Fix instanceof to throw a TypeError if the RHS doesn't have a [[HasInstance]] internal method, per ECMA-262 Ed. 3 (r=shaver).

2024-10-13 13:25:37 +00:00 · 2005-02-24 00:06:43 +00:00 · 2005-02-24 00:06:43 +00:00 · 8e1b9d4f60
commit 8e1b9d4f60
parent e180302d71
2 changed files with 18 additions and 13 deletions
--- a/js/src/jsinterp.c
+++ b/js/src/jsinterp.c
@ -3190,11 +3190,11 @@ js_Interpret(JSContext *cx, jsbytecode *pc, jsval *result)
            break;

          case JSOP_TYPEOF:
-            rval = POP_OPND();
+            rval = FETCH_OPND(-1);
+            SAVE_SP(fp);
            type = JS_TypeOfValue(cx, rval);
            atom = rt->atomState.typeAtoms[type];
-            str  = ATOM_TO_STRING(atom);
-            PUSH_OPND(STRING_TO_JSVAL(str));
+            STORE_OPND(-1, ATOM_KEY(atom));
            break;

          case JSOP_VOID:
@ -4894,7 +4894,8 @@ js_Interpret(JSContext *cx, jsbytecode *pc, jsval *result)
 #if JS_HAS_INSTANCEOF
          case JSOP_INSTANCEOF:
            rval = FETCH_OPND(-1);
-            if (JSVAL_IS_PRIMITIVE(rval)) {
+            if (JSVAL_IS_PRIMITIVE(rval) ||
+                !(obj = JSVAL_TO_OBJECT(rval))->map->ops->hasInstance) {
                SAVE_SP(fp);
                str = js_DecompileValueGenerator(cx, -1, rval, NULL);
                if (str) {
@ -4905,15 +4906,12 @@ js_Interpret(JSContext *cx, jsbytecode *pc, jsval *result)
                ok = JS_FALSE;
                goto out;
            }
-            obj = JSVAL_TO_OBJECT(rval);
            lval = FETCH_OPND(-2);
            cond = JS_FALSE;
-            if (obj->map->ops->hasInstance) {
-                SAVE_SP(fp);
-                ok = obj->map->ops->hasInstance(cx, obj, lval, &cond);
-                if (!ok)
-                    goto out;
-            }
+            SAVE_SP(fp);
+            ok = obj->map->ops->hasInstance(cx, obj, lval, &cond);
+            if (!ok)
+                goto out;
            sp--;
            STORE_OPND(-1, BOOLEAN_TO_JSVAL(cond));
            break;
--- a/js/src/jsobj.c
+++ b/js/src/jsobj.c
@ -3541,6 +3541,7 @@ JSBool
 js_HasInstance(JSContext *cx, JSObject *obj, jsval v, JSBool *bp)
 {
    JSClass *clasp;
+    JSString *str;

    clasp = OBJ_GET_CLASS(cx, obj);
    if (clasp->hasInstance)
@ -3561,8 +3562,14 @@ js_HasInstance(JSContext *cx, JSObject *obj, jsval v, JSBool *bp)
        }
    }
 #endif
-    *bp = JS_FALSE;
-    return JS_TRUE;
+    str = js_DecompileValueGenerator(cx, JSDVG_SEARCH_STACK,
+                                     OBJECT_TO_JSVAL(obj), NULL);
+    if (str) {
+        JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
+                             JSMSG_BAD_INSTANCEOF_RHS,
+                             JS_GetStringBytes(str));
+    }
+    return JS_FALSE;
 }

 JSBool