Bug 258753
| Summary: | Undefined behavior in JSC's tryConvertToInt52() | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris Dumez <cdumez> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | mark.lam, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Chris Dumez
Undefined behavior in JSC's tryConvertToInt52():
```cpp
inline int64_t tryConvertToInt52(double number)
{
    if (number != number)
        return JSValue::notInt52;

#if OS(WINDOWS) && CPU(X86)
    // The VS Compiler for 32-bit builds generates a floating point error when attempting to cast
    // from an infinity to a 64-bit integer. We leave this routine with the floating point error
    // left in a register, causing undefined behavior in later floating point operations.
    //
    // To avoid this issue, we check for infinity here, and return false in that case.
    if (std::isinf(number))
        return JSValue::notInt52;
#endif

    int64_t asInt64 = static_cast<int64_t>(number);
```
UBSan says:
```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior runtime/CommonSlowPaths.cpp:495:57 in
/Volumes/Work/WebKit/OpenSource/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:636:44: runtime error: inf is outside the range of representable values of type 'long long'
```
Casting a number (which may be infinite) to an int64_t is Undefined Behavior and may in theory crash.
Chris Dumez
Looks like we correctly deal with the undefined behavior on Windows x86; we may want to extend this to all platforms.
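As an added illustration of the portable fix suggested above (this is example code written for this page, not WebKit's own implementation), the function below keeps the shape of the excerpt but rejects NaN, both infinities and any finite value outside the Int52 range before the `static_cast`, so the conversion is never undefined on any platform. The constants `kInt52Bits` and `kNotInt52` are local assumptions chosen to mirror the role of `JSValue::numberOfInt52Bits` and `JSValue::notInt52`; the function name `tryConvertToInt52Portable` is hypothetical.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Added example, not JavaScriptCore code. Local stand-ins for JSC's
// JSValue::numberOfInt52Bits / JSValue::notInt52 (values are assumptions).
namespace int52_example {

constexpr int kInt52Bits = 52;
// Sentinel that lies outside the Int52 range, so it can never be a valid result.
constexpr int64_t kNotInt52 = int64_t{1} << kInt52Bits;

// Int52 covers [-2^51, 2^51 - 1]. 2^51 is exactly representable as a double,
// so the range check can be done in floating point before any cast happens.
constexpr double kInt52Limit = 2251799813685248.0; // 2^51

// Hypothetical portable variant: every check that makes the cast well-defined
// runs on all platforms, not only under OS(WINDOWS) && CPU(X86).
inline int64_t tryConvertToInt52Portable(double number)
{
    // NaN compares unequal to everything, including itself; it must be
    // rejected first because the range comparisons below are false for NaN.
    if (std::isnan(number))
        return kNotInt52;

    // +inf / -inf are outside the range of int64_t; casting them is
    // undefined behavior (this is what UBSan reported), so reject them here.
    if (std::isinf(number))
        return kNotInt52;

    // A finite double such as 1e300 is also unrepresentable as int64_t, and
    // casting it would be undefined too. Checking the Int52 bounds in double
    // arithmetic rules out every such value before the cast.
    if (number >= kInt52Limit || number < -kInt52Limit)
        return kNotInt52;

    // Now the cast is well-defined: |number| < 2^51 fits comfortably in int64_t.
    int64_t asInt64 = static_cast<int64_t>(number);

    // Fractional values truncate; require an exact round trip.
    if (static_cast<double>(asInt64) != number)
        return kNotInt52;

    // Negative zero must stay distinct from +0 in a JS engine, so this
    // example does not treat it as an integer.
    if (asInt64 == 0 && std::signbit(number))
        return kNotInt52;

    return asInt64;
}

} // namespace int52_example

int main()
{
    using int52_example::tryConvertToInt52Portable;
    const double inputs[] = { 42.0, -0.0, 1.5, 1e300,
                              std::numeric_limits<double>::infinity(),
                              std::numeric_limits<double>::quiet_NaN() };
    for (double d : inputs) {
        int64_t r = tryConvertToInt52Portable(d);
        if (r == int52_example::kNotInt52)
            std::printf("%g -> notInt52\n", d);
        else
            std::printf("%g -> %lld\n", d, static_cast<long long>(r));
    }
    return 0;
}
```

The ordering matters: the NaN test has to come before the range comparisons, because `NaN >= x` and `NaN < x` are both false and a NaN would otherwise reach the cast. The explicit `std::isinf` check is redundant with the range check but kept so the reason for the Windows-only branch in the original stays visible.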
Radar WebKit Bug Importer
<rdar://problem/111591919>