RESOLVED FIXED 15878
JavaScriptCore calls toNumber w/o checking for an exception
https://bugs.webkit.org/show_bug.cgi?id=15878
Eric Seidel (no email)
Reported 2007-11-06 23:34:58 PST
JavaScriptCore calls toNumber w/o checking for an exception

toNumber calls toPrimitive, which calls .toString or .valueOf, both of which could be overridden to throw (or have other side effects). For example the following code should only show one alert, but I'm guessing (by code inspection) it shows 2 in webkit:

    var myObject = new Object;
    myObject.__proto__ = { valueOf: function() { alert("foo"); throw "foobar"; } };
    var bar = myObject + myObject;
    alert("Not reached.");

(assuming I got my js right above...) I've not tested other browsers, so this is really a speculative bug.
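The check described in the report above, written as an added example (not code from the original report or from WebKit's test suite). It generalizes from `+` to other binary operators that coerce both operands, uses two distinct operands and a call log in place of `alert`, and the names `makeThrowingOperand`, `checkOperators` and `failingOperators` are hypothetical:

```javascript
// Each operand's valueOf records a call and then throws. A conforming engine
// stops at the first throw, so only the left operand is ever converted.
function makeThrowingOperand(log, name) {
  const operand = {};
  // Same shape as the report: valueOf lives on the prototype and throws.
  Object.setPrototypeOf(operand, {
    valueOf() {
      log.push(name);
      throw new Error("valueOf threw for " + name);
    },
  });
  return operand;
}

// Binary operators that coerce both operands via ToPrimitive/ToNumber.
const OPERATORS = {
  "+": (a, b) => a + b,
  "-": (a, b) => a - b,
  "*": (a, b) => a * b,
  "/": (a, b) => a / b,
  "%": (a, b) => a % b,
  "<": (a, b) => a < b,
  "&": (a, b) => a & b,
  "<<": (a, b) => a << b,
};

// For each operator: which conversions ran, and did the exception propagate?
function checkOperators() {
  const results = {};
  for (const [symbol, apply] of Object.entries(OPERATORS)) {
    const log = [];
    let threw = false;
    try {
      apply(makeThrowingOperand(log, "left"), makeThrowingOperand(log, "right"));
    } catch (e) {
      threw = true;
    }
    const ok = threw && log.length === 1 && log[0] === "left";
    results[symbol] = { calls: log, threw, ok };
  }
  return results;
}

// Operators whose evaluation kept going after the first conversion threw.
function failingOperators() {
  return Object.entries(checkOperators()).filter(([, r]) => !r.ok).map(([s]) => s);
}

console.log(checkOperators());
```

An engine with the defect described in this bug would list the affected operators in `failingOperators()`, with `calls` showing both `"left"` and `"right"`.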
Eric Seidel (no email)
Comment 1 2007-11-07 00:11:02 PST
Ha! Funny, right after I filed this, I wrote up bug 15879 which actually fixes this issue partially (at least for MultNode. :)
Eric Seidel (no email)
Comment 2 2007-11-08 00:22:58 PST
A bunch of this just got fixed when bug 15879 landed as r27589. I'm certain there are still examples of this which can be seen using some js.
Oliver Hunt
Comment 3 2008-06-28 03:52:13 PDT
I am aware of no cases where we don't do this correctly (and I made some fairly large and chunky tests for these types of things for squirrelfish).