From 8945c6985559112ed3e2fa90957c0d32349d11e6 Mon Sep 17 00:00:00 2001
From: "verwaest@chromium.org"
Date: Fri, 27 Jun 2014 13:50:37 +0000
Subject: [PATCH] Don't leak the global object in the Function constructor.
BUG=
R=dcarney@chromium.org
Review URL: https://codereview.chromium.org/359713005
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22065 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/runtime.cc | 2 +-
 .../regress/regress-function-constructor-receiver.js | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-function-constructor-receiver.js
diff --git a/src/runtime.cc b/src/runtime.cc
index 53f88f1..229e21a 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -8221,7 +8221,7 @@ static Object* Runtime_NewObjectHelper(Isolate* isolate,
 // instead of a new JSFunction object. This way, errors are
 // reported the same way whether or not 'Function' is called
 // using 'new'.
- return isolate->context()->global_object();
+ return isolate->context()->global_proxy();
 }
 }
diff --git a/test/mjsunit/regress/regress-function-constructor-receiver.js b/test/mjsunit/regress/regress-function-constructor-receiver.js
new file mode 100644
index 0000000..f345435
--- /dev/null
+++ b/test/mjsunit/regress/regress-function-constructor-receiver.js
@@ -0,0 +1,17 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Return the raw CallSites array.
+Error.prepareStackTrace = function (a,b) { return b; };
+
+var threw = false;
+try {
+ new Function({toString:0,valueOf:0});
+} catch (e) {
+ threw = true;
+ // Ensure that the receiver during "new Function" is the global proxy.
+ assertEquals(this, e.stack[0].getThis());
+}
+
+assertTrue(threw);
-- 
2.7.4
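Review bot: The comment block that the changed `return` sits in is not updated alongside the code; the three context lines shown continue a sentence that starts above the hunk, and that earlier part presumably still describes the receiver as "the global object", which now contradicts the `global_proxy()` call. Since the commit title says the point of the change is that the bare global object must not escape to script, that invariant should be stated next to the return so it is not quietly reverted later, e.g. `// Hand out the global proxy rather than the global object itself: the proxy is the only form of the global that script may observe as a receiver.` The enclosing Runtime_NewObjectHelper starts outside the hunk, so the earlier comment lines cannot be checked here.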
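Review bot: The catch block never checks what was thrown, so any exception that carries a CallSite array satisfies the test, not only the TypeError that converting `{toString:0,valueOf:0}` to a string is expected to raise; add `assertInstanceof(e, TypeError);` before the `assertEquals` so an unrelated failure in `new Function` cannot pass as the regression being guarded. The receiver check itself is sound: in a sloppy-mode script the top-level `this` is the global proxy, which is exactly the object the runtime.cc change now returns. `Error.prepareStackTrace` is left installed for the rest of the file, which appears harmless here since nothing follows the assertion, but a trailing `delete Error.prepareStackTrace;` would make the test self-contained if more cases are added.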