Unofficial mirror of the WebKit SVN repository

Make Builtin functions non constructible

https://bugs.webkit.org/show_bug.cgi?id=143923

Reviewed by Darin Adler.

Builtin functions defined by builtins/*.js accidentally have [[Construct]].
According to the spec, these functions, except for those explicitly defined as constructors, do not have [[Construct]].
This patch fixes it. When the JS function used for construction is a builtin function, throw a "not a constructor" error.

Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough.
However, to avoid calling getConstructData (it involves an indirect call of the function pointer of getConstructData), some places do not check ConstructType.
In these places, they only check that the target function is a JSFunction because previously JSFunction always had [[Construct]].
So in this patch, we check `isBuiltinFunction()` in those places.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::inliningCost):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/JSFunction.cpp:
(JSC::JSFunction::getConstructData):
* tests/stress/builtin-function-is-construct-type-none.js: Added.
(shouldThrow):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@182995 268f45cc-cd09-0410-ab3c-d52691b4dbfc
latest commit d62dbe0b44
utatane.tea@gmail.com authored
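
The behaviour this commit enforces can be checked from script. The following is an added example, not the test file from the commit and not WebKit code: it probes for [[Construct]] without running the function body and audits a sample of standard built-in holders for members that are unexpectedly constructible. The helper names (`isConstructor`, `constructibleMembers`, `auditBuiltins`, `newThrowsTypeError`) and the choice of holders are assumptions made for illustration.

```javascript
// Probe for [[Construct]] without executing the candidate function.
// Reflect.construct checks newTarget first and throws TypeError when it has
// no [[Construct]]; Object is the function that actually runs.
function isConstructor(value) {
  if (typeof value !== "function") return false;
  try {
    Reflect.construct(Object, [], value);
    return true;
  } catch (e) {
    return false;
  }
}

// Inspect own properties through descriptors so accessors are examined,
// never invoked. Returns labels of members that carry [[Construct]].
function constructibleMembers(name, holder) {
  const found = [];
  for (const key of Reflect.ownKeys(holder)) {
    if (key === "constructor") continue; // legitimately a constructor
    const desc = Object.getOwnPropertyDescriptor(holder, key);
    for (const slot of ["value", "get", "set"]) {
      if (isConstructor(desc[slot])) found.push(`${name}.${String(key)} (${slot})`);
    }
  }
  return found;
}

// Sample of holders whose function members the spec does not define as
// constructors (chosen for this example; extend as needed).
function auditBuiltins() {
  const holders = {
    "Array.prototype": Array.prototype, "String.prototype": String.prototype,
    "Object.prototype": Object.prototype, "Function.prototype": Function.prototype,
    "Promise.prototype": Promise.prototype, Math, JSON, Reflect,
  };
  return Object.entries(holders).flatMap(([n, h]) => constructibleMembers(n, h));
}

// Confirms that `new fn()` is rejected with TypeError rather than running fn.
function newThrowsTypeError(fn) {
  try { new fn(); } catch (e) { return e instanceof TypeError; }
  return false;
}

console.log("unexpectedly constructible:", auditBuiltins());
```

An empty list is the expected result on a conforming engine; any entry names a built-in member that would accept `new`.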