Title: [225443] trunk
Revision
225443
Author
[email protected]
Date
2017-12-01 21:44:04 -0800 (Fri, 01 Dec 2017)

Log Message

JavaScriptCore: missing exception checks in Math functions that take more than one argument
https://bugs.webkit.org/show_bug.cgi?id=180297
<rdar://problem/35745556>

Reviewed by Mark Lam.

JSTests:

* stress/math-exceptions.js: Added.
(get try):
(catch):

Source/JavaScriptCore:

* runtime/MathObject.cpp:
(JSC::mathProtoFuncATan2):
(JSC::mathProtoFuncMax):
(JSC::mathProtoFuncMin):
(JSC::mathProtoFuncPow):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (225442 => 225443)


--- trunk/JSTests/ChangeLog	2017-12-02 05:39:30 UTC (rev 225442)
+++ trunk/JSTests/ChangeLog	2017-12-02 05:44:04 UTC (rev 225443)
@@ -1,5 +1,17 @@
 2017-12-01  JF Bastien  <[email protected]>
 
+        _javascript_Core: missing exception checks in Math functions that take more than one argument
+        https://bugs.webkit.org/show_bug.cgi?id=180297
+        <rdar://problem/35745556>
+
+        Reviewed by Mark Lam.
+
+        * stress/math-exceptions.js: Added.
+        (get try):
+        (catch):
+
+2017-12-01  JF Bastien  <[email protected]>
+
         _javascript_Core: add test for weird class static getters
         https://bugs.webkit.org/show_bug.cgi?id=180281
         <rdar://problem/35592139>

Added: trunk/JSTests/stress/math-exceptions.js (0 => 225443)


--- trunk/JSTests/stress/math-exceptions.js	                        (rev 0)
+++ trunk/JSTests/stress/math-exceptions.js	2017-12-02 05:44:04 UTC (rev 225443)
@@ -0,0 +1,47 @@
+const foo = new Proxy({}, {
+    get() { throw 0xc0defefe; }
+});
+
+const bar = new Proxy({}, {
+    get() { throw 0xdeadbeef; }
+});
+
+const check = value => {
+    if (value !== 0xc0defefe)
+        throw new Error(`bad ${value}!`);
+}
+
+try { Math.acos(foo, bar); } catch (e) { check(e); }
+try { Math.acosh(foo, bar); } catch (e) { check(e); }
+try { Math.asin(foo, bar); } catch (e) { check(e); }
+try { Math.asinh(foo, bar); } catch (e) { check(e); }
+try { Math.atan(foo, bar); } catch (e) { check(e); }
+try { Math.atanh(foo, bar); } catch (e) { check(e); }
+try { Math.atan2(foo, bar); } catch (e) { check(e); }
+try { Math.cbrt(foo, bar); } catch (e) { check(e); }
+try { Math.ceil(foo, bar); } catch (e) { check(e); }
+try { Math.clz32(foo, bar); } catch (e) { check(e); }
+try { Math.cos(foo, bar); } catch (e) { check(e); }
+try { Math.cosh(foo, bar); } catch (e) { check(e); }
+try { Math.exp(foo, bar); } catch (e) { check(e); }
+try { Math.expm1(foo, bar); } catch (e) { check(e); }
+try { Math.floor(foo, bar); } catch (e) { check(e); }
+try { Math.fround(foo, bar); } catch (e) { check(e); }
+try { Math.hypot(foo, bar); } catch (e) { check(e); }
+try { Math.imul(foo, bar); } catch (e) { check(e); }
+try { Math.log(foo, bar); } catch (e) { check(e); }
+try { Math.log1p(foo, bar); } catch (e) { check(e); }
+try { Math.log10(foo, bar); } catch (e) { check(e); }
+try { Math.log2(foo, bar); } catch (e) { check(e); }
+try { Math.max(foo, bar); } catch (e) { check(e); }
+try { Math.min(foo, bar); } catch (e) { check(e); }
+try { Math.pow(foo, bar); } catch (e) { check(e); }
+Math.random(foo, bar);
+try { Math.round(foo, bar); } catch (e) { check(e); }
+try { Math.sign(foo, bar); } catch (e) { check(e); }
+try { Math.sin(foo, bar); } catch (e) { check(e); }
+try { Math.sinh(foo, bar); } catch (e) { check(e); }
+try { Math.sqrt(foo, bar); } catch (e) { check(e); }
+try { Math.tan(foo, bar); } catch (e) { check(e); }
+try { Math.tanh(foo, bar); } catch (e) { check(e); }
+try { Math.trunc(foo, bar); } catch (e) { check(e); }
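Review bot: Every `try { Math.x(foo, bar); } catch (e) { check(e); }` line passes silently if the call throws nothing at all, because `check` only runs inside the `catch`. Putting a sentinel throw after the call, e.g. `try { Math.atan2(foo, bar); throw new Error("no exception"); } catch (e) { check(e); }`, makes a swallowed exception fail through `check` as well. The throwing Proxy is also always the first argument, so the checks added after the second `toNumber` in atan2/pow and on later iterations of the max/min loops are not exercised; a case such as `Math.max(0, foo)` would cover them.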

Modified: trunk/Source/_javascript_Core/ChangeLog (225442 => 225443)


--- trunk/Source/_javascript_Core/ChangeLog	2017-12-02 05:39:30 UTC (rev 225442)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-12-02 05:44:04 UTC (rev 225443)
@@ -1,3 +1,17 @@
+2017-12-01  JF Bastien  <[email protected]>
+
+        _javascript_Core: missing exception checks in Math functions that take more than one argument
+        https://bugs.webkit.org/show_bug.cgi?id=180297
+        <rdar://problem/35745556>
+
+        Reviewed by Mark Lam.
+
+        * runtime/MathObject.cpp:
+        (JSC::mathProtoFuncATan2):
+        (JSC::mathProtoFuncMax):
+        (JSC::mathProtoFuncMin):
+        (JSC::mathProtoFuncPow):
+
 2017-12-01  Mark Lam  <[email protected]>
 
         Let's scramble ClassInfo pointers in cells.

Modified: trunk/Source/_javascript_Core/runtime/MathObject.cpp (225442 => 225443)


--- trunk/Source/_javascript_Core/runtime/MathObject.cpp	2017-12-02 05:39:30 UTC (rev 225442)
+++ trunk/Source/_javascript_Core/runtime/MathObject.cpp	2017-12-02 05:44:04 UTC (rev 225443)
@@ -149,8 +149,12 @@
 
 EncodedJSValue JSC_HOST_CALL mathProtoFuncATan2(ExecState* exec)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     double arg0 = exec->argument(0).toNumber(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     double arg1 = exec->argument(1).toNumber(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     return JSValue::encode(jsDoubleNumber(atan2(arg0, arg1)));
 }
 
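Review bot: The new `RETURN_IF_EXCEPTION` checks would benefit from a short comment saying why each one has to sit directly after its `toNumber` call, here in mathProtoFuncATan2 and likewise in the mathProtoFuncMax, mathProtoFuncMin and mathProtoFuncPow hunks. As the Proxy `get` traps in the added stress test show, converting an object argument can run script and throw, and without the early return the next conversion would run further script while that exception is still pending. Something like `// toNumber() can call into script and throw; stop before converting the next argument.` above the first check in each function would keep a later refactor from hoisting or dropping the checks. The Max and Min bodies continue past their hunks, and Pow's signature lies outside its hunk.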
@@ -220,10 +224,13 @@
 
 EncodedJSValue JSC_HOST_CALL mathProtoFuncMax(ExecState* exec)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     unsigned argsCount = exec->argumentCount();
     double result = -std::numeric_limits<double>::infinity();
     for (unsigned k = 0; k < argsCount; ++k) {
         double val = exec->uncheckedArgument(k).toNumber(exec);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
         if (std::isnan(val)) {
             result = PNaN;
         } else if (val > result || (!val && !result && !std::signbit(val)))
@@ -234,10 +241,13 @@
 
 EncodedJSValue JSC_HOST_CALL mathProtoFuncMin(ExecState* exec)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     unsigned argsCount = exec->argumentCount();
     double result = +std::numeric_limits<double>::infinity();
     for (unsigned k = 0; k < argsCount; ++k) {
         double val = exec->uncheckedArgument(k).toNumber(exec);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
         if (std::isnan(val)) {
             result = PNaN;
         } else if (val < result || (!val && !result && std::signbit(val)))
@@ -250,8 +260,13 @@
 {
     // ECMA 15.8.2.1.13
 
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     double arg = exec->argument(0).toNumber(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     double arg2 = exec->argument(1).toNumber(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
     return JSValue::encode(JSValue(operationMathPow(arg, arg2)));
 }