After the introduction of the Proxy builtin object there was
a possibility to traverse the prototype chain with an invalid object.
The prototype was freed before it's data/properties were queried resulting
in accessing invalid information.
By forcing the allocator to always do a gc (`--mem-stres-test=on` build option)
it was possible to trigger the issue without complicated tests.
New internal method:
* `ecma_op_object_get_prototype_of` which always returns the prototype
of an object and the return value must be freed (if it is valid).
Updated prototype chain traversing in:
* `jerry_object_get_property_names`
* `ecma_builtin_object_prototype_lookup_getter_setter`
* `ecma_op_function_has_instance`
* `ecma_op_function_get_super_constructor`
* `ecma_op_object_is_prototype_of`
* `ecma_op_object_enumerate`
Removed method `ecma_proxy_object_prototype_to_cp`
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
In Proxy.[[Get]] if the target.[[GetOwnPropertyDescriptor]] fails the
trap result should be freed.
Fixes: #4466
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
'this' is a restricted keyword in C++ so it's a good practice to avoid it's usage as an identifier.
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
When accessing an error's type there is no need to check the Proxy
prototype (as there is none).
Fixes: #4440
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
ecma_op_function_get_function_realm now can process proxy and bound functions.
JerryScript-DCO-1.0-Signed-off-by: bence gabor kis kisbg@inf.u-szeged.hu
When shifting a negative BigInt value if the
shift count is very "big" the result should be -1.
eg.:
```
(-2n >> (2n*32n)) === -1n
```
Note: the `-2n >> (2n*31n)` already returned `-1n` prior this change.
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
Proxy flags (IsCallable, IsConstructor) can't be stored on the
property list compressed pointer. As adding a Proxy to a WeakSet
would add a property to the Proxy object causing failures down the line.
The prototype internal "slot" can be used to store there flags as
it is not used in case of Proxies (as per standard).
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
- Rework symbols to have the same value across realms
- Support realms for native functions
- Support test262
- Use new.target realms for constructing intrinsics
JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
- Type for realm objects is introduced (ecma_global_object_t)
- Realm reference is added to built-in objects and ECMAScript functions
- Resolving built-ins, global environments, and scopes require realm object
- Unnecessary global object accesses are removed from the code
Missing: external functions and static snapshot functions have no realm reference
JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
The handling of Proxy.[[Get]] was not fully correctly in the case when the
Proxy was revoked during the execution of the handler.
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
- All built-ins are native functions now
- Native handlers have a built-in id: ECMA_BUILTIN_ID_HANDLER
- Built-in routine identifiers start from 1
- Built-in routines have an own flag set
- Name property of routines is resolved dynamically
- Style fixes
JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
The previous `ecma_is_constructor` implementation did not checked if the
target function was an arrow or generator function. This resulted in
an incorrect execution for these function types.
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
The `IsCallable(target)` and `IsConstructor(target)` info
can't be stored in the target/handler values.
If the input for the ProxyCreate was a revocable Proxy the original target's
callable/constructor information must be retained even after the
Proxy was revoked.
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
With a disabled JERRY_BUILTIN_PROXY option the build fails becouse
of missing guards.
The run-test buildoption_test is also extended with this.
JerryScript-DCO-1.0-Signed-off-by: Adam Kallai kadam@inf.u-szeged.hu
- Store arguments in a register when possible
- Create separate arguments object for function argument initializer when necessary
JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
- External ArrayBuffer construction with 0 length should be equivalent to `new ArrayBuffer(0)`
- Internally allocated ArrayBuffers should be detachable
- Externally allocated ArrayBuffers free callback should be called when underlying buffer is detached
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
After ES5.1 if the delete returns false a TypeError should be thrown
in strict mode.
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
Member variables of the object must be initialized before setting the
required flags, otherwise the uninitalized values can cause problems
during garbage collection.
JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai daniel.batyai@h-lab.eu
In the newer ecma262 standard (post ES11) the ProxyCreate was
changed and the revoked Proxy handler/target is not checked.
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
Péter Gál