyncIterator`. This patch changes the functions in `AsyncFromSyncIteratorPrototype` to assert that the `this` object is an `AsyncFromSyncIterator` before accessing its internal fields. No runtime checks.

Attachments
Add attachment proposed patch, testcase, etc.

Sosuke Suzuki

Comment 1 2024-10-06 08:40:27 PDT

Pull request: https://github.com/WebKit/WebKit/pull/34745

EWS

Comment 2 2024-10-13 01:05:40 PDT

Committed 285086@main (fe316088fa6f): <https://commits.webkit.org/285086@main> Reviewed commits have been landed. Closing PR #34745 and removing active labels.

Radar WebKit Bug Importer

Comment 3 2024-10-13 01:06:19 PDT

<rdar://problem/137827063>

Note You need to log in before you can comment on or make changes to this bug.