Title: [282081] trunk
Revision: 282081
Author: [email protected]
Date: 2021-09-07 06:52:05 -0700 (Tue, 07 Sep 2021)

Log Message

Math.hypot checks for infinite values prematurely
https://bugs.webkit.org/show_bug.cgi?id=229843

Reviewed by Ross Kirsling.

JSTests:

* stress/math-hypot-evaluation-ordering.js: Added.
(shouldThrow):

Source/JavaScriptCore:

According to the spec[1], we should throw an error about non finite argument after coercing all arguments to doubles.

[1]: https://tc39.es/ecma262/#sec-math.hypot

* runtime/MathObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Diff

Modified: trunk/JSTests/ChangeLog (282080 => 282081)


--- trunk/JSTests/ChangeLog	2021-09-07 12:00:47 UTC (rev 282080)
+++ trunk/JSTests/ChangeLog	2021-09-07 13:52:05 UTC (rev 282081)
@@ -1,3 +1,13 @@
+2021-09-07  Yusuke Suzuki  <[email protected]>
+
+        Math.hypot checks for infinite values prematurely
+        https://bugs.webkit.org/show_bug.cgi?id=229843
+
+        Reviewed by Ross Kirsling.
+
+        * stress/math-hypot-evaluation-ordering.js: Added.
+        (shouldThrow):
+
 2021-09-03  Yusuke Suzuki  <[email protected]>
 
         [JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise

Added: trunk/JSTests/stress/math-hypot-evaluation-ordering.js (0 => 282081)


--- trunk/JSTests/stress/math-hypot-evaluation-ordering.js	                        (rev 0)
+++ trunk/JSTests/stress/math-hypot-evaluation-ordering.js	2021-09-07 13:52:05 UTC (rev 282081)
@@ -0,0 +1,18 @@
+function shouldThrow(func, errorMessage) {
+    var errorThrown = false;
+    var error = null;
+    try {
+        func();
+    } catch (e) {
+        errorThrown = true;
+        error = e;
+    }
+    if (!errorThrown)
+        throw new Error('not thrown');
+    if (String(error) !== errorMessage)
+        throw new Error(`bad error: ${String(error)}`);
+}
+
+shouldThrow(() => {
+    Math.hypot({valueOf(){ return Infinity }}, {valueOf(){ throw new Error("arguments[1]") }})
+}, `Error: arguments[1]`);
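
Review bot: the single `shouldThrow` case at the end of this file only covers `Infinity` in the first position followed by one throwing argument, so it would miss a regression where the early return happens for a later infinite argument or for `-Infinity`. Consider adding a case with three arguments where the infinite value is in the middle and the last `valueOf` throws, plus a non-throwing case that records the order of `valueOf` calls and checks that every argument was coerced once before `Infinity` is returned. Style: the `Math.hypot(...)` call inside the arrow function is missing its trailing semicolon.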

Modified: trunk/Source/JavaScriptCore/ChangeLog (282080 => 282081)


--- trunk/Source/_javascript_Core/ChangeLog	2021-09-07 12:00:47 UTC (rev 282080)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-07 13:52:05 UTC (rev 282081)
@@ -1,3 +1,17 @@
+2021-09-07  Yusuke Suzuki  <[email protected]>
+
+        Math.hypot checks for infinite values prematurely
+        https://bugs.webkit.org/show_bug.cgi?id=229843
+
+        Reviewed by Ross Kirsling.
+
+        According to the spec[1], we should throw an error about non finite argument after coercing all arguments to doubles.
+
+        [1]: https://tc39.es/ecma262/#sec-math.hypot
+
+        * runtime/MathObject.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+
 2021-09-07  Adrian Perez de Castro  <[email protected]>
 
         Non-unified build fixes, early September 2021 edition

Modified: trunk/Source/JavaScriptCore/runtime/MathObject.cpp (282080 => 282081)


--- trunk/Source/_javascript_Core/runtime/MathObject.cpp	2021-09-07 12:00:47 UTC (rev 282080)
+++ trunk/Source/_javascript_Core/runtime/MathObject.cpp	2021-09-07 13:52:05 UTC (rev 282081)
@@ -188,19 +188,26 @@
 {
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
+
     unsigned argsCount = callFrame->argumentCount();
-    double max = 0;
     Vector<double, 8> args;
     args.reserveInitialCapacity(argsCount);
     for (unsigned i = 0; i < argsCount; ++i) {
-        args.uncheckedAppend(callFrame->uncheckedArgument(i).toNumber(globalObject));
-        RETURN_IF_EXCEPTION(scope, encodedJSValue());
-        if (std::isinf(args[i]))
+        double argument = callFrame->uncheckedArgument(i).toNumber(globalObject);
+        RETURN_IF_EXCEPTION(scope, { });
+        args.uncheckedAppend(argument);
+    }
+
+    double max = 0;
+    for (double argument : args) {
+        if (std::isinf(argument))
             return JSValue::encode(jsDoubleNumber(+std::numeric_limits<double>::infinity()));
-        max = std::max(fabs(args[i]), max);
+        max = std::max(fabs(argument), max);
     }
+
     if (!max)
         max = 1;
+
     // Kahan summation algorithm significantly reduces the numerical error in the total obtained.
     double sum = 0;
     double compensation = 0;
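
Review bot: the new second loop (`for (double argument : args)`) carries no comment explaining why the infinity check was moved out of the coercion loop, so a later cleanup could merge the two loops again and bring back the early return. A one-line comment above it, noting that `toNumber` can run user code and that all arguments must be coerced before the infinity check as the spec requires, would guard against that. Minor style point in the same loop: `fabs` is unqualified while `std::isinf` and `std::max` are qualified, so `std::fabs` would be consistent.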