Bug 15878
| Summary: | JavaScriptCore calls toNumber w/o checking for an exception | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Eric Seidel (no email) <eric> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | ||
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Mac | ||
| OS: | OS X 10.4 | ||
Eric Seidel (no email)
JavaScriptCore calls toNumber w/o checking for an exception
toNumber calls toPrimative, which calls .toString or .valueOf, both of which could be overriden to throw (or have other side effects.
For example the following code should only show one alert, but I'm guessing (by code inspection) it shows 2 in webkit:
var myObject = new Object;
myObject.__proto__ = { valueOf: function() { alert("foo"); throw "foobar"; } }
var bar = myObject + myObject;
alert("Not reached.");
(assuming I got my js right above...) I've not tested other browsers, so this is really a speculative bug.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Eric Seidel (no email)
Ha! Funny, right after I filed this, I wrote up bug 15879 which actually fixes this issue partially (at least for MultNode. :)
Eric Seidel (no email)
A bunch of this just got fixed when bug 15879 landed as r27589. I'm certain there are still examples of this which can be seen using some js.
Oliver Hunt
I am aware of no cases where we don't do the correctly (and i made some fairly large and chunky tests for these types of things for squirrelfish)