Another fix for leaking error objects. User code can overwrite

ReferenceError.prototype.__proto__ which will make "error instanceof Error" fail. However, the ReferenceError.prototype object itself cannot be modified. Therefore, the error checks must check for concrete error instances instead of only checking for Error. Review URL: http://codereview.chromium.org/6388003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6450 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Another fix for leaking error objects. User code can overwrite
ReferenceError.prototype.__proto__ which will make "error instanceof Error" fail. However, the ReferenceError.prototype object itself cannot be modified. Therefore, the error checks must check for concrete error instances instead of only checking for Error. Review URL: http://codereview.chromium.org/6388003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6450 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
d69ef26f · ager@chromium.org · d5cab38a · d69ef26f · d69ef26f
Commit d69ef26f authored Jan 25, 2011 by ager@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 1 deletion

messages.js src/messages.js +17 -1

test-api.cc test/cctest/test-api.cc +4 -0

No files found.
--- a/src/messages.js
+++ b/src/messages.js
@@ -90,12 +90,28 @@ function FormatString(format, args) {
 }


+// To check if something is a native error we need to check the
+// concrete native error types. It is not enough to check "obj
+// instanceof $Error" because user code can replace
+// NativeError.prototype.__proto__. User code cannot replace
+// NativeError.prototype though and therefore this is a safe test.
+function IsNativeErrorObject(obj) {
+  return (obj instanceof $Error) ||
+      (obj instanceof $EvalError) ||
+      (obj instanceof $RangeError) ||
+      (obj instanceof $ReferenceError) ||
+      (obj instanceof $SyntaxError) ||
+      (obj instanceof $TypeError) ||
+      (obj instanceof $URIError);
+}
+
+
 // When formatting internally created error messages, do not
 // invoke overwritten error toString methods but explicitly use
 // the error to string method. This is to avoid leaking error
 // objects between script tags in a browser setting.
 function ToStringCheckErrorObject(obj) {
-  if (obj instanceof $Error) {
+  if (IsNativeErrorObject(obj)) {
    return %_CallFunction(obj, errorToString);
  } else {
    return ToString(obj);

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -2383,6 +2383,10 @@ TEST(APIThrowMessageOverwrittenToString) {
  CompileRun("asdf;");
  CompileRun("ReferenceError.prototype.constructor = void 0;");
  CompileRun("asdf;");
+  CompileRun("ReferenceError.prototype.__proto__ = new Object();");
+  CompileRun("asdf;");
+  CompileRun("ReferenceError.prototype = new Object();");
+  CompileRun("asdf;");
  v8::Handle<Value> string = CompileRun("try { asdf; } catch(e) { e + ''; }");
  CHECK(string->Equals(v8_str("Whoops")));
  v8::V8::RemoveMessageListeners(check_message);