Bug 15878 - JavaScriptCore calls toNumber w/o checking for an exception
Summary: JavaScriptCore calls toNumber w/o checking for an exception
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Macintosh OS X 10.4
: P2 Normal
Assignee: Nobody
Depends on:
Reported: 2007-11-06 23:34 PST by Eric Seidel (no email)
Modified: 2008-06-28 03:52 PDT (History)

Description Eric Seidel (no email) 2007-11-06 23:34:58 PST
JavaScriptCore calls toNumber w/o checking for an exception

toNumber calls toPrimitive, which calls .toString or .valueOf, both of which could be overridden to throw (or have other side effects).

For example the following code should only show one alert, but I'm guessing (by code inspection) it shows 2 in webkit:

var myObject = new Object;
// valueOf is reached through toPrimitive when the object is converted to a number
myObject.__proto__ = { valueOf: function() { alert("foo"); throw "foobar"; } };

// the first valueOf call throws, so the second operand must never be converted
var bar = myObject + myObject;

alert("Not reached.");

(assuming I got my js right above...)  I've not tested other browsers, so this is really a speculative bug.
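The behaviour the report describes, as an added regression-style check that is not part of the bug report or of WebKit's own test suite: a throwing valueOf must abort the operator exactly once, with no conversion of the second operand and no execution of the following statement. It goes beyond the report by also exercising `*` (the MultNode case mentioned in the comments), `-` and `<`, which all go through the same toNumber/toPrimitive path; the function names and the call log are assumptions of this example.

```javascript
// Build an object whose valueOf records each call into `log` and then throws,
// mirroring the object in the bug report (counter instead of alert).
function makeThrowingOperand(log) {
  var obj = new Object;
  obj.__proto__ = {
    valueOf: function () { log.push("valueOf"); throw "foobar"; }
  };
  return obj;
}

// Evaluate `op` on two throwing operands and report what happened.
// Returns { calls: number of valueOf invocations, error: caught value,
//           reached: whether execution continued past the operator }.
function probe(op) {
  var log = [];
  var a = makeThrowingOperand(log);
  var b = makeThrowingOperand(log);
  var reached = false, error = null;
  try {
    op(a, b);
    reached = true;   // only happens if the engine swallowed the exception
  } catch (e) {
    error = e;
  }
  return { calls: log.length, error: error, reached: reached };
}

// Operators that convert both operands via toNumber/toPrimitive.
var operators = {
  add: function (a, b) { return a + b; },
  mul: function (a, b) { return a * b; },
  sub: function (a, b) { return a - b; },
  lt:  function (a, b) { return a < b; }
};

// Correct engine behaviour for every operator: exactly one valueOf call,
// the thrown string propagated to the caller, and nothing after it reached.
function checkAll() {
  var results = {};
  for (var name in operators) {
    var r = probe(operators[name]);
    results[name] = (r.calls === 1 && r.error === "foobar" && !r.reached);
  }
  return results;
}
```

Any operator whose entry in checkAll() comes back false is one where the engine kept evaluating after the exception, which is the bug this report is about.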
Comment 1 Eric Seidel (no email) 2007-11-07 00:11:02 PST
Ha!  Funny, right after I filed this, I wrote up bug 15879 which actually fixes this issue partially (at least for MultNode). :)
Comment 2 Eric Seidel (no email) 2007-11-08 00:22:58 PST
A bunch of this just got fixed when bug 15879 landed as r27589.  I'm certain there are still examples of this which can be seen using some js.
Comment 3 Oliver Hunt 2008-06-28 03:52:13 PDT
I am aware of no cases where we don't do this correctly (and I made some fairly large and chunky tests for these types of things for squirrelfish)