LibJS: Introduce NativeJavaScriptBackedFunction

This hosts the ability to compile and run JavaScript to implement
native functions. This is particularly useful for any native function
that is not a normal function, for example async functions such as
Array.fromAsync, which require yielding.

These functions are not allowed to observe anything from outside their
environment. Any global identifiers will instead be assumed to be a
reference to an abstract operation or a constant. The generator will
inject the appropriate bytecode if the name of the global identifier
matches a known name. Anything else will cause a code generation error.

Author: Lubrsi

Libraries/LibJS/Bytecode/ASTCodegen.cpp

@@ -474,8 +474,10 @@ Bytecode::CodeGenerationErrorOr<Optional<ScopedOperand>> Identifier::generate_by
         return local;
     }
 
-    if (is_global() && m_string == "undefined"sv) {
-        return generator.add_constant(js_undefined());
+    if (is_global()) {
+        auto maybe_constant = TRY(generator.maybe_generate_builtin_constant(*this));
+        if (maybe_constant.has_value())
+            return maybe_constant.release_value();
     }
 
     auto dst = choose_dst(generator, preferred_dst);
@@ -1718,6 +1720,7 @@ Bytecode::CodeGenerationErrorOr<Optional<ScopedOperand>> CallExpression::generat
 
     Optional<ScopedOperand> original_callee;
     auto original_this_value = generator.add_constant(js_undefined());
+    auto dst = choose_dst(generator, preferred_dst);
     Bytecode::Op::CallType call_type = Bytecode::Op::CallType::Call;
 
     if (is<NewExpression>(this)) {
@@ -1741,6 +1744,11 @@ Bytecode::CodeGenerationErrorOr<Optional<ScopedOperand>> CallExpression::generat
         // NOTE: If the identifier refers to a known "local" or "global", we know it can't be
         //       a `with` binding, so we can skip this.
         auto& identifier = static_cast<Identifier const&>(*m_callee);
+        if (generator.builtin_abstract_operations_enabled() && identifier.is_global()) {
+            TRY(generator.generate_builtin_abstract_operation(identifier, arguments(), dst));
+            return dst;
+        }
+
         if (identifier.string() == "eval"sv) {
             call_type = Bytecode::Op::CallType::DirectEval;
         }
@@ -1776,7 +1784,6 @@ Bytecode::CodeGenerationErrorOr<Optional<ScopedOperand>> CallExpression::generat
         expression_string_index = generator.intern_string(expression_string.release_value());
 
     bool has_spread = any_of(arguments(), [](auto& argument) { return argument.is_spread; });
-    auto dst = choose_dst(generator, preferred_dst);
 
     if (has_spread) {
         auto arguments = TRY(arguments_to_array_for_call(generator, this->arguments())).value();

Libraries/LibJS/Bytecode/BuiltinAbstractOperationsEnabled.h

@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+namespace JS::Bytecode {
+
+enum class BuiltinAbstractOperationsEnabled : bool {
+    No,
+    Yes,
+};
+
+}

Libraries/LibJS/Bytecode/Generator.cpp

@@ -13,11 +13,12 @@
 #include <LibJS/Bytecode/Op.h>
 #include <LibJS/Bytecode/Register.h>
 #include <LibJS/Runtime/ECMAScriptFunctionObject.h>
+#include <LibJS/Runtime/NativeJavaScriptBackedFunction.h>
 #include <LibJS/Runtime/VM.h>
 
 namespace JS::Bytecode {
 
-Generator::Generator(VM& vm, GC::Ptr<SharedFunctionInstanceData const> shared_function_instance_data, MustPropagateCompletion must_propagate_completion)
+Generator::Generator(VM& vm, GC::Ptr<SharedFunctionInstanceData const> shared_function_instance_data, MustPropagateCompletion must_propagate_completion, BuiltinAbstractOperationsEnabled builtin_abstract_operations_enabled)
     : m_vm(vm)
     , m_string_table(make<StringTable>())
     , m_identifier_table(make<IdentifierTable>())
@@ -26,6 +27,7 @@ Generator::Generator(VM& vm, GC::Ptr<SharedFunctionInstanceData const> shared_fu
     , m_accumulator(*this, Operand(Register::accumulator()))
     , m_this_value(*this, Operand(Register::this_value()))
     , m_must_propagate_completion(must_propagate_completion == MustPropagateCompletion::Yes)
+    , m_builtin_abstract_operations_enabled(builtin_abstract_operations_enabled == BuiltinAbstractOperationsEnabled::Yes)
     , m_shared_function_instance_data(shared_function_instance_data)
 {
 }
@@ -215,9 +217,9 @@ CodeGenerationErrorOr<void> Generator::emit_function_declaration_instantiation(S
     return {};
 }
 
-CodeGenerationErrorOr<GC::Ref<Executable>> Generator::compile(VM& vm, ASTNode const& node, FunctionKind enclosing_function_kind, GC::Ptr<SharedFunctionInstanceData const> shared_function_instance_data, MustPropagateCompletion must_propagate_completion, Vector<LocalVariable> local_variable_names)
+CodeGenerationErrorOr<GC::Ref<Executable>> Generator::compile(VM& vm, ASTNode const& node, FunctionKind enclosing_function_kind, GC::Ptr<SharedFunctionInstanceData const> shared_function_instance_data, MustPropagateCompletion must_propagate_completion, BuiltinAbstractOperationsEnabled builtin_abstract_operations_enabled, Vector<LocalVariable> local_variable_names)
 {
-    Generator generator(vm, shared_function_instance_data, must_propagate_completion);
+    Generator generator(vm, shared_function_instance_data, must_propagate_completion, builtin_abstract_operations_enabled);
 
     if (is<Program>(node))
         generator.m_strict = static_cast<Program const&>(node).is_strict_mode() ? Strict::Yes : Strict::No;
@@ -498,12 +500,12 @@ CodeGenerationErrorOr<GC::Ref<Executable>> Generator::generate_from_ast_node(VM&
     Vector<LocalVariable> local_variable_names;
     if (is<ScopeNode>(node))
         local_variable_names = static_cast<ScopeNode const&>(node).local_variables_names();
-    return compile(vm, node, enclosing_function_kind, {}, MustPropagateCompletion::Yes, move(local_variable_names));
+    return compile(vm, node, enclosing_function_kind, {}, MustPropagateCompletion::Yes, BuiltinAbstractOperationsEnabled::No, move(local_variable_names));
 }
 
-CodeGenerationErrorOr<GC::Ref<Executable>> Generator::generate_from_function(VM& vm, GC::Ref<SharedFunctionInstanceData const> shared_function_instance_data)
+CodeGenerationErrorOr<GC::Ref<Executable>> Generator::generate_from_function(VM& vm, GC::Ref<SharedFunctionInstanceData const> shared_function_instance_data, BuiltinAbstractOperationsEnabled builtin_abstract_operations_enabled)
 {
-    return compile(vm, *shared_function_instance_data->m_ecmascript_code, shared_function_instance_data->m_kind, shared_function_instance_data, MustPropagateCompletion::No, shared_function_instance_data->m_local_variables_names);
+    return compile(vm, *shared_function_instance_data->m_ecmascript_code, shared_function_instance_data->m_kind, shared_function_instance_data, MustPropagateCompletion::No, builtin_abstract_operations_enabled, shared_function_instance_data->m_local_variables_names);
 }
 
 void Generator::grow(size_t additional_size)
@@ -1470,4 +1472,43 @@ ScopedOperand Generator::add_constant(Value value)
     return append_new_constant();
 }
 
+CodeGenerationErrorOr<void> Generator::generate_builtin_abstract_operation(Identifier const& builtin_identifier, ReadonlySpan<CallExpression::Argument> arguments, ScopedOperand const&)
+{
+    VERIFY(m_builtin_abstract_operations_enabled);
+    for (auto const& argument : arguments) {
+        if (argument.is_spread) {
+            return CodeGenerationError {
+                argument.value.ptr(),
+                "Spread arguments not allowed for builtin abstract operations"sv,
+            };
+        }
+    }
+
+    auto const& operation_name = builtin_identifier.string();
+
+    dbgln("Unknown builtin abstract operation: '{}'", operation_name);
+    return CodeGenerationError {
+        &builtin_identifier,
+        "Unknown builtin abstract operation"sv,
+    };
+}
+
+CodeGenerationErrorOr<Optional<ScopedOperand>> Generator::maybe_generate_builtin_constant(Identifier const& builtin_identifier)
+{
+    auto const& constant_name = builtin_identifier.string();
+
+    if (constant_name == "undefined"sv) {
+        return add_constant(js_undefined());
+    }
+
+    if (!m_builtin_abstract_operations_enabled)
+        return OptionalNone {};
+
+    dbgln("Unknown builtin constant: '{}'", constant_name);
+    return CodeGenerationError {
+        &builtin_identifier,
+        "Unknown builtin constant"sv,
+    };
+}
+
 }

Libraries/LibJS/Bytecode/Generator.h

@@ -10,6 +10,7 @@
 #include <AK/SinglyLinkedList.h>
 #include <LibJS/AST.h>
 #include <LibJS/Bytecode/BasicBlock.h>
+#include <LibJS/Bytecode/BuiltinAbstractOperationsEnabled.h>
 #include <LibJS/Bytecode/CodeGenerationError.h>
 #include <LibJS/Bytecode/Executable.h>
 #include <LibJS/Bytecode/IdentifierTable.h>
@@ -40,7 +41,7 @@ class Generator {
     };
 
     static CodeGenerationErrorOr<GC::Ref<Executable>> generate_from_ast_node(VM&, ASTNode const&, FunctionKind = FunctionKind::Normal);
-    static CodeGenerationErrorOr<GC::Ref<Executable>> generate_from_function(VM&, GC::Ref<SharedFunctionInstanceData const> shared_function_instance_data);
+    static CodeGenerationErrorOr<GC::Ref<Executable>> generate_from_function(VM&, GC::Ref<SharedFunctionInstanceData const> shared_function_instance_data, BuiltinAbstractOperationsEnabled builtin_abstract_operations_enabled = BuiltinAbstractOperationsEnabled::No);
 
     CodeGenerationErrorOr<void> emit_function_declaration_instantiation(SharedFunctionInstanceData const& shared_function_instance_data);
 
@@ -361,10 +362,15 @@ class Generator {
 
     [[nodiscard]] bool must_propagate_completion() const { return m_must_propagate_completion; }
 
+    [[nodiscard]] bool builtin_abstract_operations_enabled() const { return m_builtin_abstract_operations_enabled; }
+
+    CodeGenerationErrorOr<void> generate_builtin_abstract_operation(Identifier const& builtin_identifier, ReadonlySpan<CallExpression::Argument> arguments, ScopedOperand const& dst);
+    CodeGenerationErrorOr<Optional<ScopedOperand>> maybe_generate_builtin_constant(Identifier const& builtin_identifier);
+
 private:
     VM& m_vm;
 
-    static CodeGenerationErrorOr<GC::Ref<Executable>> compile(VM&, ASTNode const&, FunctionKind, GC::Ptr<SharedFunctionInstanceData const>, MustPropagateCompletion, Vector<LocalVariable> local_variable_names);
+    static CodeGenerationErrorOr<GC::Ref<Executable>> compile(VM&, ASTNode const&, FunctionKind, GC::Ptr<SharedFunctionInstanceData const>, MustPropagateCompletion, BuiltinAbstractOperationsEnabled, Vector<LocalVariable> local_variable_names);
 
     enum class JumpType {
         Continue,
@@ -373,7 +379,7 @@ class Generator {
     void generate_scoped_jump(JumpType);
     void generate_labelled_jump(JumpType, FlyString const& label);
 
-    Generator(VM&, GC::Ptr<SharedFunctionInstanceData const>, MustPropagateCompletion);
+    Generator(VM&, GC::Ptr<SharedFunctionInstanceData const>, MustPropagateCompletion, BuiltinAbstractOperationsEnabled);
     ~Generator() = default;
 
     void grow(size_t);
@@ -426,6 +432,7 @@ class Generator {
 
     bool m_finished { false };
     bool m_must_propagate_completion { true };
+    bool m_builtin_abstract_operations_enabled { false };
 
     GC::Ptr<SharedFunctionInstanceData const> m_shared_function_instance_data;
 

Libraries/LibJS/Bytecode/Interpreter.cpp

@@ -739,11 +739,11 @@ ThrowCompletionOr<GC::Ref<Bytecode::Executable>> compile(VM& vm, ASTNode const&
     return bytecode_executable;
 }
 
-ThrowCompletionOr<GC::Ref<Bytecode::Executable>> compile(VM& vm, GC::Ref<SharedFunctionInstanceData const> shared_function_instance_data)
+ThrowCompletionOr<GC::Ref<Bytecode::Executable>> compile(VM& vm, GC::Ref<SharedFunctionInstanceData const> shared_function_instance_data, BuiltinAbstractOperationsEnabled builtin_abstract_operations_enabled)
 {
     auto const& name = shared_function_instance_data->m_name;
 
-    auto executable_result = Bytecode::Generator::generate_from_function(vm, shared_function_instance_data);
+    auto executable_result = Bytecode::Generator::generate_from_function(vm, shared_function_instance_data, builtin_abstract_operations_enabled);
     if (executable_result.is_error())
         return vm.throw_completion<InternalError>(ErrorType::NotImplemented, TRY_OR_THROW_OOM(vm, executable_result.error().to_string()));
 
@@ -1290,7 +1290,7 @@ inline Value new_function(Interpreter& interpreter, FunctionNode const& function
 
     if (home_object.has_value()) {
         auto home_object_value = interpreter.get(home_object.value());
-        static_cast<ECMAScriptFunctionObject&>(value.as_function()).set_home_object(&home_object_value.as_object());
+        as<ECMAScriptFunctionObject>(value.as_function()).set_home_object(&home_object_value.as_object());
     }
 
     return value;
@@ -2896,7 +2896,7 @@ ThrowCompletionOr<void> SuperCallWithArgumentArray::execute_impl(Bytecode::Inter
     TRY(this_environment.bind_this_value(vm, result));
 
     // 9. Let F be thisER.[[FunctionObject]].
-    auto& f = this_environment.function_object();
+    auto& f = as<ECMAScriptFunctionObject>(this_environment.function_object());
 
     // 10. Assert: F is an ECMAScript function object.
     // NOTE: This is implied by the strong C++ type.

Libraries/LibJS/Bytecode/Interpreter.h

@@ -6,6 +6,7 @@
 
 #pragma once
 
+#include <LibJS/Bytecode/BuiltinAbstractOperationsEnabled.h>
 #include <LibJS/Bytecode/Executable.h>
 #include <LibJS/Bytecode/Label.h>
 #include <LibJS/Bytecode/Register.h>
@@ -102,6 +103,6 @@ class JS_API Interpreter {
 JS_API extern bool g_dump_bytecode;
 
 ThrowCompletionOr<GC::Ref<Bytecode::Executable>> compile(VM&, ASTNode const&, JS::FunctionKind kind, Utf16FlyString const& name);
-ThrowCompletionOr<GC::Ref<Bytecode::Executable>> compile(VM&, GC::Ref<SharedFunctionInstanceData const>);
+ThrowCompletionOr<GC::Ref<Bytecode::Executable>> compile(VM&, GC::Ref<SharedFunctionInstanceData const>, BuiltinAbstractOperationsEnabled builtin_abstract_operations_enabled);
 
 }

Libraries/LibJS/CMakeLists.txt

@@ -158,6 +158,7 @@ set(SOURCES
     Runtime/ModuleEnvironment.cpp
     Runtime/ModuleNamespaceObject.cpp
     Runtime/NativeFunction.cpp
+    Runtime/NativeJavaScriptBackedFunction.cpp
     Runtime/NumberConstructor.cpp
     Runtime/NumberObject.cpp
     Runtime/NumberPrototype.cpp

Libraries/LibJS/Forward.h

@@ -201,6 +201,7 @@ class ModuleEnvironment;
 class Module;
 struct ModuleRequest;
 class NativeFunction;
+class NativeJavaScriptBackedFunction;
 class ObjectEnvironment;
 class Parser;
 struct ParserError;

Libraries/LibJS/Runtime/AbstractOperations.cpp

@@ -25,6 +25,7 @@
 #include <LibJS/Runtime/FunctionObject.h>
 #include <LibJS/Runtime/GlobalEnvironment.h>
 #include <LibJS/Runtime/GlobalObject.h>
+#include <LibJS/Runtime/NativeJavaScriptBackedFunction.h>
 #include <LibJS/Runtime/Object.h>
 #include <LibJS/Runtime/ObjectEnvironment.h>
 #include <LibJS/Runtime/PromiseCapability.h>
@@ -458,6 +459,36 @@ GC::Ref<FunctionEnvironment> new_function_environment(ECMAScriptFunctionObject&
     return env;
 }
 
+// 9.1.2.4 NewFunctionEnvironment ( F, newTarget ), https://tc39.es/ecma262/#sec-newfunctionenvironment
+// 4.1.2.2 NewFunctionEnvironment ( F, newTarget ), https://tc39.es/proposal-explicit-resource-management/#sec-newfunctionenvironment
+GC::Ref<FunctionEnvironment> new_function_environment(NativeJavaScriptBackedFunction& function, Object* new_target)
+{
+    auto& heap = function.heap();
+
+    // 1. Let env be a new function Environment Record containing no bindings.
+    auto env = heap.allocate<FunctionEnvironment>(nullptr);
+
+    // 2. Set env.[[FunctionObject]] to F.
+    env->set_function_object(function);
+
+    // 3. If F.[[ThisMode]] is lexical, set env.[[ThisBindingStatus]] to lexical.
+    if (function.this_mode() == ThisMode::Lexical)
+        env->set_this_binding_status(FunctionEnvironment::ThisBindingStatus::Lexical);
+    // 4. Else, set env.[[ThisBindingStatus]] to uninitialized.
+    else
+        env->set_this_binding_status(FunctionEnvironment::ThisBindingStatus::Uninitialized);
+
+    // 5. Set env.[[NewTarget]] to newTarget.
+    env->set_new_target(new_target ?: js_undefined());
+
+    // 6. Set env.[[OuterEnv]] to F.[[Environment]].
+    // 7. Set env.[[DisposeCapability]] to NewDisposeCapability().
+    // NOTE: Done in step 1 via the FunctionEnvironment constructor.
+
+    // 8. Return env.
+    return env;
+}
+
 // 9.2.1.1 NewPrivateEnvironment ( outerPrivEnv ), https://tc39.es/ecma262/#sec-newprivateenvironment
 GC::Ref<PrivateEnvironment> new_private_environment(VM& vm, PrivateEnvironment* outer)
 {
@@ -586,7 +617,7 @@ ThrowCompletionOr<Value> perform_eval(VM& vm, Value x, CallerMode strict_caller,
             auto& this_function_environment_record = static_cast<FunctionEnvironment&>(*this_environment_record);
 
             // i. Let F be thisEnvRec.[[FunctionObject]].
-            auto& function = this_function_environment_record.function_object();
+            auto& function = as<ECMAScriptFunctionObject>(this_function_environment_record.function_object());
 
             // ii. Set inFunction to true.
             in_function = true;

Libraries/LibJS/Runtime/AbstractOperations.h

@@ -28,6 +28,7 @@ namespace JS {
 GC::Ref<DeclarativeEnvironment> new_declarative_environment(Environment&);
 JS_API GC::Ref<ObjectEnvironment> new_object_environment(Object&, bool is_with_environment, Environment*);
 GC::Ref<FunctionEnvironment> new_function_environment(ECMAScriptFunctionObject&, Object* new_target);
+GC::Ref<FunctionEnvironment> new_function_environment(NativeJavaScriptBackedFunction&, Object* new_target);
 GC::Ref<PrivateEnvironment> new_private_environment(VM& vm, PrivateEnvironment* outer);
 GC::Ref<Environment> get_this_environment(VM&);
 JS_API bool can_be_held_weakly(Value);