Harden executeConstruct against incorrect return types from host functions
author oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 Aug 2013 17:49:52 +0000 (17:49 +0000)
committer oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 Aug 2013 17:49:52 +0000 (17:49 +0000)
commit fe1e1f83f769d8eae9d8b9b4bc9e8d4005abf148
tree b63178b29b9fe018852ceb9e53d461b8ec6ba87f
parent 48ad6de50b0aad356f1e6daaba371cb0e78620e0
Harden executeConstruct against incorrect return types from host functions
https://bugs.webkit.org/show_bug.cgi?id=119757

Reviewed by Mark Hahnenberg.

Add logic to guard against bogus return types. There doesn't seem to be any
class in WebKit that does this wrong, but the typed array stubs in debug JSC
do exhibit this bad behaviour.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeConstruct):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@154011 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/interpreter/Interpreter.cpp
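The pattern the commit describes, as an added illustration rather than JavaScriptCore's own code: a construct call validates what a host (native) constructor hands back instead of trusting it to honour the "construct returns an object" contract, so a misbehaving stub produces a controlled TypeError rather than a primitive being treated as an object. The `Value`, `HostConstructor` and `executeConstruct` names are assumptions of this model, not JSC's API.

```cpp
// Added model, not JavaScriptCore code. Names below are assumed for illustration.
#include <string>

struct Value {
    enum class Kind { Undefined, Number, Object } kind = Kind::Undefined;
    double number = 0;
    const void* object = nullptr;   // opaque handle standing in for a heap cell
    bool isObject() const { return kind == Kind::Object; }
    static Value makeNumber(double n) { Value v; v.kind = Kind::Number; v.number = n; return v; }
    static Value makeObject(const void* o) { Value v; v.kind = Kind::Object; v.object = o; return v; }
};

// A host function invoked with "new" semantics; it is supposed to return an object.
using HostConstructor = Value (*)();

struct ConstructResult {
    bool ok;
    Value value;        // the constructed object when ok is true
    std::string error;  // diagnostic when ok is false
};

// Hardened construct path: the return value crosses a trust boundary, so check its
// type before any caller is allowed to dereference it as an object.
ConstructResult executeConstruct(HostConstructor ctor) {
    Value result = ctor();
    if (!result.isObject())
        return { false, Value{}, "TypeError: host constructor did not return an object" };
    return { true, result, "" };
}

// Well-behaved host constructor: returns a (constructed, fake) object handle.
static int dummyCell;
Value goodHostConstructor() { return Value::makeObject(&dummyCell); }

// Misbehaving host constructor, in the spirit of the debug typed-array stubs the
// commit message mentions: returns a primitive where an object is required.
Value bogusHostConstructor() { return Value::makeNumber(42); }
```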