RESOLVED FIXED 6322
DateProtoFuncImp::callAsFunction can crash due to lack of type checking 
https://bugs.webkit.org/show_bug.cgi?id=6322
Summary DateProtoFuncImp::callAsFunction can crash due to lack of type checking
Maks Orlovich
Reported 2006-01-01 09:13:40 PST
DateProtoFuncImp::callAsFunction will call internalValue->toNumber on most inputs, w/o checking the type. This can a) crash (see below) b) seems wrong since I do not see it in the spec that most methods of Date.prototype should be generic. Sample testcase: Math.__proto__.crash = Date.prototype.getDate; Math.crash(); (spotted when trying to push internalValue further down into hierarchy)
Attachments
reduction (626 bytes, text/html)
2006-01-13 17:19 PST, Geoffrey Garen 		no flags
Details
Fix (4.19 KB, patch)
2006-01-13 17:51 PST, Geoffrey Garen 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alice Liu
Comment 1 2006-01-11 17:06:53 PST
<rdar://problem/4406070>
Geoffrey Garen
Comment 2 2006-01-13 17:19:13 PST
Created attachment 5650 [details] reduction Attached reduction.
Geoffrey Garen
Comment 3 2006-01-13 17:26:37 PST
15.9.5 Properties of the Date Prototype Object None of these functions are generic; a TypeError exception is thrown if the this value is not an object for which the value of the internal [[Class]] property is "Date".
Geoffrey Garen
Comment 4 2006-01-13 17:51:50 PST
Created attachment 5651 [details] Fix Three cheers for the delete key. 0 regressions found. 0 tests fixed.
Darin Adler
Comment 5 2006-01-13 22:52:08 PST
Comment on attachment 5651 [details] Fix Would be nice to test all the methods instead of just getDate. r=me
Geoffrey Garen
Comment 6 2006-01-16 18:19:14 PST
Landed with tests for all methods but valueOf, which seems to confuse our test engine. Will file new bug about that.
Note You need to log in before you can comment on or make changes to this bug.