mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
[INFER] Watch out computing 'new' value for functions given a non-function type via setting __proto__, bug 640993.
This commit is contained in:
parent
4750d53d19
commit
22ba7f2973
7
js/src/jit-test/tests/basic/bug640993.js
Normal file
7
js/src/jit-test/tests/basic/bug640993.js
Normal file
@ -0,0 +1,7 @@
|
||||
function f() {
|
||||
return f;
|
||||
}
|
||||
f.__proto__ = null;
|
||||
gc();
|
||||
f();
|
||||
new f();
|
@ -3646,15 +3646,17 @@ AnalyzeScriptNew(JSContext *cx, JSScript *script)
|
||||
* Compute the 'this' type when called with 'new'. We do not distinguish regular
|
||||
* from 'new' calls to the function.
|
||||
*/
|
||||
TypeFunction *funType = script->fun->getType()->asFunction();
|
||||
if (funType->unknownProperties || script->fun->isFunctionPrototype()) {
|
||||
|
||||
if (script->fun->getType()->unknownProperties || script->fun->isFunctionPrototype()) {
|
||||
script->thisTypes()->addType(cx, TYPE_UNKNOWN);
|
||||
} else {
|
||||
TypeSet *prototypeTypes = funType->getProperty(cx, id_prototype(cx), false);
|
||||
if (!prototypeTypes)
|
||||
return;
|
||||
prototypeTypes->addNewObject(cx, script, funType, script->thisTypes());
|
||||
return;
|
||||
}
|
||||
|
||||
TypeFunction *funType = script->fun->getType()->asFunction();
|
||||
TypeSet *prototypeTypes = funType->getProperty(cx, id_prototype(cx), false);
|
||||
if (!prototypeTypes)
|
||||
return;
|
||||
prototypeTypes->addNewObject(cx, script, funType, script->thisTypes());
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////////////////////////
|
||||
|
Loading…
Reference in New Issue
Block a user