Changeset 166876 in webkit

Timestamp:

Apr 7, 2014 11:24:31 AM (10 years ago)

Author:

mark.lam@apple.com

Message:

Date object needs to check for ES5 15.9.1.14 TimeClip limit.
<​https://webkit.org/b/131248>

Reviewed by Mark Hahnenberg.

Source/JavaScriptCore:

The current Date object code does not adequately check for the ES5
15.9.1.14 TimeClip limit. As a result, some calculations can underflow
/ overflow and produce unexpected results.

For example, we were getting an assertion failure in
WTF::equivalentYearForDST() due int underflows in this function, which
in turn were due to an int overflow in WTF::msToYear().

This patch adds the needed checks, and adds some assertions to ensure
that the used values are sane.

The changes have no noticeable impact on benchmark results.

• runtime/DateConstructor.cpp:

(JSC::callDate):

• runtime/JSDateMath.cpp:

(JSC::localTimeOffset):
(JSC::gregorianDateTimeToMS):
(JSC::msToGregorianDateTime):
(JSC::parseDateFromNullTerminatedCharacters):
(JSC::parseDate):

• runtime/JSDateMath.h:
• parseDateFromNullTerminatedCharacters() does not need to be public. Made it a static function.
• runtime/VM.cpp:

(JSC::VM::resetDateCache):

• Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN() to be consistent with other Date code.

Source/WTF:

• wtf/DateMath.cpp:
• Moved the definition of maxECMAScriptTime to the .h file so that we can use it in other files as well.

(WTF::msToYear):

• Removed a stale comment for parseDateFromNullTerminatedCharacters().
• wtf/DateMath.h:

LayoutTests:

• js/regress-131248-expected.txt: Added.
• js/regress-131248.html: Added.
• js/script-tests/regress-131248.js: Added.

(testDateFromSetDateAdjustement):
(testDateFromSetTimeWithMilliseconds):
(testDateFromString):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress-131248-expected.txt (added)
• LayoutTests/js/regress-131248.html (added)
• LayoutTests/js/script-tests/regress-131248.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/DateConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSDateMath.cpp (modified) (7 diffs)
• Source/JavaScriptCore/runtime/JSDateMath.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/VM.cpp (modified) (1 diff)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/DateMath.cpp (modified) (5 diffs)
• Source/WTF/wtf/DateMath.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-04-04  Mark Lam  <mark.lam@apple.com>
+
+        Date object needs to check for ES5 15.9.1.14 TimeClip limit.
+        <https://webkit.org/b/131248>
+
+        Reviewed by Mark Hahnenberg.
+
+        * js/regress-131248-expected.txt: Added.
+        * js/regress-131248.html: Added.
+        * js/script-tests/regress-131248.js: Added.
+        (testDateFromSetDateAdjustement):
+        (testDateFromSetTimeWithMilliseconds):
+        (testDateFromString):
+
 2014-04-07  Sergio Villar Senin  <svillar@igalia.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-04-04  Mark Lam  <mark.lam@apple.com>
+
+        Date object needs to check for ES5 15.9.1.14 TimeClip limit.
+        <https://webkit.org/b/131248>
+
+        Reviewed by Mark Hahnenberg.
+
+        The current Date object code does not adequately check for the ES5
+        15.9.1.14 TimeClip limit.  As a result, some calculations can underflow
+        / overflow and produce unexpected results.
+
+        For example, we were getting an assertion failure in
+        WTF::equivalentYearForDST() due int underflows in this function, which
+        in turn were due to an int overflow in WTF::msToYear().
+
+        This patch adds the needed checks, and adds some assertions to ensure
+        that the used values are sane.
+
+        The changes have no noticeable impact on benchmark results.
+
+        * runtime/DateConstructor.cpp:
+        (JSC::callDate):
+        * runtime/JSDateMath.cpp:
+        (JSC::localTimeOffset):
+        (JSC::gregorianDateTimeToMS):
+        (JSC::msToGregorianDateTime):
+        (JSC::parseDateFromNullTerminatedCharacters):
+        (JSC::parseDate):
+        * runtime/JSDateMath.h:
+        - parseDateFromNullTerminatedCharacters() does not need to be public.
+          Made it a static function.
+        * runtime/VM.cpp:
+        (JSC::VM::resetDateCache):
+        - Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
+          to be consistent with other Date code.
+
 2014-04-06  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/Source/JavaScriptCore/runtime/DateConstructor.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2004, 2005, 2006, 2007, 2008, 2011 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2008, 2011, 2014 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -191 +191 @@
     VM& vm = exec->vm();
     GregorianDateTime ts;
-    msToGregorianDateTime(vm, currentTimeMS(), false, ts);
+
+    double currentTime = timeClip(currentTimeMS());
+    if (std::isnan(currentTime))
+        return JSValue::encode(jsNaN());
+    
+    msToGregorianDateTime(vm, currentTime, false, ts);
     return JSValue::encode(jsNontrivialString(&vm, formatDateTime(ts, DateTimeFormatDateAndTime, false)));
 }

trunk/Source/JavaScriptCore/runtime/JSDateMath.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- * Copyright (C) 2006, 2007, 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2007, 2012, 2014 Apple Inc. All rights reserved.
  * Copyright (C) 2009 Google Inc. All rights reserved.
  * Copyright (C) 2007-2009 Torch Mobile, Inc.
@@ -139 +139 @@
     double end = cache.end;
 
+    ASSERT(fabs(ms) <= WTF::maxECMAScriptTime);
     if (start <= ms) {
         // If the time fits in the cached interval, return the cached offset.
@@ -146 +147 @@
         double newEnd = end + cache.increment;
 
-        if (ms <= newEnd) {
+        if (ms <= newEnd && newEnd <= WTF::maxECMAScriptTime) {
             LocalTimeOffset endOffset = calculateLocalTimeOffset(newEnd);
             if (cache.offset == endOffset) {
@@ -195 +196 @@
     double result = (day * WTF::msPerDay) + ms;
 
+    if (fabs(result) > WTF::maxECMAScriptTime)
+        return std::numeric_limits<double>::quiet_NaN();
+
     if (!inputIsUTC)
         result -= localTimeOffset(vm, result).offset;
 
-    return result;
+    return timeClip(result);
 }
 
@@ -204 +208 @@
 void msToGregorianDateTime(VM& vm, double ms, bool outputIsUTC, GregorianDateTime& tm)
 {
+    ASSERT(fabs(ms) <= WTF::maxECMAScriptTime);
     LocalTimeOffset localTime;
     if (!outputIsUTC) {
@@ -223 +228 @@
 }
 
-double parseDateFromNullTerminatedCharacters(VM& vm, const char* dateString)
+static double parseDateFromNullTerminatedCharacters(VM& vm, const char* dateString)
 {
     bool haveTZ;
     int offset;
     double ms = WTF::parseDateFromNullTerminatedCharacters(dateString, haveTZ, offset);
-    if (std::isnan(ms))
-        return QNaN;
+    if (std::isnan(ms) || fabs(ms) > WTF::maxECMAScriptTime)
+        return std::numeric_limits<double>::quiet_NaN();
 
     // fall back to local timezone
@@ -245 +250 @@
     if (std::isnan(value))
         value = parseDateFromNullTerminatedCharacters(vm, date.utf8().data());
+    value = timeClip(value);
     vm.cachedDateString = date;
     vm.cachedDateStringValue = value;

trunk/Source/JavaScriptCore/runtime/JSDateMath.h

@@ -1 +1 @@
 /*
  * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- * Copyright (C) 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2007, 2014 Apple Inc. All rights reserved.
  * Copyright (C) 2009 Google Inc. All rights reserved.
  * Copyright (C) 2010 Research In Motion Limited. All rights reserved.
@@ -54 +54 @@
 double gregorianDateTimeToMS(VM&, const GregorianDateTime&, double, bool inputIsUTC);
 double getUTCOffset(VM&);
-double parseDateFromNullTerminatedCharacters(VM&, const char* dateString);
 double parseDate(VM&, const WTF::String&);
 

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -502 +502 @@
     localTimeOffsetCache.reset();
     cachedDateString = String();
-    cachedDateStringValue = QNaN;
+    cachedDateStringValue = std::numeric_limits<double>::quiet_NaN();
     dateInstanceCache.reset();
 }

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2014-04-04  Mark Lam  <mark.lam@apple.com>
+
+        Date object needs to check for ES5 15.9.1.14 TimeClip limit.
+        <https://webkit.org/b/131248>
+
+        Reviewed by Mark Hahnenberg.
+
+        * wtf/DateMath.cpp:
+        - Moved the definition of maxECMAScriptTime to the .h file so that we
+          can use it in other files as well.
+        (WTF::msToYear):
+        - Removed a stale comment for parseDateFromNullTerminatedCharacters().
+        * wtf/DateMath.h:
+
 2014-04-04  Mark Hahnenberg  <mhahnenberg@apple.com>
 

trunk/Source/WTF/wtf/DateMath.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- * Copyright (C) 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2007, 2014 Apple Inc. All rights reserved.
  * Copyright (C) 2009 Google Inc. All rights reserved.
  * Copyright (C) 2007-2009 Torch Mobile, Inc.
@@ -110 +110 @@
 
 static const double maxUnixTime = 2145859200.0; // 12/31/2037
-// ECMAScript asks not to support for a date of which total
-// millisecond value is larger than the following value.
-// See 15.9.1.14 of ECMA-262 5th edition.
-static const double maxECMAScriptTime = 8.64E15;
 
 // Day of year for the first day of each month, where index 0 is January, and day 0 is January 1.
@@ -185 +181 @@
 int msToYear(double ms)
 {
+    ASSERT(fabs(ms) <= maxECMAScriptTime);
     int approxYear = static_cast<int>(floor(ms / (msPerDay * 365.2425)) + 1970);
     double msFromApproxYearTo1970 = msPerDay * daysFrom1970ToYear(approxYear);
@@ -331 +328 @@
 
 /*
- * Find an equivalent year for the one given, where equivalence is deterined by
+ * Find an equivalent year for the one given, where equivalence is determined by
  * the two years having the same leapness and the first day of the year, falling
  * on the same day of the week.
@@ -797 +794 @@
 }
 
-// Odd case where 'exec' is allowed to be 0, to accomodate a caller in WebCore.
 double parseDateFromNullTerminatedCharacters(const char* dateString, bool& haveTZ, int& offset)
 {

trunk/Source/WTF/wtf/DateMath.h

@@ -1 +1 @@
 /*
  * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- * Copyright (C) 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2007, 2014 Apple Inc. All rights reserved.
  * Copyright (C) 2009 Google Inc. All rights reserved.
  * Copyright (C) 2010 Research In Motion Limited. All rights reserved.
@@ -53 +53 @@
 
 namespace WTF {
+
+// ECMAScript asks not to support for a date of which total
+// millisecond value is larger than the following value.
+// See 15.9.1.14 of ECMA-262 5th edition.
+static const double maxECMAScriptTime = 8.64E15;
 
 struct LocalTimeOffset {