Changeset 203925 in webkit
Timestamp:
Jul 29, 2016 4:42:08 PM (8 years ago)
Author:
commit-queue@webkit.org
Message:

Undefined Behavior in JSValue cast from NaN
https://bugs.webkit.org/show_bug.cgi?id=160322

Patch by Jonathan Bedard <Jonathan Bedard> on 2016-07-29
Reviewed by Mark Lam.

JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.

In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
to int32_t occurs. While the subsequent if statement should fail and construct the JSValue through the explicit
double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
suppression of any other bugs which may be instantiating a JSValue with a NaN double.

  • runtime/JSCJSValueInlines.h:

(JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
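The defect the message describes is a C++ rule, not a JavaScriptCore one: converting a double to an integer type is undefined behaviour when the value is NaN, infinite, or outside the target type's range, and code cannot rely on the "wrong" result of that conversion to detect the bad input afterwards. The following added example (written for this page; it is not WebKit code, and the `TaggedValue` type, `int32Representable` and `makeValue` names are assumptions standing in for JSValue) shows the hardened ordering: prove the conversion is defined, then cast, then fall back to a double representation for everything else, including -0.0.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Toy tagged value: either an int32 payload or a double payload.
// Stand-in for illustration only; this is not JSC's JSValue.
struct TaggedValue {
    enum class Kind { Int32, Double } kind;
    int32_t asInt32;
    double asDouble;
};

// Returns true and writes `out` only when `d` is a finite double whose exact
// value is an int32 and is not -0.0. The cast is performed only after the
// range check has established that the conversion is well-defined.
bool int32Representable(double d, int32_t& out)
{
    if (!std::isfinite(d))                         // NaN and +/-inf: cast would be UB
        return false;
    if (d < -2147483648.0 || d > 2147483647.0)     // outside int32 range: cast would be UB
        return false;
    if (d == 0.0 && std::signbit(d))               // -0.0 must stay a double to keep its sign
        return false;
    const int32_t i = static_cast<int32_t>(d);     // now well-defined
    if (static_cast<double>(i) != d)               // fractional part present
        return false;
    out = i;
    return true;
}

// Chooses the compact int32 encoding when it is exact, otherwise keeps the double.
TaggedValue makeValue(double d)
{
    TaggedValue v{};
    int32_t i = 0;
    if (int32Representable(d, i)) {
        v.kind = TaggedValue::Kind::Int32;
        v.asInt32 = i;
        v.asDouble = d;
    } else {
        v.kind = TaggedValue::Kind::Double;
        v.asInt32 = 0;
        v.asDouble = d;
    }
    return v;
}

// Helper for checks: does makeValue pick the int32 representation for `d`?
bool picksInt32(double d)
{
    return makeValue(d).kind == TaggedValue::Kind::Int32;
}
```

Building with `-fsanitize=float-cast-overflow` (part of UBSan in clang and GCC) reports the original ordering, cast first and compare afterwards, at runtime when NaN, infinity or an out-of-range value reaches the cast; that is the check a reviewer would want in a test build, since the optimizer is free to turn the undefined cast into silently accepted garbage rather than a visible failure.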

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r203923 r203925  
     12016-07-29  Jonathan Bedard  <jbedard@apple.com>
     2
     3        Undefined Behavior in JSValue cast from NaN
     4        https://bugs.webkit.org/show_bug.cgi?id=160322
     5
     6        Reviewed by Mark Lam.
     7
     8        JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
     9
     10        In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
     11        to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
     12        double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
     13        should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
     14        suppressing of any other bugs which may be instantiating a JSValue with a NaN double.
     15
     16        * runtime/JSCJSValueInlines.h:
     17        (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
     18
    1192016-07-29  Michael Saboff  <msaboff@apple.com>
    220
  • trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h

    r203895 r203925  
    7171inline JSValue jsNaN()
    7272{
    73     return JSValue(PNaN);
     73    return JSValue(JSValue::EncodeAsDouble, PNaN);
    7474}
    7575
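Review bot: this removes the undefined cast only for the jsNaN() entry point; JSValue(double) at line 141 still performs `static_cast<int32_t>(d)` on any NaN or infinity a caller passes directly, so leaving the general constructor untouched does not make other NaN constructions surface as the ChangeLog hopes, because undefined behaviour may be optimized into silent acceptance rather than a visible failure. If the intent is to catch them, an ASSERT that `!std::isnan(d)` at the top of JSValue(double), or a test build with UBSan's float-cast-overflow check, is the reliable way to do it.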
     
    141141inline JSValue::JSValue(double d)
    142142{
     143    // Note: while this behavior is undefined for NaN and inf, the subsequent statement will catch these cases.
    143144    const int32_t asInt32 = static_cast<int32_t>(d);
    144145    if (asInt32 != d || (!asInt32 && std::signbit(d))) { // true for -0.0
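Review bot: the comment added at line 143 says the subsequent statement will catch the NaN and inf cases, but once `static_cast<int32_t>(d)` is undefined for those inputs, nothing guarantees what `asInt32` holds on line 144, so `asInt32 != d` detects them in practice rather than by contract. Suggest moving the finiteness and int32-range test ahead of the cast, for example `if (!std::isfinite(d) || d < INT32_MIN || d > INT32_MAX)` taking the double-encoding path before `static_cast<int32_t>(d)` is evaluated, or at minimum rewording the comment to say the check is relied upon, not guaranteed.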