| Summary: | Undefined behavior in JSC's tryConvertToInt52() | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris Dumez <cdumez> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | mark.lam, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Looks like we correctly deal with the undefined behavior on Windows x86; we may want to extend this to all platforms.
Undefined behavior in JSC's tryConvertToInt52():

```cpp
inline int64_t tryConvertToInt52(double number)
{
    if (number != number)
        return JSValue::notInt52;
#if OS(WINDOWS) && CPU(X86)
    // The VS Compiler for 32-bit builds generates a floating point error when attempting to cast
    // from an infinity to a 64-bit integer. We leave this routine with the floating point error
    // left in a register, causing undefined behavior in later floating point operations.
    //
    // To avoid this issue, we check for infinity here, and return false in that case.
    if (std::isinf(number))
        return JSValue::notInt52;
#endif
    int64_t asInt64 = static_cast<int64_t>(number);
```

UBSan says:

```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior runtime/CommonSlowPaths.cpp:495:57 in
/Volumes/Work/WebKit/OpenSource/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:636:44: runtime error: inf is outside the range of representable values of type 'long long'
```

Casting a number (which may be infinite) to an int64_t is undefined behavior and may in theory crash.