wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

[INFER] Watch out computing 'new' value for functions given a non-function type via setting __proto__, bug 640993.

Browse Source
This commit is contained in:
Brian Hackett 2011-03-13 21:29:30 -07:00
parent 4750d53d19
commit 22ba7f2973
2 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
js/src/jit-test/tests/basic/bug640993.js Normal file
View File

@ -0,0 +1,7 @@
function f() {
return f;
}
f.__proto__ = null;
gc();
f();
new f();

16
js/src/jsinfer.cpp
View File

@ -3646,15 +3646,17 @@ AnalyzeScriptNew(JSContext *cx, JSScript *script)
* Compute the 'this' type when called with 'new'. We do not distinguish regular
* from 'new' calls to the function.
*/
TypeFunction *funType = script->fun->getType()->asFunction();
if (funType->unknownProperties || script->fun->isFunctionPrototype()) {
if (script->fun->getType()->unknownProperties || script->fun->isFunctionPrototype()) {
script->thisTypes()->addType(cx, TYPE_UNKNOWN);
} else {
TypeSet *prototypeTypes = funType->getProperty(cx, id_prototype(cx), false);
if (!prototypeTypes)
return;
prototypeTypes->addNewObject(cx, script, funType, script->thisTypes());
return;
}
TypeFunction *funType = script->fun->getType()->asFunction();
TypeSet *prototypeTypes = funType->getProperty(cx, id_prototype(cx), false);
if (!prototypeTypes)
return;
prototypeTypes->addNewObject(cx, script, funType, script->thisTypes());
}
/////////////////////////////////////////////////////////////////////