Don't leak the global object in the Function constructor.
authorverwaest@chromium.org <verwaest@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 27 Jun 2014 13:50:37 +0000 (13:50 +0000)
committerverwaest@chromium.org <verwaest@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 27 Jun 2014 13:50:37 +0000 (13:50 +0000)
BUG=
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/359713005

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22065 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/runtime.cc
test/mjsunit/regress/regress-function-constructor-receiver.js [new file with mode: 0644]

index 53f88f1..229e21a 100644 (file)
@@ -8221,7 +8221,7 @@ static Object* Runtime_NewObjectHelper(Isolate* isolate,
       // instead of a new JSFunction object. This way, errors are
       // reported the same way whether or not 'Function' is called
       // using 'new'.
-      return isolate->context()->global_object();
+      return isolate->context()->global_proxy();
     }
   }
 
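Review bot: The replaced `return` line in Runtime_NewObjectHelper is undocumented: the surviving comment above it explains why the global is returned instead of a fresh JSFunction, but not why it must be the proxy rather than the global object, which is the actual point of the fix. Suggest extending that comment with `// Always hand out the global proxy, never the underlying global object: the proxy is the only receiver script may observe (e.g. via CallSite getThis()).` so a later edit does not regress to global_object(). Any other site that passes global_object() to script as a receiver or this-value presumably carries the same exposure and is worth an audit, though none is visible in this hunk. Runtime_NewObjectHelper begins and ends outside the hunk.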
diff --git a/test/mjsunit/regress/regress-function-constructor-receiver.js b/test/mjsunit/regress/regress-function-constructor-receiver.js
new file mode 100644 (file)
index 0000000..f345435
--- /dev/null
@@ -0,0 +1,17 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Return the raw CallSites array.
+Error.prepareStackTrace = function (a,b) { return b; };
+
+var threw = false;
+try {
+  new Function({toString:0,valueOf:0});
+} catch (e) {
+  threw = true;
+  // Ensure that the receiver during "new Function" is the global proxy.
+  assertEquals(this, e.stack[0].getThis());
+}
+
+assertTrue(threw);
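Review bot: The test never states why `{toString:0,valueOf:0}` is passed to `new Function`, which is the whole mechanism of the check: a body that cannot be converted to a string throws inside the constructor, and that frame's receiver is what `getThis()` exposes. A comment above the `try`, `// A non-convertible body forces a TypeError inside Function(), so the constructor frame's receiver becomes observable through getThis().`, would make that explicit. The runtime.cc comment says errors are reported the same way whether or not Function is called with `new`, so a second case invoking `Function({toString:0,valueOf:0})` without `new` and asserting the same receiver would presumably cover that path too, if it reaches the same helper. Restoring `Error.prepareStackTrace` after the assertion would also keep the hook from leaking into anything else evaluated in the same realm.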