Changeset 39534 in webkit for trunk/JavaScriptCore/parser/Nodes.h


Timestamp:
Jan 1, 2009, 12:22:40 AM (16 years ago)
Author:
[email protected]
Message:

[jsfunfuzz] Assertion + incorrect behaviour with dynamically created local variable in a catch block
<https://bugs.webkit.org/show_bug.cgi?id=23063>

Reviewed by Cameron Zwarich

Eval inside a catch block attempts to use the catch block's static scope in
an unsafe way by attempting to add new properties to the scope. This patch
fixes this issue simply by preventing the catch block from using a static
scope if it contains an eval.

File:
1 edited

  • trunk/JavaScriptCore/parser/Nodes.h

    r38823 r39534  
    20162016    class TryNode : public StatementNode {
    20172017    public:
    2018         TryNode(JSGlobalData* globalData, StatementNode* tryBlock, const Identifier& exceptionIdent, StatementNode* catchBlock, StatementNode* finallyBlock) JSC_FAST_CALL
     2018        TryNode(JSGlobalData* globalData, StatementNode* tryBlock, const Identifier& exceptionIdent, bool catchHasEval, StatementNode* catchBlock, StatementNode* finallyBlock) JSC_FAST_CALL
    20192019            : StatementNode(globalData)
    20202020            , m_tryBlock(tryBlock)
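Review bot: The new constructor argument "bool catchHasEval" is a bare positional flag placed between exceptionIdent and catchBlock, so a call site will read as an unexplained true/false in the middle of the argument list. Add a short comment at the declaration saying what the flag means (the catch block contains an eval) and, per the commit message, that it stops the catch block from using a static scope. The call sites are not part of this file's diff, so confirm each one passes the value derived from the catch block's own features rather than a constant.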
     
    20222022            , m_catchBlock(catchBlock)
    20232023            , m_finallyBlock(finallyBlock)
     2024            , m_catchHasEval(catchHasEval)
    20242025        {
    20252026        }
     
    20352036        RefPtr<StatementNode> m_catchBlock;
    20362037        RefPtr<StatementNode> m_finallyBlock;
     2038        bool m_catchHasEval;
    20372039    };
    20382040
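Review bot: m_catchHasEval is added without a comment, and nothing in the visible lines of Nodes.h reads it, so the reason it exists is only recoverable from the commit message. A one-line comment on the member stating that a true value means the catch block must not use a static scope, because eval can add new properties to it, would keep that invariant next to the data. The flag is only ever set in the constructor's initializer list here, so it could also be considered for const if nothing else assigns it.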