Fixed attaching of a stack to an error object.

This problem is similar to previous commits.  When
njs_error_stack_attach() accepted the value as a pointer to vm->retval
that value might be changed as a side effert of njs_error_stack_new()
evaluation.  This may result in a garbage value for
njs_object(value) expression.

The workaround fix is to make a copy of vm->retval to ensure its
intergrity and to preserve it as a retval. The proper fix is to
eliminate vm->retval altogether.

This fixes #612, #613, #616 issues on Github.

diff --git a/src/njs_vmcode.c b/src/njs_vmcode.c
index 9181adb209182902ea74a47a9c821b2b5ec32d41..31a261c8786f3ddc551483012a72244c5109a519 100644 (file)
--- a/src/njs_vmcode.c
+++ b/src/njs_vmcode.c
@@ -1824,7 +1824,12 @@ error:
 
     if (njs_is_error(&vm->retval)) {
         vm->active_frame->native.pc = pc;
-        (void) njs_error_stack_attach(vm, &vm->retval);
+
+        /* TODO: get rid of copying. */
+
+        njs_value_assign(&dst, &vm->retval);
+        (void) njs_error_stack_attach(vm, &dst);
+        njs_value_assign(&vm->retval, &dst);
     }
 
     for ( ;; ) {

diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index 46a0ea8893ee79efc970fc409e39d8ff534792f1..beb2cea668146aab50ad531e27aaf17d4032f00e 100644 (file)
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -23122,6 +23122,12 @@ static njs_unit_test_t  njs_backtraces_test[] =
     { njs_str("function f(n) { if (n == 0) { throw 'a'; } return f(n-1); }; f(2)"),
       njs_str("a") },
 
+    { njs_str("Object.defineProperty(Function.__proto__, 'name', {get() { typeof 1;}});"
+              "(new Uint8Array()).every()"),
+      njs_str("TypeError: callback argument is not callable\n"
+              "    at TypedArray.prototype.every (native)\n"
+              "    at main (:1)\n") },
+
     /* line numbers */
 
     { njs_str("/**/(function(){throw Error();})()"),