Missing exception check in JSObject::hasInstance
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Jul 2017 17:03:45 +0000 (17:03 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Jul 2017 17:03:45 +0000 (17:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=174455
<rdar://problem/31384608>

Reviewed by Mark Lam.

JSTests:

* stress/has-instance-exception-check.js: Added.
(assert):
(let.getter.Object.getOwnPropertyDescriptor.get foo):

Source/JavaScriptCore:

* runtime/JSObject.cpp:
(JSC::JSObject::hasInstance):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@219451 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/has-instance-exception-check.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.cpp

index 9bfd2d4..cb75fff 100644 (file)
@@ -1,3 +1,15 @@
+2017-07-13  Saam Barati  <sbarati@apple.com>
+
+        Missing exception check in JSObject::hasInstance
+        https://bugs.webkit.org/show_bug.cgi?id=174455
+        <rdar://problem/31384608>
+
+        Reviewed by Mark Lam.
+
+        * stress/has-instance-exception-check.js: Added.
+        (assert):
+        (let.getter.Object.getOwnPropertyDescriptor.get foo):
+
 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
 
         [ESnext] Implement Object Spread
diff --git a/JSTests/stress/has-instance-exception-check.js b/JSTests/stress/has-instance-exception-check.js
new file mode 100644 (file)
index 0000000..e4ffdc6
--- /dev/null
@@ -0,0 +1,17 @@
+function assert(b) {
+    if (!b)
+        throw new Error("Bad assertion");
+}
+
+let getter = Object.getOwnPropertyDescriptor({get foo(){}}, "foo").get;
+Object.defineProperty(getter, Symbol.hasInstance, {value:undefined});
+let y = {};
+Object.defineProperty(getter, "prototype", {get: Uint8Array});
+let error = null;
+try {
+    y instanceof getter;
+} catch(e) {
+    error = e;
+}
+assert(!!error);
+assert(error.toString() === "TypeError: calling Uint8Array constructor without new is invalid");
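Review bot: The test gives no hint of which part of the setup exercises the fix; a one-line comment above the `Object.defineProperty(getter, "prototype", {get: Uint8Array});` line would help, e.g. `// "prototype" is an accessor that throws (Uint8Array called without new), so instanceof must propagate that TypeError instead of continuing.` Defining `Symbol.hasInstance` as `undefined` at the line above it is presumably there to force the default hasInstance path; saying so in a comment would make the intent clear to the next reader. The exact-message comparison in the final assert ties the test to the error wording, which is fine if that is this suite's convention.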
index 9f67091..dd4cef6 100644 (file)
@@ -1,3 +1,14 @@
+2017-07-13  Saam Barati  <sbarati@apple.com>
+
+        Missing exception check in JSObject::hasInstance
+        https://bugs.webkit.org/show_bug.cgi?id=174455
+        <rdar://problem/31384608>
+
+        Reviewed by Mark Lam.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::hasInstance):
+
 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
 
         [ESnext] Implement Object Spread
index 5eb8543..5148259 100644 (file)
@@ -2042,8 +2042,11 @@ bool JSObject::hasInstance(ExecState* exec, JSValue value, JSValue hasInstanceVa
     }
 
     TypeInfo info = structure(vm)->typeInfo();
-    if (info.implementsDefaultHasInstance())
-        return defaultHasInstance(exec, value, get(exec, exec->propertyNames().prototype));
+    if (info.implementsDefaultHasInstance()) {
+        JSValue prototype = get(exec, exec->propertyNames().prototype);
+        RETURN_IF_EXCEPTION(scope, false);
+        return defaultHasInstance(exec, value, prototype);
+    }
     if (info.implementsHasInstance())
         return methodTable(vm)->customHasInstance(this, exec, value);
     throwException(exec, scope, createInvalidInstanceofParameterErrorNotFunction(exec, this));
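Review bot: The new tail call `return defaultHasInstance(exec, value, prototype);` runs with the throw scope still live, and the next hunk's `return hasInstance(exec, value, hasInstanceValue);` does the same under the newly declared scope; if the VM's exception-check validation treats an un-released scope followed by a call into a throwing callee as an unchecked exception, each should be preceded by `scope.release();` — confirm against the ThrowScope rules in this tree. The enclosing function of this hunk starts outside it, which is where `scope` is presumably declared. A short comment on the new `get` would also tell a reader why the check is needed, e.g. `// "prototype" may be an accessor, so this get() can run user code and throw.`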
@@ -2052,7 +2055,10 @@ bool JSObject::hasInstance(ExecState* exec, JSValue value, JSValue hasInstanceVa
 
 bool JSObject::hasInstance(ExecState* exec, JSValue value)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSValue hasInstanceValue = get(exec, exec->propertyNames().hasInstanceSymbol);
+    RETURN_IF_EXCEPTION(scope, false);
 
     return hasInstance(exec, value, hasInstanceValue);
 }