Revision: 22065
Author: [email protected]
Date: Fri Jun 27 13:50:37 2014 UTC
Log: Don't leak the global object in the Function constructor.
BUG=
[email protected]
Review URL: https://codereview.chromium.org/359713005
http://code.google.com/p/v8/source/detail?r=22065
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-function-constructor-receiver.js
Modified:
/branches/bleeding_edge/src/runtime.cc
=======================================
--- /dev/null
+++
/branches/bleeding_edge/test/mjsunit/regress/regress-function-constructor-receiver.js
Fri Jun 27 13:50:37 2014 UTC
@@ -0,0 +1,17 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Return the raw CallSites array.
+Error.prepareStackTrace = function (a,b) { return b; };
+
+var threw = false;
+try {
+ new Function({toString:0,valueOf:0});
+} catch (e) {
+ threw = true;
+ // Ensure that the receiver during "new Function" is the global proxy.
+ assertEquals(this, e.stack[0].getThis());
+}
+
+assertTrue(threw);
=======================================
--- /branches/bleeding_edge/src/runtime.cc Fri Jun 27 13:48:37 2014 UTC
+++ /branches/bleeding_edge/src/runtime.cc Fri Jun 27 13:50:37 2014 UTC
@@ -8221,7 +8221,7 @@
// instead of a new JSFunction object. This way, errors are
// reported the same way whether or not 'Function' is called
// using 'new'.
- return isolate->context()->global_object();
+ return isolate->context()->global_proxy();
}
}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
