зеркало из https://github.com/mozilla/gecko-dev.git
Bug 469761 - Protect against apply on a non-function. r=gal
Родитель
2f7877450d
Коммит
ec5bb5b286
|
@ -6539,6 +6539,12 @@ TraceRecorder::guardCallee(jsval& callee)
|
||||||
LIns* exit = snapshot(BRANCH_EXIT);
|
LIns* exit = snapshot(BRANCH_EXIT);
|
||||||
JSObject* callee_obj = JSVAL_TO_OBJECT(callee);
|
JSObject* callee_obj = JSVAL_TO_OBJECT(callee);
|
||||||
LIns* callee_ins = get(&callee);
|
LIns* callee_ins = get(&callee);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* NB: The following guard guards at runtime that the callee is a
|
||||||
|
* function. Even if the given value is an object that doesn't have
|
||||||
|
* a private slot, the value we're matching against is not forgeable.
|
||||||
|
*/
|
||||||
guard(true,
|
guard(true,
|
||||||
lir->ins2(LIR_eq,
|
lir->ins2(LIR_eq,
|
||||||
lir->ins2(LIR_piand,
|
lir->ins2(LIR_piand,
|
||||||
|
@ -6692,6 +6698,10 @@ TraceRecorder::record_JSOP_APPLY()
|
||||||
ABORT_TRACE("apply or call across stack-chunks");
|
ABORT_TRACE("apply or call across stack-chunks");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Protect against a non-function callee. */
|
||||||
|
if (!VALUE_IS_FUNCTION(cx, vp[1]))
|
||||||
|
ABORT_TRACE("apply on a non-function");
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Guard on the identity of this, which is the function we
|
* Guard on the identity of this, which is the function we
|
||||||
* are applying.
|
* are applying.
|
||||||
|
|
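Review bot: The new `VALUE_IS_FUNCTION(cx, vp[1])` abort protects only record_JSOP_APPLY, while guardCallee still runs `JSVAL_TO_OBJECT(callee)` before any type check in the lines shown, so its safety at record time depends on each caller having vetted the value first. The added NB comment explains the runtime guard but not this record-time precondition; I would make it explicit with `JS_ASSERT(VALUE_IS_FUNCTION(cx, callee));` at the top of guardCallee, assuming `cx` is reachable there as it is in record_JSOP_APPLY. Other callers of guardCallee are not visible in this section and should be checked for the same gap. Both function bodies start and end outside the hunks shown, and no regression test for the non-function apply case appears on the page.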