ref: 78e56b78544106b4639189b4e967d77305ebc183
parent: eed8a67a496bedd388858b45dab2b7210bdedd6e
author: Tor Andersson <[email protected]>
date: Mon Dec 6 10:54:04 EST 2021
Bug 704748: Save original object in stack slot for returning after constructor. The object in the 'this' slot may be overwritten if the constructor converts it to a primitive value. Save the original object in an explicit stack slot to keep it safe for returning afterwards.
--- a/jsrun.c
+++ b/jsrun.c
@@ -1195,6 +1195,10 @@
if (n > 0)
js_rot(J, n + 1);
+ /* and save a copy to return */
+ js_pushobject(J, newobj);
+ js_rot(J, n + 3);
+
/* call the function */
js_call(J, n);
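Review bot: The offset in `js_rot(J, n + 3)` is the non-obvious part of the new code and the comment above it should state the stack layout it produces, e.g. `/* stack: [newobj, func, newobj (this), args...]; the copy sits below the call frame */` in place of `/* and save a copy to return */`. Counting from the hunk, after the first js_rot the stack holds func, newobj and the n arguments, so the second push and rotate move the copy beneath all n + 2 of them, which is exactly where the second hunk's `js_pop(J, 1)` / `js_rot2pop1(J)` expect it; a one-line comment there (`/* stack: [newobj, result] */`) would make that dependency explicit. Holding the copy in a stack slot rather than only in the C local presumably also keeps the object reachable to the collector across js_call, which seems to be the substance of the fix and is worth saying in the comment. The enclosing function starts before this hunk and its remainder is split across the second hunk.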
@@ -1201,7 +1205,8 @@
/* if result is not an object, return the original object we created */
if (!js_isobject(J, -1)) {
js_pop(J, 1);
- js_pushobject(J, newobj);
+ } else {
+ js_rot2pop1(J);
}
}