]> git.kaiwu.me - njs.git/commitdiff
Fixed njs_vmcode_property_init().
authorDmitry Volyntsev <xeioex@nginx.com>
Mon, 12 Aug 2019 11:54:46 +0000 (14:54 +0300)
committerDmitry Volyntsev <xeioex@nginx.com>
Mon, 12 Aug 2019 11:54:46 +0000 (14:54 +0300)
Function assumed obj->__proto__ is never NULL, whereas it can become
NULL after __proto__: null assignment.

src/njs_vmcode.c
src/test/njs_unit_test.c

index a5f16d85281ad42a578492e1cf2c4f4681dd7194..fc07ebf2704e46e2733ae3677d8394e85cafc592 100644 (file)
@@ -1136,18 +1136,21 @@ njs_vmcode_property_init(njs_vm_t *vm, njs_value_t *value, njs_value_t *key,
 
         obj = njs_object(value);
 
-        ret = njs_lvlhsh_find(&obj->__proto__->shared_hash, &lhq);
-        if (ret == NJS_OK) {
-            prop = lhq.value;
+        if (obj->__proto__ != NULL) {
+            /* obj->__proto__ can be NULL after __proto__: null assignment */
+            ret = njs_lvlhsh_find(&obj->__proto__->shared_hash, &lhq);
+            if (ret == NJS_OK) {
+                prop = lhq.value;
 
-            if (prop->type == NJS_PROPERTY_HANDLER) {
-                ret = prop->value.data.u.prop_handler(vm, value, init,
-                                                      &vm->retval);
-                if (njs_slow_path(ret != NJS_OK)) {
-                    return ret;
-                }
+                if (prop->type == NJS_PROPERTY_HANDLER) {
+                    ret = prop->value.data.u.prop_handler(vm, value, init,
+                                                          &vm->retval);
+                    if (njs_slow_path(ret != NJS_OK)) {
+                        return ret;
+                    }
 
-                break;
+                    break;
+                }
             }
         }
 
index f29a8b0ead15b1c6f08c9db7a1b3558f1922fb79..2eb02eadd785b26e816d586031775a8899d694ed 100644 (file)
@@ -8776,6 +8776,12 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("({}).__proto__ = null"),
       njs_str("null") },
 
+    { njs_str("({__proto__:null}).__proto__"),
+      njs_str("undefined") },
+
+    { njs_str("({__proto__:null, a:1}).a"),
+      njs_str("1") },
+
     { njs_str("({__proto__: []}) instanceof Array"),
       njs_str("true") },