Revision: 6450
Author: [email protected]
Date: Tue Jan 25 00:48:59 2011
Log: Another fix for leaking error objects. User code can overwrite
ReferenceError.prototype.__proto__ which will make "error instanceof
Error" fail. However, the ReferenceError.prototype object itself
cannot be modified. Therefore, the error checks must check for
concrete error instances instead of only checking for Error.

Review URL: http://codereview.chromium.org/6388003
http://code.google.com/p/v8/source/detail?r=6450

Modified:
 /branches/bleeding_edge/src/messages.js
 /branches/bleeding_edge/test/cctest/test-api.cc

=======================================
--- /branches/bleeding_edge/src/messages.js     Mon Jan 24 10:13:18 2011
+++ /branches/bleeding_edge/src/messages.js     Tue Jan 25 00:48:59 2011
@@ -88,6 +88,22 @@
   }
   return result;
 }
+
+
+// To check if something is a native error we need to check the
+// concrete native error types. It is not enough to check "obj
+// instanceof $Error" because user code can replace
+// NativeError.prototype.__proto__. User code cannot replace
+// NativeError.prototype though and therefore this is a safe test.
+function IsNativeErrorObject(obj) {
+  return (obj instanceof $Error) ||
+      (obj instanceof $EvalError) ||
+      (obj instanceof $RangeError) ||
+      (obj instanceof $ReferenceError) ||
+      (obj instanceof $SyntaxError) ||
+      (obj instanceof $TypeError) ||
+      (obj instanceof $URIError);
+}


 // When formatting internally created error messages, do not
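Review bot: The list in IsNativeErrorObject is maintained by hand, so any native error constructor that is not enumerated here fails the check, and ToStringCheckErrorObject then falls back to ToString(obj), which is exactly the path that leaks the error object to user code. That coupling is not visible at the call site; a comment on the list would make the invariant explicit, e.g. `// Every native error constructor must appear in this list: an omission routes that error through ToString(obj) and reopens the error-object leak.` It may also be worth stating in the existing comment that instanceof only walks obj's prototype chain, so the test accepts any object whose chain reaches a native error prototype; that looks acceptable here since such an object is then formatted by the internal errorToString rather than by user code, but I cannot confirm from the hunk what errorToString reads.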
@@ -95,7 +111,7 @@
 // the error to string method. This is to avoid leaking error
 // objects between script tags in a browser setting.
 function ToStringCheckErrorObject(obj) {
-  if (obj instanceof $Error) {
+  if (IsNativeErrorObject(obj)) {
     return %_CallFunction(obj, errorToString);
   } else {
     return ToString(obj);
=======================================
--- /branches/bleeding_edge/test/cctest/test-api.cc     Sun Jan 23 23:59:40 2011
+++ /branches/bleeding_edge/test/cctest/test-api.cc     Tue Jan 25 00:48:59 2011
@@ -2383,6 +2383,10 @@
   CompileRun("asdf;");
   CompileRun("ReferenceError.prototype.constructor = void 0;");
   CompileRun("asdf;");
+  CompileRun("ReferenceError.prototype.__proto__ = new Object();");
+  CompileRun("asdf;");
+  CompileRun("ReferenceError.prototype = new Object();");
+  CompileRun("asdf;");
v8::Handle<Value> string = CompileRun("try { asdf; } catch(e) { e + ''; }");
   CHECK(string->Equals(v8_str("Whoops")));
   v8::V8::RemoveMessageListeners(check_message);
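Review bot: `CompileRun("ReferenceError.prototype = new Object();");` is meant to exercise the claim in the commit message that the prototype property itself cannot be replaced, but nothing in the test asserts that the assignment had no effect, so the line reads as if the replacement were expected to succeed. A short comment would keep the intent readable, e.g. `// ReferenceError.prototype is not writable: the assignment must be a no-op and the next throw must still be formatted by the internal error toString.` The new cases cover ReferenceError only, whereas IsNativeErrorObject in messages.js lists seven constructors, so a throw site for a second native error type would guard the rest of the list; I cannot tell from the hunk whether check_message is tied to this specific message. The enclosing test body starts before the hunk.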
