YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5e483633f3ffa4c78ba43bea8eaf394906daf851
jerryscript/tests/jerry/es.next/regression-test-issue-4445.js
T
Péter Gál 5e483633f3 Fix prototype chain traversing (#4458) 
After the introduction of the Proxy builtin object there was
a possibility to traverse the prototype chain with an invalid object.
The prototype was freed before it's data/properties were queried resulting
in accessing invalid information.

By forcing the allocator to always do a gc (`--mem-stres-test=on` build option)
it was possible to trigger the issue without complicated tests.

New internal method:
* `ecma_op_object_get_prototype_of` which always returns the prototype
  of an object and the return value must be freed (if it is valid).

Updated prototype chain traversing in:
* `jerry_object_get_property_names`
* `ecma_builtin_object_prototype_lookup_getter_setter`
* `ecma_op_function_has_instance`
* `ecma_op_function_get_super_constructor`
* `ecma_op_object_is_prototype_of`
* `ecma_op_object_enumerate`

Removed method `ecma_proxy_object_prototype_to_cp`

JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
2021-01-15 20:54:09 +01:00

61 lines
1.5 KiB
JavaScript
Raw Blame History

// Copyright JS Foundation and other contributors, http://js.foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Keeping test as it is due to the fact this was triggered via a gc related issue
var a= ["", "\0", "\t", "\n", "\v", "\f", "\r", " ", "\u00a0", "\u2028", "\u2029", "\ufeff"]
Array.prototype[4] = 10;
function Test()
{
a.sort(function() {
var A = function() { };
A.prototype.x = 42;
var o = new Proxy({
"3": {
writable:false,
value:20
}
}, /*handler*/ {
getPrototypeOf: function (val, size, ch) {
var result = new String(val);
if (ch == null) {
ch = " ";
}
while (result.length < size) {
result = ch + result;
}
return result;
}
}
);
o.x = 43;
var result = "";
for (var p in o) {
result += o[p];
}
return a | 0;
});
throw new EvalError("error");
}
try {
Test();
assert(false);
} catch (ex) {
assert (ex instanceof EvalError);
}
Reference in New Issue View Git Blame Copy Permalink