Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4d96716c8dc8eb15bea579d6097eba53ec4d3ed4
      
https://github.com/WebKit/WebKit/commit/4d96716c8dc8eb15bea579d6097eba53ec4d3ed4
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-03-15 (Sun, 15 Mar 2026)

  Changed paths:
    A JSTests/stress/set-methods-iterator-next-non-object-result.js
    M Source/JavaScriptCore/runtime/SetPrototype.cpp

  Log Message:
  -----------
  [JSC] Set methods should throw TypeError when iterator next() returns non-object
https://bugs.webkit.org/show_bug.cgi?id=309961

Reviewed by Yusuke Suzuki.

Set.prototype.difference, symmetricDifference, isSupersetOf, and
isDisjointFrom have hand-written iterator loops that call
nextResult.get(vm.propertyNames->done) without checking whether nextResult
is an Object. When next() returns a primitive (e.g. 42), (42).done yields
undefined, which coerces to false, causing an infinite loop.

IteratorNext step 5 [1] requires throwing a TypeError when the result is
not an Object. Set.prototype.union and Set.prototype.intersection are
unaffected because they go through forEachInIteratorProtocol/iteratorStep,
which already perform this check in IteratorOperations.cpp.

This patch adds the missing isObject() check before reading .done in all
four methods, using the same error message as IteratorOperations.cpp for
consistency. The check is placed before .get(done), so that prototype
getters on primitives are not observably called. IteratorClose is not
invoked, since an abrupt completion from IteratorNext itself does not
trigger iterator close.

[1]: https://tc39.es/ecma262/#sec-iteratornext

Test: JSTests/stress/set-methods-iterator-next-non-object-result.js

* JSTests/stress/set-methods-iterator-next-non-object-result.js: Added.
(shouldThrowTypeError):
(makeSetLike):
(let.prim.of.primitives.3.difference):
(let.prim.of.primitives.3.isSupersetOf):
(3.union):
* Source/JavaScriptCore/runtime/SetPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/309286@main
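
The loop shape the log message describes, modeled in plain JavaScript as an added example (not code from the WebKit commit or its test). `drainUnchecked`, `drainChecked`, `demo`, the `maxSteps` cap, the body of `makeSetLike` and the error text are assumptions made for illustration; the step cap exists only so the unchecked loop terminates here.

```javascript
// Set-like whose keys() iterator always returns `nextResult` from next().
// makeSetLike echoes a helper name from the commit's test; this body is assumed.
function makeSetLike(nextResult, log) {
  return {
    size: 1, has() { return false; },
    keys() {
      return {
        next() { log.nextCalls++; return nextResult; },
        return() { log.returnCalls++; return {}; },
      };
    },
  };
}

// Pre-fix shape: reads .done from whatever next() returned.
// maxSteps is a hypothetical cap so this demonstration terminates.
function drainUnchecked(setLike, maxSteps) {
  const it = setLike.keys();
  for (let i = 0; i < maxSteps; i++) {
    if (it.next().done) return "finished"; // (42).done is undefined, so falsy
  }
  return "step cap hit";
}

// Post-fix shape: IteratorNext step 5 type check runs before .done is read.
function drainChecked(setLike) {
  const it = setLike.keys();
  for (;;) {
    const r = it.next();
    if (r === null || (typeof r !== "object" && typeof r !== "function"))
      throw new TypeError("iterator result is not an object"); // placeholder text
    if (r.done) return "finished";
  }
}

// Runs both shapes with next() returning 42; a getter on Number.prototype counts .done reads.
function demo() {
  const log = { nextCalls: 0, returnCalls: 0, getterCalls: 0 };
  Object.defineProperty(Number.prototype, "done", {
    configurable: true, get() { log.getterCalls++; return undefined; } });
  try {
    const unchecked = drainUnchecked(makeSetLike(42, log), 1000);
    const uncheckedGetterCalls = log.getterCalls;
    log.nextCalls = log.getterCalls = 0;
    let thrown = null;
    try { drainChecked(makeSetLike(42, log)); } catch (e) { thrown = e; }
    return { unchecked, uncheckedGetterCalls, thrown, ...log };
  } finally { delete Number.prototype.done; }
}
```

In the checked run `next()` is called once, the getter on the primitive is never reached, and `return()` is never called, matching the message's points about getter observability and IteratorClose.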
