Bug 1282332 - Refuse to parse display names with unquoted, non-numeric, property names; r=jorendorff, a=lizzard
authorMorgan Phillips <winter2718@gmail.com>
Mon, 27 Jun 2016 03:29:08 +0100
changeset 339912 b27163b500de7b81f75bcb1116e25b55ba577524
parent 339911 dbd97076d10694525fd68868ea18d643775014f0
child 339913 872545dddeb14f79143049bfce8ff74142721381
push id6249
push userjlund@mozilla.com
push dateMon, 01 Aug 2016 13:59:36 +0000
reviewersjorendorff, lizzard
bugs1282332
milestone49.0a2
Bug 1282332 - Refuse to parse display names with unquoted, non-numeric, property names; r=jorendorff, a=lizzard
js/src/jsfun.cpp
js/src/tests/ecma_6/Function/name.js
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -1601,23 +1601,27 @@ FunctionNameFromDisplayName(JSContext* c
                     return UnescapeSubstr(text, start, end - start, buf);
                 }
             }
 
             // We should never fail to find the beginning of a square bracket.
             MOZ_ASSERT(0);
             break;
         } else if (text[index] == (TextChar)']') {
-            // Here we're dealing with an unquoted numeric value so we can
-            // just skip to the closing bracket to save some work.
+            // Here we expect an unquoted numeric value. If that's the case
+            // we can just skip to the closing bracket to save some work.
             for (size_t j = 0; j < index; j++) {
-                if (text[(index - j) - 1] == (TextChar)'[') {
+                TextChar numeral = text[(index - j) - 1];
+                if (numeral == (TextChar)'[') {
                     start = index - j;
                     end = index;
                     break;
+                } else if (numeral > (TextChar)'9' || numeral < (TextChar)'0') {
+                    // Fail on anything that isn't a numeral (Bug 1282332).
+                    return false;
                 }
             }
             break;
         }
     }
 
     for (size_t i = start; i < end; i++) {
         if (!buf.append(text[i]))
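Review bot: The backward scan in the `]` branch can still run to the start of `text` without finding `[` when every preceding character is a numeral, and in that case the loop simply ends and control reaches `break` with `start` and `end` left at whatever they were initialised to (not visible in this hunk). The quoted branch above guards the same situation with `MOZ_ASSERT(0)`, so the unquoted branch should be at least as strict: record that the bracket was found at the inner `break` and `return false` after the loop when it was not, instead of copying a range that was never validated. It would also help to extend the new comment with something like `// Returning false here means "no usable name", not OOM`, since the `buf.append` failure path below presumably returns false as well and the caller (outside this hunk) cannot tell the two apart. The function body starts and ends outside the hunk.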
--- a/js/src/tests/ecma_6/Function/name.js
+++ b/js/src/tests/ecma_6/Function/name.js
@@ -70,9 +70,28 @@ assertEq(obj["'"].name, "'");
 assertEq(({a: () => 1}).a.name, "a");
 assertEq(({"[abba]": {3: () => 1 }})["[abba]"][3].name, "3");
 assertEq(({"[abba]": () => 1})["[abba]"].name, "[abba]");
 
 // The method retains its name when assigned.
 let zip = obj.wubba;
 assertEq(zip.name, "wubba");
 
+// (Bug 1282332) Accessed as a property based on a function name
+// This creates a tricky display name of the form: x[y[0]].
+let idaho = {0: () => 1};
+
+let planetz = {};
+planetz[idaho[0]] = () => 1;
+assertEq(planetz[idaho[0]].name, "");
+
+let moya = {};
+moya[planetz[idaho[0]]] =  () => 1;
+assertEq(moya[planetz[idaho[0]]].name, "");
+
+
+// Bound function names
+function bound() {};
+assertEq(bound.name, "bound");
+assertEq(bound.bind(Object).name, "bound bound");
+assertEq((function(){}).bind(function(){}).name, "bound ");
+
 reportCompare(0, 0, 'ok');
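Review bot: The new regression cases only exercise the nested form `x[y[0]]`, so the plainest input named in the commit title, a single unquoted non-numeric key, has no test. A case such as `let key = "k"; let o = {}; o[key] = () => 1; assertEq(o[key].name, "");` would pin that path directly (the expected `""` is inferred from the two assertions above and should be confirmed). A mixed key such as digits followed by a letter would also check that the scan rejects on the first non-numeral rather than only on a nested bracket. The "Bound function names" assertions look unrelated to Bug 1282332; a short comment saying why they are added here would make the test easier to maintain.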