Fix free of NULL value in function ecma_typedarray_helper_dispatch_construct (#4473)

Currently, ecma_op_get_prototype_from_constructor may return NULL
and the function didn't raise that exception.
Also optimize multiple assignment of prototype_obj_p and
multiple access of JERRY_CONTEXT (current_new_target) out.

This fixes https://github.com/jerryscript-project/jerryscript/issues/4463

JerryScript-DCO-1.0-Signed-off-by: Yonggang Luo luoyonggang@gmail.com

jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c

@@ -40,11 +40,20 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
 {
   JERRY_ASSERT (arguments_list_len == 0 || arguments_list_p != NULL);
   ecma_builtin_id_t proto_id = ecma_typedarray_helper_get_prototype_id (typedarray_id);
-  ecma_object_t *prototype_obj_p = ecma_builtin_get (proto_id);
+  ecma_object_t *prototype_obj_p = NULL;
+  ecma_object_t *current_new_target_p = JERRY_CONTEXT (current_new_target_p);
 
-  if (JERRY_CONTEXT (current_new_target_p))
+  if (current_new_target_p != NULL)
   {
-    prototype_obj_p = ecma_op_get_prototype_from_constructor (JERRY_CONTEXT (current_new_target_p), proto_id);
+    prototype_obj_p = ecma_op_get_prototype_from_constructor (current_new_target_p, proto_id);
+    if (prototype_obj_p == NULL)
+    {
+      return ECMA_VALUE_ERROR;
+    }
+  }
+  else
+  {
+    prototype_obj_p = ecma_builtin_get (proto_id);
   }
 
   ecma_value_t val = ecma_op_create_typedarray (arguments_list_p,
@@ -53,7 +62,7 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
                                                 ecma_typedarray_helper_get_shift_size (typedarray_id),
                                                 typedarray_id);
 
-  if (JERRY_CONTEXT (current_new_target_p))
+  if (current_new_target_p != NULL)
   {
     ecma_deref_object (prototype_obj_p);
   }

tests/jerry/es.next/regression-test-issue-4463.js

@@ -0,0 +1,50 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+function Test262Error(message) {
+  this.message = message || "";
+}
+
+Test262Error.prototype.toString = function () {
+  return "Test262Error: " + this.message;
+};
+
+var newTarget = function () {}.bind(null);
+Object.defineProperty(newTarget, "prototype", {
+  get() {
+    throw new Test262Error();
+  },
+});
+
+var typedArrayConstructors = [
+  Float64Array,
+  Float32Array,
+  Int32Array,
+  Int16Array,
+  Int8Array,
+  Uint32Array,
+  Uint16Array,
+  Uint8Array,
+  Uint8ClampedArray,
+];
+
+for (var type of typedArrayConstructors) {
+  try {
+    Reflect.construct(Uint8ClampedArray, [], newTarget);
+  } catch (error) {
+    if (!(error instanceof Test262Error)) {
+      throw "error must be instanceof Test262Error";
+    }
+  }
+}

tests/test262-esnext-excludelist.xml

@@ -198,24 +198,14 @@
   <test id="built-ins/TypedArray/prototype/toLocaleString/BigInt/get-length-uses-internal-arraylength.js"><reason></reason></test>
   <test id="built-ins/TypedArray/prototype/toLocaleString/BigInt/return-result.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/byteoffset-is-negative-zero.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/defined-negative-length.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/toindex-byteoffset.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/length-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors-bigint/length-arg/toindex-length.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/no-args/custom-proto-access-throws.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/object-arg/custom-proto-access-throws.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/typedarray-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/byteoffset-is-negative-zero.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/defined-negative-length.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/toindex-byteoffset.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/length-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/length-arg/toindex-length.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/no-args/custom-proto-access-throws.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/object-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/object-arg/returns.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/typedarray-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/from/BigInt/custom-ctor-returns-other-instance.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/from/BigInt/custom-ctor.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/from/BigInt/new-instance-using-custom-ctor.js"><reason></reason></test>