Bug 704748: Save original object in stack slot for returning after constructor.

The object in the 'this' slot may be overwritten if the constructor converts it to a primitive value. Save the original object in an explicit stack slot to keep it safe for returning afterwards.
2026-02-05 17:29:43 +08:00 · 2021-12-06 15:54:04 +01:00
parent eed8a67a49
commit 78e56b7854
1 changed files with 6 additions and 1 deletions
--- a/jsrun.c
+++ b/jsrun.c
@@ -1195,13 +1195,18 @@ void js_construct(js_State *J, int n)
 	if (n > 0)
 		js_rot(J, n + 1);

+	/* and save a copy to return */
+	js_pushobject(J, newobj);
+	js_rot(J, n + 3);
+
 	/* call the function */
 	js_call(J, n);

 	/* if result is not an object, return the original object we created */
 	if (!js_isobject(J, -1)) {
 		js_pop(J, 1);
-		js_pushobject(J, newobj);
+	} else {
+		js_rot2pop1(J);
 	}
 }