Timestamp:
Feb 22, 2016, 4:51:02 PM (10 years ago)
Author:
[email protected]
Message:

InternalFunction::createSubclassStructure doesn't take into account that get() might throw
https://bugs.webkit.org/show_bug.cgi?id=154548

Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.

InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw
an exception. Neither the function nor the call sites of the function took this into
account. This patch audits the call sites of the function to make it work in
the event that an exception is thrown.

  • runtime/BooleanConstructor.cpp:
    (JSC::constructWithBooleanConstructor):
  • runtime/DateConstructor.cpp:
    (JSC::constructDate):
  • runtime/ErrorConstructor.cpp:
    (JSC::Interpreter::constructWithErrorConstructor):
  • runtime/FunctionConstructor.cpp:
    (JSC::constructFunctionSkippingEvalEnabledCheck):
  • runtime/InternalFunction.cpp:
    (JSC::InternalFunction::createSubclassStructure):
  • runtime/JSArrayBufferConstructor.cpp:
    (JSC::constructArrayBuffer):
  • runtime/JSGenericTypedArrayViewConstructorInlines.h:
    (JSC::constructGenericTypedArrayView):
  • runtime/JSGlobalObject.h:
    (JSC::constructEmptyArray):
    (JSC::constructArray):
    (JSC::constructArrayNegativeIndexed):
  • runtime/JSPromiseConstructor.cpp:
    (JSC::constructPromise):
  • runtime/MapConstructor.cpp:
    (JSC::constructMap):
  • runtime/NativeErrorConstructor.cpp:
    (JSC::Interpreter::constructWithNativeErrorConstructor):
  • runtime/NumberConstructor.cpp:
    (JSC::constructWithNumberConstructor):
  • runtime/RegExpConstructor.cpp:
    (JSC::getRegExpStructure):
    (JSC::constructRegExp):
    (JSC::constructWithRegExpConstructor):
  • runtime/SetConstructor.cpp:
    (JSC::constructSet):
  • runtime/StringConstructor.cpp:
    (JSC::constructWithStringConstructor):
    (JSC::StringConstructor::getConstructData):
  • runtime/WeakMapConstructor.cpp:
    (JSC::constructWeakMap):
  • runtime/WeakSetConstructor.cpp:
    (JSC::constructWeakSet):
  • tests/stress/create-subclass-structure-might-throw.js: Added.
    (assert):
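The scenario this commit message describes, as an added example that is not the WebKit test file from the changeset: a built-in constructor is invoked through Reflect.construct with a new.target whose "prototype" read throws, so the engine's internal get() in createSubclassStructure must propagate that exception rather than continue with a pending one. All function names here (makeThrowingProxyTarget, makeThrowingBoundTarget, constructWith, checkBuiltins) are this example's own.

```javascript
// Added example, not the WebKit test from the changeset. It drives each
// built-in constructor the patch touches with a new.target whose "prototype"
// lookup throws, and checks that exactly that exception surfaces.
"use strict";

class PrototypeGetterThrows extends Error {}

// A constructible new.target whose "prototype" read always throws: a Proxy
// around a plain function traps [[Get]] and rejects the "prototype" key.
function makeThrowingProxyTarget() {
  return new Proxy(function () {}, {
    get(target, key, receiver) {
      if (key === "prototype")
        throw new PrototypeGetterThrows("prototype read via proxy trap");
      return Reflect.get(target, key, receiver);
    },
  });
}

// Alternative: a bound function has no own "prototype", so an accessor can be
// installed on it (ordinary functions carry a non-configurable data property).
function makeThrowingBoundTarget() {
  const bound = function () {}.bind(null);
  Object.defineProperty(bound, "prototype", {
    get() { throw new PrototypeGetterThrows("prototype read via accessor"); },
    configurable: true,
  });
  return bound;
}

// Constructs `ctor` with the given new.target and reports what happened:
// "threw-expected" when the getter's exception surfaced intact,
// "threw-other" for any other exception, "returned" if construction succeeded.
function constructWith(ctor, args, newTarget) {
  try {
    Reflect.construct(ctor, args, newTarget);
    return "returned";
  } catch (e) {
    return e instanceof PrototypeGetterThrows ? "threw-expected" : "threw-other";
  }
}

// Every built-in touched by the changeset should report "threw-expected".
function checkBuiltins(newTargetFactory) {
  const ctors = [Boolean, Number, String, Date, Error, TypeError, RegExp, Map,
                 Set, WeakMap, WeakSet, Promise, ArrayBuffer, Uint8Array, Array];
  const results = {};
  for (const C of ctors)
    results[C.name] = constructWith(C, C === Promise ? [() => {}] : [], newTargetFactory());
  return results;
}
```

A conforming engine reports "threw-expected" for every constructor with both new.target variants; "threw-other" or "returned" would indicate the exception was replaced or swallowed.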

File:
1 edited

  • trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

    r196959 r196966  
    9898            // Note, Reflect.construct might cause the profile to churn but we don't care.
    9999            JSObject* prototype = jsDynamicCast<JSObject*>(newTarget.get(exec, exec->propertyNames().prototype));
     100            ASSERT(!exec->hadException());
    100101            if (prototype)
    101102                return targetFunction->rareData(vm)->createInternalFunctionAllocationStructureFromBase(vm, prototype, baseClass);
    102103        } else {
    103104            JSObject* prototype = jsDynamicCast<JSObject*>(newTarget.get(exec, exec->propertyNames().prototype));
     105            if (exec->hadException())
     106                return nullptr;
    104107            if (prototype) {
    105108                // This only happens if someone Reflect.constructs our builtin constructor with another builtin constructor as the new.target.
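Review bot: the two branches treat the same possibly-throwing get() differently. The else branch (new lines 105-106) checks `if (exec->hadException()) return nullptr;`, but the first branch (new line 100) only adds `ASSERT(!exec->hadException());`, which compiles out in release builds; if that get() can throw in any case the branch condition does not rule out, execution would continue with a pending exception and a possibly null prototype. The condition that selects the first branch is outside this hunk, so a comment stating why the prototype read cannot throw there would make the asymmetry self-explanatory; otherwise the same hadException() check should be applied. Returning nullptr also makes every caller responsible for checking for the exception, which matches the call-site audit the commit message describes.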