Bug 664951 - Weaken CallJSNativeConstructor again (r=waldo)

2024-09-13 09:24:08 -07:00 · 2011-06-17 16:51:52 -07:00 · 2011-06-17 16:51:52 -07:00 · 2ebc3262be
commit 2ebc3262be
parent 3ca1688adf
3 changed files with 9 additions and 2 deletions
--- a/js/src/jit-test/tests/basic/testBug660734.js
+++ b/js/src/jit-test/tests/basic/testBug660734.js
@ -0,0 +1,4 @@
+var handler = { fix: function() { return []; } };
+var p = Proxy.createFunction(handler, function(){}, function(){});
+Proxy.fix(p);
+new p();
--- a/js/src/jscntxtinlines.h
+++ b/js/src/jscntxtinlines.h
@ -317,7 +317,10 @@ CallJSNativeConstructor(JSContext *cx, js::Native native, const CallArgs &args)
     * (new Object(Object)) returns the callee.
     */
    extern JSBool proxy_Construct(JSContext *, uintN, Value *);
-    JS_ASSERT_IF(native != proxy_Construct && native != js::CallOrConstructBoundFunction &&
+    extern JSBool callable_Construct(JSContext *, uintN, Value *);
+    JS_ASSERT_IF(native != proxy_Construct &&
+                 native != callable_Construct &&
+                 native != js::CallOrConstructBoundFunction &&
                 (!callee.isFunction() || callee.getFunctionPrivate()->u.n.clasp != &js_ObjectClass),
                 !args.rval().isPrimitive() && callee != args.rval().toObject());

--- a/js/src/jsproxy.cpp
+++ b/js/src/jsproxy.cpp
@ -1332,7 +1332,7 @@ callable_Call(JSContext *cx, uintN argc, Value *vp)
    return ok;
 }

-static JSBool
+JSBool
 callable_Construct(JSContext *cx, uintN argc, Value *vp)
 {
    JSObject *thisobj = js_CreateThis(cx, &JS_CALLEE(cx, vp).toObject());