Fix free of NULL value in function ecma_typedarray_helper_dispatch_co…
…nstruct

Currently, ecma_op_get_prototype_from_constructor may return NULL,
and the function did not report that exception to its caller.
Also remove the redundant assignment of prototype_obj_p and the
repeated reads of JERRY_CONTEXT (current_new_target).

This fixes jerryscript-project#4463

JerryScript-DCO-1.0-Signed-off-by: Yonggang Luo luoyonggang@gmail.com
lygstate committed Jan 15, 2021
1 parent 91baa17 commit 8e216a2
Showing 3 changed files with 64 additions and 14 deletions.
Expand Up @@ -20,6 +20,7 @@
#include "ecma-builtins.h"
#include "ecma-gc.h"
#include "ecma-objects.h"
#include "ecma-exceptions.h"
#include "ecma-typedarray-object.h"
#include "ecma-function-object.h"
#include "jcontext.h"
Expand All @@ -40,11 +41,20 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
{
JERRY_ASSERT (arguments_list_len == 0 || arguments_list_p != NULL);
ecma_builtin_id_t proto_id = ecma_typedarray_helper_get_prototype_id (typedarray_id);
ecma_object_t *prototype_obj_p = ecma_builtin_get (proto_id);
ecma_object_t *current_new_target_p = JERRY_CONTEXT (current_new_target);
ecma_object_t *prototype_obj_p;

if (JERRY_CONTEXT (current_new_target))
if (current_new_target_p != NULL)
{
prototype_obj_p = ecma_op_get_prototype_from_constructor (JERRY_CONTEXT (current_new_target), proto_id);
prototype_obj_p = ecma_op_get_prototype_from_constructor (current_new_target_p, proto_id);
if (prototype_obj_p == NULL)
{
return ECMA_VALUE_ERROR;
}
}
else
{
prototype_obj_p = ecma_builtin_get (proto_id);
}

ecma_value_t val = ecma_op_create_typedarray (arguments_list_p,
Expand All @@ -53,7 +63,7 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
ecma_typedarray_helper_get_shift_size (typedarray_id),
typedarray_id);

if (JERRY_CONTEXT (current_new_target))
if (current_new_target_p != NULL)
{
ecma_deref_object (prototype_obj_p);
}
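Review bot: The early `return ECMA_VALUE_ERROR;` under the `prototype_obj_p == NULL` check depends on ecma_op_get_prototype_from_constructor having already left the exception pending, and nothing at that site says so; a comment such as `/* NULL: the prototype lookup threw, the exception is already pending */` would keep a later reader from adding a second raise or falling back to the builtin prototype. The same section adds `#include "ecma-exceptions.h"`, yet no line visible in these hunks uses anything from it, so it looks unneeded unless code outside the hunks does. The closing `ecma_deref_object (prototype_obj_p)` is balanced only because the new-target path hands back an owned reference while `ecma_builtin_get` presumably does not; a one-line comment on that asymmetry is worth having, since this is the path a script-supplied new target reaches. The function body starts and ends outside the hunks shown.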
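--- a/tests/jerry/es.next/regression-test-issue-4463.js
+++ b/tests/jerry/es.next/regression-test-issue-4463.js
@@ -0,0 +1,50 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+function Test262Error(message) {
+this.message = message || "";
+}
+
+Test262Error.prototype.toString = function () {
+return "Test262Error: " + this.message;
+};
+
+var newTarget = function () {}.bind(null);
+Object.defineProperty(newTarget, "prototype", {
+get() {
+throw new Test262Error();
+},
+});
+
+var typedArrayConstructors = [
+Float64Array,
+Float32Array,
+Int32Array,
+Int16Array,
+Int8Array,
+Uint32Array,
+Uint16Array,
+Uint8Array,
+Uint8ClampedArray,
+];
+
+for (var type of typedArrayConstructors) {
+try {
+Reflect.construct(Uint8ClampedArray, [], newTarget);
+} catch (error) {
+if (!(error instanceof Test262Error)) {
+throw "error must be instanceof Test262Error";
+}
+}
+}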
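Review bot: The `Reflect.construct` call inside the loop always constructs `Uint8ClampedArray` and never uses the loop variable `type`, so the other eight entries of `typedArrayConstructors` are not exercised; the line should read `Reflect.construct(type, [], newTarget);`. The `try` block also passes silently when no exception is thrown at all, so a regression that swallows the getter's error would go unnoticed. Setting a flag in the `catch` (for example `caught = true;`) and checking it after the `try`/`catch` with `if (!caught) throw "expected Test262Error";` would pin the behaviour the fix is meant to guarantee.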
10 changes: 0 additions & 10 deletions tests/test262-esnext-excludelist.xml
Expand Up @@ -198,24 +198,14 @@
<test id="built-ins/TypedArray/prototype/toLocaleString/BigInt/get-length-uses-internal-arraylength.js"><reason></reason></test>
<test id="built-ins/TypedArray/prototype/toLocaleString/BigInt/return-result.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/byteoffset-is-negative-zero.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/defined-negative-length.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/toindex-byteoffset.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors-bigint/length-arg/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors-bigint/length-arg/toindex-length.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors-bigint/no-args/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors-bigint/object-arg/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors-bigint/typedarray-arg/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/byteoffset-is-negative-zero.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/defined-negative-length.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/toindex-byteoffset.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/length-arg/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/length-arg/toindex-length.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/no-args/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/object-arg/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/object-arg/returns.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/ctors/typedarray-arg/custom-proto-access-throws.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/from/BigInt/custom-ctor-returns-other-instance.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/from/BigInt/custom-ctor.js"><reason></reason></test>
<test id="built-ins/TypedArrayConstructors/from/BigInt/new-instance-using-custom-ctor.js"><reason></reason></test>