From 41837f548df6f6cde6b798cf1421b2d2d1cabcfc Mon Sep 17 00:00:00 2001
From: Linus Groh <mail@linusgroh.de>
Date: Wed, 4 Nov 2020 09:48:48 +0000
Subject: LibJS: Don't create "valid" PropertyName from null string

When value.to_string() throws an exception it returns a null string in
which case we must not construct a valid PropertyName.

Also ASSERT in PropertyName(String) and PropertyName(FlyString) to
prevent this from happening in the future.

Fixes #3941.
---
 Libraries/LibJS/Runtime/PropertyName.h            |  8 +++++++-
 Libraries/LibJS/Tests/computed-property-throws.js | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

(limited to 'Libraries')

diff --git a/Libraries/LibJS/Runtime/PropertyName.h b/Libraries/LibJS/Runtime/PropertyName.h
index ab31b0fa4c..bbd6a0c640 100644
--- a/Libraries/LibJS/Runtime/PropertyName.h
+++ b/Libraries/LibJS/Runtime/PropertyName.h
@@ -48,7 +48,10 @@ public:
             return &value.as_symbol();
         if (value.is_integer() && value.as_i32() >= 0)
             return value.as_i32();
-        return value.to_string(global_object);
+        auto string = value.to_string(global_object);
+        if (string.is_null())
+            return {};
+        return string;
     }
 
     PropertyName() { }
@@ -70,18 +73,21 @@ public:
         : m_type(Type::String)
         , m_string(FlyString(string))
     {
+        ASSERT(!string.is_null());
     }
 
     PropertyName(const FlyString& string)
         : m_type(Type::String)
         , m_string(string)
     {
+        ASSERT(!string.is_null());
     }
 
     PropertyName(Symbol* symbol)
         : m_type(Type::Symbol)
         , m_symbol(symbol)
     {
+        ASSERT(symbol);
     }
 
     PropertyName(const StringOrSymbol& string_or_symbol)
diff --git a/Libraries/LibJS/Tests/computed-property-throws.js b/Libraries/LibJS/Tests/computed-property-throws.js
index 9c999c50e7..2f8e35eb63 100644
--- a/Libraries/LibJS/Tests/computed-property-throws.js
+++ b/Libraries/LibJS/Tests/computed-property-throws.js
@@ -6,3 +6,14 @@ test("Issue #3459, exception in computed property expression", () => {
         "foo"[bar]();
     }).toThrow(ReferenceError);
 });
+
+test("Issue #3941, exception in computed property's toString()", () => {
+    expect(() => {
+        const o = {
+            toString() {
+                throw Error();
+            },
+        };
+        "foo"[o];
+    }).toThrow(Error);
+});
-- 
cgit v1.2.3