[Webkit-unassigned] [Bug 15878] New: JavaScriptCore calls toNumber w/o checking for an exception

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 6 23:34:58 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=15878

           Summary: JavaScriptCore calls toNumber w/o checking for an
                    exception
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: eric at webkit.org


JavaScriptCore calls toNumber w/o checking for an exception

toNumber calls toPrimitive, which calls .toString or .valueOf, both of which
could be overridden to throw (or have other side effects).

For example the following code should only show one alert, but I'm guessing (by
code inspection) it shows 2 in webkit:

var myObject = new Object;
myObject.__proto__ = { valueOf: function() { alert("foo"); throw "foobar"; } }

var bar = myObject + myObject;

alert("Not reached.");

(assuming I got my js right above...)  I've not tested other browsers, so this
is really a speculative bug.


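An added example, not part of the original report and not WebKit code: a regression check for the behaviour the report describes, generalised from "+" to other binary operators that convert their operands. The helper names (makeOperand, probe, failingOperators) are hypothetical, and a log array stands in for alert() so the check runs outside a browser.

```javascript
// Each operand logs when its valueOf runs; the left one throws.
function makeOperand(name, log, shouldThrow) {
  return {
    valueOf() {
      log.push(name);
      if (shouldThrow) throw new Error("thrown by " + name);
      return 1;
    },
  };
}

// Binary operators that convert the left operand before the right one.
const OPERATORS = {
  "+": (a, b) => a + b, "-": (a, b) => a - b, "*": (a, b) => a * b,
  "/": (a, b) => a / b, "%": (a, b) => a % b, "<": (a, b) => a < b,
  ">": (a, b) => a > b, "&": (a, b) => a & b, "<<": (a, b) => a << b,
};

// Runs one operator with a throwing left operand and returns the event log.
// sameObject = true reproduces the report's "myObject + myObject" case.
function probe(op, sameObject = false) {
  const log = [];
  const left = makeOperand("left", log, true);
  const right = sameObject ? left : makeOperand("right", log, false);
  try {
    OPERATORS[op](left, right);
    log.push("not reached");
  } catch (e) {
    log.push("caught");
  }
  return log.join(",");
}

// An engine that checks for the exception after the first conversion
// logs exactly one valueOf call, then the catch, for every operator.
function failingOperators() {
  return Object.keys(OPERATORS).filter((op) => probe(op) !== "left,caught");
}

console.log("report's case:", probe("+", true));
console.log("non-conforming operators:", failingOperators());
```

An operator listed by failingOperators() either ran the second conversion after the first one threw or did not propagate the exception.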