Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-19 16:25:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1530687 - Check for recursion when delegating instanceof to a bound function target. r=anba

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D25409

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Jason Orendorff 2019-04-02 09:46:03 +00:00
parent c9ad0cdcc7
commit 1b93cfd3a6
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
js/src/tests/non262/operators/instanceof-bound-function-recursion.js Normal file
View File

@ -0,0 +1,21 @@
function f() {}
var fn = f;
for (var i = 0; i < 100000; ++i) {
fn = fn.bind();
// Ensure we don't fallback to @@hasInstance from %FunctionPrototype%.
Object.defineProperty(fn, Symbol.hasInstance, {
value: undefined, writable: true, enumerable: true, writable: true
});
// Prevent generating overlong names of the form "bound bound bound [...] f".
Object.defineProperty(fn, "name", {
value: "", writable: true, enumerable: true, writable: true
});
}
assertThrowsInstanceOf(
() => ({}) instanceof fn,
Error,
"detect runaway recursion delegating instanceof to bound function target");

3
js/src/vm/JSFunction.cpp
View File

@ -720,6 +720,9 @@ bool JS::OrdinaryHasInstance(JSContext* cx, HandleObject objArg, HandleValue v,
/* Step 2. */
if (obj->is<JSFunction>() && obj->isBoundFunction()) {
/* Steps 2a-b. */
if (!CheckRecursionLimit(cx)) {
return false;
}
obj = obj->as<JSFunction>().getBoundFunctionTarget();
return InstanceofOperator(cx, obj, v, bp);
}