RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 19:38:12 +00:00
Code Issues Activity Actions

LibJS: Fix crashing exception in Value::ordinary_has_instance()

Browse source 
Two issues:

- throw_exception() with ErrorType::InstanceOfOperatorBadPrototype would
  receive rhs_prototype.to_string_without_side_effects(), which would
  ASSERT_NOT_REACHED() as to_string_without_side_effects() must not be
  called on an empty value. It should (and now does) receive the RHS
  value instead as the message is "'prototype' property of {} is not an
  object".
- Value::instance_of() was missing an exception check after calling
  has_instance_method, to_boolean() on an empty value result would crash
  as well.

Fixes #3930.
This commit is contained in:
Linus Groh 2020-11-03 17:54:57 +00:00 committed by Andreas Kling
parent c538e22516
commit 565a26808d
2 changed files with 17 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Libraries/LibJS/Runtime/Value.cpp
View file

@ -711,8 +711,10 @@ Value instance_of(GlobalObject& global_object, Value lhs, Value rhs)
vm.throw_exception<TypeError>(global_object, ErrorType::NotAFunction, has_instance_method.to_string_without_side_effects());
return {};
}
return Value(vm.call(has_instance_method.as_function(), rhs, lhs).to_boolean());
auto has_instance_result = vm.call(has_instance_method.as_function(), rhs, lhs);
if (vm.exception())
return {};
return Value(has_instance_result.to_boolean());
}
if (!rhs.is_function()) {
@ -743,7 +745,7 @@ Value ordinary_has_instance(GlobalObject& global_object, Value lhs, Value rhs)
return {};
if (!rhs_prototype.is_object()) {
vm.throw_exception<TypeError>(global_object, ErrorType::InstanceOfOperatorBadPrototype, rhs_prototype.to_string_without_side_effects());
vm.throw_exception<TypeError>(global_object, ErrorType::InstanceOfOperatorBadPrototype, rhs.to_string_without_side_effects());
return {};
}
while (true) {