Timestamp:
Dec 27, 2011, 2:09:16 PM (13 years ago)
Author:
[email protected]
Message:

https://bugs.webkit.org/show_bug.cgi?id=75260
Null name for host function can result in dereference of uninitialized memory

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

This is a recent regression in ToT: if the name passed to finishCreation of a host function is null,
we are currently skipping the putDirect, which leaves memory uninitialized. This patch reverts the
aspect of the change that introduced the issue. It might be better if functions that don't have a
name don't have this property at all, but that change should be separate from fixing the bug.

  • runtime/JSFunction.cpp:

(JSC::JSFunction::finishCreation):

  • Always initialize the name property.

LayoutTests:

Added a test for String applies to the ThrowTypeError function object -
if this does not crash, it passes!

  • fast/js/basic-strict-mode-expected.txt:
  • fast/js/script-tests/basic-strict-mode.js:
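The mechanism the message describes, as an added illustration that is not WebKit code: a toy host-function object with a fixed inline property layout, where a reader such as a toString() implementation assumes the "name" slot has been filled. The slot layout, the `Slot` type with its `written` flag (used here to make the unwritten slot observable instead of relying on undefined behaviour), and the `describe` reader are all assumptions of this example.

```cpp
// Added illustration (not WebKit code) of the finishCreation regression:
// conditionally skipping the write of a slot that other code reads unconditionally.
#include <optional>
#include <string>

// A property slot that records whether it has ever been written. The real bug
// leaves raw memory uninitialized; the flag stands in for that so the outcome
// can be checked deterministically.
struct Slot {
    bool written = false;
    std::string value;
};

// Assumed layout: slot 0 holds "name", slot 1 holds "length".
struct HostFunction {
    enum { NameSlot = 0, LengthSlot = 1, SlotCount = 2 };
    Slot slots[SlotCount];

    void putDirect(int slot, const std::string& v) {
        slots[slot].written = true;
        slots[slot].value = v;
    }
};

// Before the fix: the name write is skipped when the name is null,
// so the name slot stays uninitialized.
HostFunction finishCreationBuggy(const std::optional<std::string>& name, int length) {
    HostFunction f;
    if (name.has_value())
        f.putDirect(HostFunction::NameSlot, *name);
    f.putDirect(HostFunction::LengthSlot, std::to_string(length));
    return f;
}

// After the fix: the name property is always initialized, falling back to "".
HostFunction finishCreationFixed(const std::optional<std::string>& name, int length) {
    HostFunction f;
    f.putDirect(HostFunction::NameSlot, name.has_value() ? *name : std::string());
    f.putDirect(HostFunction::LengthSlot, std::to_string(length));
    return f;
}

// Reader analogous to a toString() over the function object: it assumes the
// name slot is present. Returns std::nullopt where real code would have read
// an uninitialized slot.
std::optional<std::string> describe(const HostFunction& f) {
    const Slot& name = f.slots[HostFunction::NameSlot];
    if (!name.written)
        return std::nullopt;
    return "function " + name.value + "()";
}

int main() {
    // Nameless function: the buggy path yields an unreadable slot, the fixed
    // path yields "function ()".
    return describe(finishCreationBuggy(std::nullopt, 0)).has_value() ? 1 : 0;
}
```

The point the example makes is the one the patch relies on: an object with a fixed slot layout must have every slot written on the creation path, regardless of input, or the invariant that readers depend on silently breaks for one input class (here, a null name).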
  • trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

    r103243 r103728  
    9393    ASSERT(inherits(&s_info));
    9494    m_executable.set(exec->globalData(), this, executable);
    95     if (!name.isNull())
    96         putDirect(exec->globalData(), exec->globalData().propertyNames->name, jsString(exec, name.ustring()), DontDelete | ReadOnly | DontEnum);
     95    putDirect(exec->globalData(), exec->globalData().propertyNames->name, jsString(exec, name.isNull() ? "" : name.ustring()), DontDelete | ReadOnly | DontEnum);
    9796    putDirect(exec->globalData(), exec->propertyNames().length, jsNumber(length), DontDelete | ReadOnly | DontEnum);
    9897}
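Review bot: the replacement line (new line 95) mixes a string literal and a `UString` in the two arms of `name.isNull() ? "" : name.ustring()`, which relies on the implicit `UString(const char*)` conversion; writing `UString()` for the null arm states the intended empty-string value explicitly and avoids the conversion. Since the message says a nameless function should ideally not carry the property at all, a FIXME on that line would keep the follow-up from being lost. Minor style point: the new line reaches the identifier through `exec->globalData().propertyNames->name` while the adjacent unchanged line uses `exec->propertyNames().length`; using the shorter accessor for `name` as well keeps the two consistent.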