Fix free of NULL value in function ecma_typedarray_helper_dispatch_construct (#4473)

lygstate · web-flow · commit 90d206dceefc · 2021-01-18T10:35:47.000+01:00
Currently, ecma_op_get_prototype_from_constructor may return NULL and the function didn't raise that exception. Also optimize multiple assignment of prototype_obj_p and multiple access of JERRY_CONTEXT (current_new_target) out. This fixes #4463 JerryScript-DCO-1.0-Signed-off-by: Yonggang Luo luoyonggang@gmail.com
diff --git a/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c b/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c
@@ -40,11 +40,20 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
 {
   JERRY_ASSERT (arguments_list_len == 0 || arguments_list_p != NULL);
   ecma_builtin_id_t proto_id = ecma_typedarray_helper_get_prototype_id (typedarray_id);
-  ecma_object_t *prototype_obj_p = ecma_builtin_get (proto_id);
+  ecma_object_t *prototype_obj_p = NULL;
+  ecma_object_t *current_new_target_p = JERRY_CONTEXT (current_new_target_p);
 
-  if (JERRY_CONTEXT (current_new_target_p))
+  if (current_new_target_p != NULL)
   {
-    prototype_obj_p = ecma_op_get_prototype_from_constructor (JERRY_CONTEXT (current_new_target_p), proto_id);
+    prototype_obj_p = ecma_op_get_prototype_from_constructor (current_new_target_p, proto_id);
+    if (prototype_obj_p == NULL)
+    {
+      return ECMA_VALUE_ERROR;
+    }
+  }
+  else
+  {
+    prototype_obj_p = ecma_builtin_get (proto_id);
   }
 
   ecma_value_t val = ecma_op_create_typedarray (arguments_list_p,
@@ -53,7 +62,7 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
                                                 ecma_typedarray_helper_get_shift_size (typedarray_id),
                                                 typedarray_id);
 
-  if (JERRY_CONTEXT (current_new_target_p))
+  if (current_new_target_p != NULL)
   {
     ecma_deref_object (prototype_obj_p);
   }
diff --git a/tests/jerry/es.next/regression-test-issue-4463.js b/tests/jerry/es.next/regression-test-issue-4463.js
@@ -0,0 +1,50 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+function Test262Error(message) {
+  this.message = message || "";
+}
+
+Test262Error.prototype.toString = function () {
+  return "Test262Error: " + this.message;
+};
+
+var newTarget = function () {}.bind(null);
+Object.defineProperty(newTarget, "prototype", {
+  get() {
+    throw new Test262Error();
+  },
+});
+
+var typedArrayConstructors = [
+  Float64Array,
+  Float32Array,
+  Int32Array,
+  Int16Array,
+  Int8Array,
+  Uint32Array,
+  Uint16Array,
+  Uint8Array,
+  Uint8ClampedArray,
+];
+
+for (var type of typedArrayConstructors) {
+  try {
+    Reflect.construct(Uint8ClampedArray, [], newTarget);
+  } catch (error) {
+    if (!(error instanceof Test262Error)) {
+      throw "error must be instanceof Test262Error";
+    }
+  }
+}
diff --git a/tests/test262-esnext-excludelist.xml b/tests/test262-esnext-excludelist.xml
@@ -198,24 +198,14 @@
   <test id="built-ins/TypedArray/prototype/toLocaleString/BigInt/get-length-uses-internal-arraylength.js"><reason></reason></test>
   <test id="built-ins/TypedArray/prototype/toLocaleString/BigInt/return-result.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/byteoffset-is-negative-zero.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/defined-negative-length.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors-bigint/buffer-arg/toindex-byteoffset.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/length-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors-bigint/length-arg/toindex-length.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/no-args/custom-proto-access-throws.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/object-arg/custom-proto-access-throws.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors-bigint/typedarray-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/byteoffset-is-negative-zero.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/defined-negative-length.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/buffer-arg/toindex-byteoffset.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/length-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/length-arg/toindex-length.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/no-args/custom-proto-access-throws.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/object-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/ctors/object-arg/returns.js"><reason></reason></test>
-  <test id="built-ins/TypedArrayConstructors/ctors/typedarray-arg/custom-proto-access-throws.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/from/BigInt/custom-ctor-returns-other-instance.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/from/BigInt/custom-ctor.js"><reason></reason></test>
   <test id="built-ins/TypedArrayConstructors/from/BigInt/new-instance-using-custom-ctor.js"><reason></reason></test>

Original file line number	Diff line number	Diff line change
`@@ -40,11 +40,20 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,`
`40`	`40`	`{`
`41`	`41`	`JERRY_ASSERT (arguments_list_len == 0 \|\| arguments_list_p != NULL);`
`42`	`42`	`ecma_builtin_id_t proto_id = ecma_typedarray_helper_get_prototype_id (typedarray_id);`
`43`		`- ecma_object_t *prototype_obj_p = ecma_builtin_get (proto_id);`
	`43`	`+ ecma_object_t *prototype_obj_p = NULL;`
	`44`	`+ ecma_object_t *current_new_target_p = JERRY_CONTEXT (current_new_target_p);`
`44`	`45`
`45`		`- if (JERRY_CONTEXT (current_new_target_p))`
	`46`	`+ if (current_new_target_p != NULL)`
`46`	`47`	`{`
`47`		`- prototype_obj_p = ecma_op_get_prototype_from_constructor (JERRY_CONTEXT (current_new_target_p), proto_id);`
	`48`	`+ prototype_obj_p = ecma_op_get_prototype_from_constructor (current_new_target_p, proto_id);`
	`49`	`+ if (prototype_obj_p == NULL)`
	`50`	`+ {`
	`51`	`+ return ECMA_VALUE_ERROR;`
	`52`	`+ }`
	`53`	`+ }`
	`54`	`+ else`
	`55`	`+ {`
	`56`	`+ prototype_obj_p = ecma_builtin_get (proto_id);`
`48`	`57`	`}`
`49`	`58`
`50`	`59`	`ecma_value_t val = ecma_op_create_typedarray (arguments_list_p,`
`@@ -53,7 +62,7 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,`
`53`	`62`	`ecma_typedarray_helper_get_shift_size (typedarray_id),`
`54`	`63`	`typedarray_id);`
`55`	`64`
`56`		`- if (JERRY_CONTEXT (current_new_target_p))`
	`65`	`+ if (current_new_target_p != NULL)`
`57`	`66`	`{`
`58`	`67`	`ecma_deref_object (prototype_obj_p);`
`59`	`68`	`}`