Skip to content

Commit 63febdb

Browse files
dilijevdilijev
committed
[MERGE chakra-core#909] Don't try to create a RecyclableObject::FromVar without checking that the Var is in fact a RecyclableObject first.
Merge pull request chakra-core#909 from dilijev:fromvar Fixes issue introduced in chakra-core#886 Fixes VSO 7399962
2 parents 38fa2e6 + efc0772 commit 63febdb

3 files changed

Lines changed: 57 additions & 2 deletions

File tree

lib/Runtime/Language/JavascriptOperators.cpp

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8823,8 +8823,9 @@ namespace Js
88238823

88248824
BOOL JavascriptOperators::ToPropertyDescriptor(Var propertySpec, PropertyDescriptor* descriptor, ScriptContext* scriptContext)
88258825
{
8826-
if (JavascriptProxy::Is(propertySpec) ||
8827-
JavascriptOperators::CheckIfPrototypeChainContainsProxyObject(RecyclableObject::FromVar(propertySpec)->GetPrototype()))
8826+
if (JavascriptProxy::Is(propertySpec) || (
8827+
RecyclableObject::Is(propertySpec) &&
8828+
JavascriptOperators::CheckIfPrototypeChainContainsProxyObject(RecyclableObject::FromVar(propertySpec)->GetPrototype())))
88288829
{
88298830
if (ToPropertyDescriptorForProxyObjects(propertySpec, descriptor, scriptContext) == FALSE)
88308831
{

test/Object/propertyDescriptorNonObject.js

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
//-------------------------------------------------------------------------------------------------------
2+
// Copyright (C) Microsoft. All rights reserved.
3+
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
4+
//-------------------------------------------------------------------------------------------------------
5+
6+
WScript.LoadScriptFile("..\\UnitTestFramework\\UnitTestFramework.js");
7+
8+
var tests = [
9+
{
10+
name: "Object.create with propertyDescriptor containing non-object keys",
11+
body: function() {
12+
assert.throws(function() { Object.create({}, {a: 0}) },
13+
TypeError,
14+
"Should throw TypeError because property 'a' is not an object.",
15+
"Invalid descriptor for property 'a'")
16+
}
17+
},
18+
{
19+
name: "Object.defineProperty with number for propertyDescriptor",
20+
body: function() {
21+
assert.throws(function() { Object.defineProperty({}, "x", 0) },
22+
TypeError,
23+
"Should throw TypeError because property 'x' is a number.",
24+
"Invalid descriptor for property 'x'")
25+
}
26+
},
27+
{
28+
name: "Object.create with array of non-objects for propertyDescriptor",
29+
body: function() {
30+
assert.throws(function() { Object.create({}, [0]) },
31+
TypeError,
32+
"Should throw TypeError because propertyDescriptor is an array containing non-objects.",
33+
"Invalid descriptor for property '0'")
34+
}
35+
},
36+
{
37+
name: "Object.create in sloppy mode with `this` as a propertyDescriptor when it contains non-object properties",
38+
body: function() {
39+
a = 0;
40+
assert.throws(function() { Object.create({}, this) },
41+
TypeError,
42+
"Should throw TypeError because property 'a' is defined on `this` and is a non-object.",
43+
"Invalid descriptor for property 'a'")
44+
}
45+
},
46+
];
47+
48+
testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });

test/Object/rlexe.xml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,12 @@
5656
<tags>Slow</tags>
5757
</default>
5858
</test>
59+
<test>
60+
<default>
61+
<files>propertyDescriptorNonObject.js</files>
62+
<compile-flags>-args summary -endargs</compile-flags>
63+
</default>
64+
</test>
5965
<test>
6066
<default>
6167
<files>toLocaleString2.js</files>

0 commit comments

Comments
 (0)