Reviewers: Søren Gjesse,
Description:
Another fix for leaking error objects. User code can overwrite
ReferenceError.prototype.__proto__ which will make "error instanceof
Error" fail. However, the ReferenceError.prototype object itself
cannot be modified. Therefore, the error checks must check for
concrete error instances instead of only checking for Error.
Please review this at http://codereview.chromium.org/6388003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/messages.js
M test/cctest/test-api.cc
Index: src/messages.js
diff --git a/src/messages.js b/src/messages.js
index
2d8eb8e86b45b0acb21ab941b6aaf6ad146fbca1..24b642fb8373e25b507aa3b201ec0a15f7659f08
100644
--- a/src/messages.js
+++ b/src/messages.js
@@ -90,12 +90,28 @@ function FormatString(format, args) {
}
+// To check if something is a native error we need to check the
+// concrete native error types. It is not enough to check "obj
+// instanceof $Error" because user code can replace
+// NativeError.prototype.__proto__. User code cannot replace
+// NativeError.prototype though and therefore this is a safe test.
+function IsNativeErrorObject(obj) {
+ return (obj instanceof $Error) ||
+ (obj instanceof $EvalError) ||
+ (obj instanceof $RangeError) ||
+ (obj instanceof $ReferenceError) ||
+ (obj instanceof $SyntaxError) ||
+ (obj instanceof $TypeError) ||
+ (obj instanceof $URIError);
+}
+
+
// When formatting internally created error messages, do not
// invoke overwritten error toString methods but explicitly use
// the error to string method. This is to avoid leaking error
// objects between script tags in a browser setting.
function ToStringCheckErrorObject(obj) {
- if (obj instanceof $Error) {
+ if (IsNativeErrorObject(obj)) {
return %_CallFunction(obj, errorToString);
} else {
return ToString(obj);
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index
de00fbba4635a2543775d74ba5e3efa5d8367a43..90f499674299768599b7986e8674a487fe54c10f
100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -2383,6 +2383,10 @@ TEST(APIThrowMessageOverwrittenToString) {
CompileRun("asdf;");
CompileRun("ReferenceError.prototype.constructor = void 0;");
CompileRun("asdf;");
+ CompileRun("ReferenceError.prototype.__proto__ = new Object();");
+ CompileRun("asdf;");
+ CompileRun("ReferenceError.prototype = new Object();");
+ CompileRun("asdf;");
v8::Handle<Value> string = CompileRun("try { asdf; } catch(e) { e + '';
}");
CHECK(string->Equals(v8_str("Whoops")));
v8::V8::RemoveMessageListeners(check_message);
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
