Context Navigation

← Previous Change
Next Change →

MathObject.cpp

Timestamp:

Dec 1, 2017, 9:44:04 PM (7 years ago)

Author:

Message:

JavaScriptCore: missing exception checks in Math functions that take more than one argument
https://bugs.webkit.org/show_bug.cgi?id=180297
<rdar://problem/35745556>

Reviewed by Mark Lam.

JSTests:

stress/math-exceptions.js: Added.

(get try):
(catch):

Source/JavaScriptCore:

runtime/MathObject.cpp:

(JSC::mathProtoFuncATan2):
(JSC::mathProtoFuncMax):
(JSC::mathProtoFuncMin):
(JSC::mathProtoFuncPow):

File:

: 1 edited

trunk/Source/JavaScriptCore/runtime/MathObject.cpp (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/runtime/MathObject.cpp

-              r222473
+              r225443
 EncodedJSValue JSC_HOST_CALL mathProtoFuncATan2(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     double arg0 = exec->argument(0).toNumber(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     double arg1 = exec->argument(1).toNumber(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     return JSValue::encode(jsDoubleNumber(atan2(arg0, arg1)));
+}
 …
 EncodedJSValue JSC_HOST_CALL mathProtoFuncMax(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     unsigned argsCount = exec->argumentCount();
     double result = -std::numeric_limits<double>::infinity();
     for (unsigned k = 0; k < argsCount; ++k) {
         double val = exec->uncheckedArgument(k).toNumber(exec);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
         if (std::isnan(val)) {
             result = PNaN;
 …
 EncodedJSValue JSC_HOST_CALL mathProtoFuncMin(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     unsigned argsCount = exec->argumentCount();
     double result = +std::numeric_limits<double>::infinity();
     for (unsigned k = 0; k < argsCount; ++k) {
         double val = exec->uncheckedArgument(k).toNumber(exec);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
         if (std::isnan(val)) {
             result = PNaN;
 …
     // ECMA 15.8.2.1.13
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     double arg = exec->argument(0).toNumber(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     double arg2 = exec->argument(1).toNumber(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     return JSValue::encode(JSValue(operationMathPow(arg, arg2)));

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 225443 in webkit for trunk/Source/JavaScriptCore/runtime/MathObject.cpp

Legend:

trunk/Source/JavaScriptCore/runtime/MathObject.cpp

Download in other formats: