Changeset 154011 in webkit for trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

Timestamp:

Aug 13, 2013, 10:49:52 AM (12 years ago)

Author:

[email protected]

Message:

Harden executeConstruct against incorrect return types from host functions
​https://bugs.webkit.org/show_bug.cgi?id=119757

Reviewed by Mark Hahnenberg.

Add logic to guard against bogus return types. There doesn't seem to be any
class in webkit that does this wrong, but the typed array stubs in debug JSC
do exhibit this bad behaviour.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::executeConstruct):

File:

• trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -1005 +1005 @@
             result = constructData.js.functionExecutable->generatedJITCodeForConstruct()->execute(&m_stack, newCallFrame, &vm);
 #endif // ENABLE(JIT)
-        } else
+        } else {
             result = JSValue::decode(constructData.native.function(newCallFrame));
+            if (!callFrame->hadException()) {
+                ASSERT_WITH_MESSAGE(result.isObject(), "Host constructor returned non object.");
+                if (!result.isObject())
+                    throwTypeError(newCallFrame);
+            }
+        }
     }