Fix free of NULL value in function ecma_typedarray_helper_dispatch_construct

Currently, ecma_op_get_prototype_from_constructor may return NULL
and the function didn't raise that exception.
Also optimize multiple assignment of prototype_obj_p and
multiple access of JERRY_CONTEXT (current_new_target) out.

This fixes jerryscript-project#4463

JerryScript-DCO-1.0-Signed-off-by: Yonggang Luo [email protected]

Author: lygstate

jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c

@@ -20,6 +20,7 @@
 #include "ecma-builtins.h"
 #include "ecma-gc.h"
 #include "ecma-objects.h"
+#include "ecma-exceptions.h"
 #include "ecma-typedarray-object.h"
 #include "ecma-function-object.h"
 #include "jcontext.h"
@@ -40,11 +41,24 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
 {
   JERRY_ASSERT (arguments_list_len == 0 || arguments_list_p != NULL);
   ecma_builtin_id_t proto_id = ecma_typedarray_helper_get_prototype_id (typedarray_id);
-  ecma_object_t *prototype_obj_p = ecma_builtin_get (proto_id);
+  ecma_object_t *current_new_target_p = JERRY_CONTEXT (current_new_target);
+  ecma_object_t *prototype_obj_p;
 
-  if (JERRY_CONTEXT (current_new_target))
+  if (current_new_target_p != NULL)
   {
-    prototype_obj_p = ecma_op_get_prototype_from_constructor (JERRY_CONTEXT (current_new_target), proto_id);
+    prototype_obj_p = ecma_op_get_prototype_from_constructor (current_new_target_p, proto_id);
+    if (prototype_obj_p == NULL)
+    {
+      if (jcontext_has_pending_exception ())
+      {
+        return ECMA_VALUE_ERROR;
+      }
+      return ecma_raise_type_error (ECMA_ERR_MSG ("TypedArray constructor should have prototype"));
+    }
+  }
+  else
+  {
+    prototype_obj_p = ecma_builtin_get (proto_id);
   }
 
   ecma_value_t val = ecma_op_create_typedarray (arguments_list_p,
@@ -53,7 +67,7 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p,
                                                 ecma_typedarray_helper_get_shift_size (typedarray_id),
                                                 typedarray_id);
 
-  if (JERRY_CONTEXT (current_new_target))
+  if (current_new_target_p != NULL)
   {
     ecma_deref_object (prototype_obj_p);
   }

tests/jerry/regression-test-issue-4463.js

@@ -0,0 +1,50 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+function Test262Error(message) {
+  this.message = message || "";
+}
+
+Test262Error.prototype.toString = function () {
+  return "Test262Error: " + this.message;
+};
+
+var newTarget = function () {}.bind(null);
+Object.defineProperty(newTarget, "prototype", {
+  get() {
+    throw new Test262Error();
+  },
+});
+
+var typedArrayConstructors = [
+  Float64Array,
+  Float32Array,
+  Int32Array,
+  Int16Array,
+  Int8Array,
+  Uint32Array,
+  Uint16Array,
+  Uint8Array,
+  Uint8ClampedArray,
+];
+
+for (var type of typedArrayConstructors) {
+  try {
+    Reflect.construct(Uint8ClampedArray, [], newTarget);
+  } catch (error) {
+    if (!(error instanceof Test262Error)) {
+      throw "error must be instanceof Test262Error";
+    }
+  }
+}