| Summary: | various math operations don't properly check for an exception after calling toNumber() on the lhs | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Saam Barati <saam> | ||||
| Component: | JavaScriptCore | Assignee: | Saam Barati <saam> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | benjamin, commit-queue, fpizlo, ggaren, gskachkov, keith_miller, mark.lam, msaboff, oliver, sukolsak, ticaiolima, ysuzuki | ||||
| Priority: | P2 | ||||||
| Version: | WebKit Local Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
|
Description
Saam Barati
2016-07-24 20:39:05 PDT
Created attachment 285460 [details]
patch
Comment on attachment 285460 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=285460&action=review r=me. > Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:441 > RETURN_WITH_PROFILING(result, { Is it acceptable to update the ArithProfile here based on a wrong result if right.toNumber() throws? > Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:456 > RETURN_WITH_PROFILING(result, { Ditto. Comment on attachment 285460 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=285460&action=review >> Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:441 >> RETURN_WITH_PROFILING(result, { > > Is it acceptable to update the ArithProfile here based on a wrong result if right.toNumber() throws? It is always OK to update it. However, this code isn't actually doing that. RETURN_WITH_PROFILING always does CHECK_EXCEPTION before updating the profile. Comment on attachment 285460 [details]
patch
Thanks for the review
Comment on attachment 285460 [details] patch Clearing flags on attachment: 285460 Committed r204206: <http://trac.webkit.org/changeset/204206> All reviewed patches have been landed. Closing bug. |