Fix free of NULL value in function ecma_typedarray_helper_dispatch_co…
…nstruct

Currently, ecma_op_get_prototype_from_constructor may return NULL,
and the function did not raise that exception.
Also optimize out the multiple assignments of prototype_obj_p and
the multiple accesses of JERRY_CONTEXT (current_new_target).

This fixes jerryscript-project#4463

JerryScript-DCO-1.0-Signed-off-by: Yonggang Luo luoyonggang@gmail.com
lygstate committed Jan 15, 2021
1 parent 91baa17 commit 6593ccc
Showing 2 changed files with 69 additions and 4 deletions.
@@ -20,6 +20,7 @@
#include "ecma-builtins.h"
#include "ecma-gc.h"
#include "ecma-objects.h"
#include "ecma-exceptions.h"
#include "ecma-typedarray-object.h"
#include "ecma-function-object.h"
#include "jcontext.h"
@@ -40,11 +41,25 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
{
JERRY_ASSERT (arguments_list_len == 0 || arguments_list_p != NULL);
ecma_builtin_id_t proto_id = ecma_typedarray_helper_get_prototype_id (typedarray_id);
ecma_object_t *prototype_obj_p = ecma_builtin_get (proto_id);
ecma_object_t *current_new_target_p = JERRY_CONTEXT (current_new_target);
ecma_object_t *prototype_obj_p;

if (JERRY_CONTEXT (current_new_target))
if (current_new_target_p != NULL)
{
prototype_obj_p = ecma_op_get_prototype_from_constructor (JERRY_CONTEXT (current_new_target), proto_id);
prototype_obj_p = ecma_op_get_prototype_from_constructor (current_new_target_p, proto_id);
if (jcontext_has_pending_exception ())
{
return ECMA_VALUE_ERROR;
}
}
else
{
prototype_obj_p = ecma_builtin_get (proto_id);
}

if (prototype_obj_p == NULL)
{
return ecma_raise_type_error (ECMA_ERR_MSG ("TypedArray constructor should have prototype"));
}

ecma_value_t val = ecma_op_create_typedarray (arguments_list_p,
@@ -53,7 +68,7 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
ecma_typedarray_helper_get_shift_size (typedarray_id),
typedarray_id);

if (JERRY_CONTEXT (current_new_target))
if (current_new_target_p != NULL)
{
ecma_deref_object (prototype_obj_p);
}
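Review bot: The early return on `if (jcontext_has_pending_exception ())` keys off global engine state rather than the value `ecma_op_get_prototype_from_constructor` just returned, so the NULL case named in the commit message is handled only indirectly. If NULL is that helper's error signal (its contract is not visible in these hunks), testing the pointer inside the new-target branch is more direct: `if (prototype_obj_p == NULL) { return ECMA_VALUE_ERROR; }`. As written, a non-NULL result returned while an exception is pending would exit without the matching `ecma_deref_object (prototype_obj_p)`. The later `prototype_obj_p == NULL` branch raises a TypeError without saying which call can yield NULL with no exception pending, and a short comment there should state that. The function body starts and ends outside the visible hunks.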
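--- a/tests/jerry/es.next/regression-test-issue-4463.js
+++ b/tests/jerry/es.next/regression-test-issue-4463.js
@@ -0,0 +1,50 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+function Test262Error(message) {
+this.message = message || "";
+}
+
+Test262Error.prototype.toString = function () {
+return "Test262Error: " + this.message;
+};
+
+var newTarget = function () {}.bind(null);
+Object.defineProperty(newTarget, "prototype", {
+get() {
+throw new Test262Error();
+},
+});
+
+var typedArrayConstructors = [
+Float64Array,
+Float32Array,
+Int32Array,
+Int16Array,
+Int8Array,
+Uint32Array,
+Uint16Array,
+Uint8Array,
+Uint8ClampedArray,
+];
+
+for (var type of typedArrayConstructors) {
+try {
+Reflect.construct(Uint8ClampedArray, [], newTarget);
+} catch (error) {
+if (!(error instanceof Test262Error)) {
+throw "error must be instanceof Test262Error";
+}
+}
+}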
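Review bot: The loop variable in `for (var type of typedArrayConstructors)` is never used, because every iteration calls `Reflect.construct(Uint8ClampedArray, [], newTarget)`, so only one of the nine listed constructors is exercised. The call should read `Reflect.construct(type, [], newTarget);`. The `try` block also passes silently when no exception is thrown at all, so a build that skips the `prototype` getter without crashing would still pass. Recording in the `catch` that the expected `Test262Error` was seen, and asserting that after the `try`, would close the gap.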
