зеркало из https://github.com/mozilla/gecko-dev.git
Bug 469761 - Protect against apply on a non-function. r=gal
Родитель
2f7877450d
Коммит
ec5bb5b286
|
@ -6539,6 +6539,12 @@ TraceRecorder::guardCallee(jsval& callee)
|
|||
LIns* exit = snapshot(BRANCH_EXIT);
|
||||
JSObject* callee_obj = JSVAL_TO_OBJECT(callee);
|
||||
LIns* callee_ins = get(&callee);
|
||||
|
||||
/*
|
||||
* NB: The following guard guards at runtime that the callee is a
|
||||
* function. Even if the given value is an object that doesn't have
|
||||
* a private slot, the value we're matching against is not forgeable.
|
||||
*/
|
||||
guard(true,
|
||||
lir->ins2(LIR_eq,
|
||||
lir->ins2(LIR_piand,
|
||||
|
@ -6692,6 +6698,10 @@ TraceRecorder::record_JSOP_APPLY()
|
|||
ABORT_TRACE("apply or call across stack-chunks");
|
||||
}
|
||||
|
||||
/* Protect against a non-function callee. */
|
||||
if (!VALUE_IS_FUNCTION(cx, vp[1]))
|
||||
ABORT_TRACE("apply on a non-function");
|
||||
|
||||
/*
|
||||
* Guard on the identity of this, which is the function we
|
||||
* are applying.
|
||||
|
|
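Review bot: The new `VALUE_IS_FUNCTION` check in record_JSOP_APPLY covers only this one call site, while guardCallee still runs `JSVAL_TO_OBJECT(callee)` unconditionally at record time, so its precondition (the callee is a function object) stays implicit for any other caller. If that precondition is meant to hold everywhere, stating it at the top of guardCallee as `JS_ASSERT(VALUE_IS_FUNCTION(cx, callee));` would catch a future caller that forgets the check; whether the other callers already verify this is not visible on this page. The added NB comment would also be easier to audit if it said why the value being compared against is not forgeable, rather than only asserting it. Both function bodies continue outside the shown hunks.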