Don't leak the global object in the Function constructor.

BUG= R=dcarney@chromium.org Review URL: https://codereview.chromium.org/359713005 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22065 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Don't leak the global object in the Function constructor.
BUG= R=dcarney@chromium.org Review URL: https://codereview.chromium.org/359713005 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22065 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
8945c698 · verwaest@chromium.org · 63431b23 · 8945c698 · 8945c698
Commit 8945c698 authored Jun 27, 2014 by verwaest@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 1 deletion

runtime.cc src/runtime.cc +1 -1

regress-function-constructor-receiver.js .../mjsunit/regress/regress-function-constructor-receiver.js +17 -0

No files found.
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -8221,7 +8221,7 @@ static Object* Runtime_NewObjectHelper(Isolate* isolate,
      // instead of a new JSFunction object. This way, errors are
      // reported the same way whether or not 'Function' is called
      // using 'new'.
-      return isolate->context()->global_object();
+      return isolate->context()->global_proxy();
    }
  }


--- a/test/mjsunit/regress/regress-function-constructor-receiver.js
+++ b/test/mjsunit/regress/regress-function-constructor-receiver.js
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Return the raw CallSites array.
+Error.prepareStackTrace = function (a,b) { return b; };
+
+var threw = false;
+try {
+  new Function({toString:0,valueOf:0});
+} catch (e) {
+  threw = true;
+  // Ensure that the receiver during "new Function" is the global proxy.
+  assertEquals(this, e.stack[0].getThis());
+}
+
+assertTrue(threw);