Bug 258753 - Undefined behavior in JSC's tryConvertToInt52()
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-06-30 15:50 PDT by Chris Dumez
Modified: 2023-06-30 15:53 PDT

See Also:
Description Chris Dumez 2023-06-30 15:50:51 PDT
Undefined behavior in JSC's tryConvertToInt52():
```cpp
inline int64_t tryConvertToInt52(double number)
{
    if (number != number)
        return JSValue::notInt52;
#if OS(WINDOWS) && CPU(X86)
    // The VS Compiler for 32-bit builds generates a floating point error when attempting to cast
    // from an infinity to a 64-bit integer. We leave this routine with the floating point error
    // left in a register, causing undefined behavior in later floating point operations.
    //
    // To avoid this issue, we check for infinity here, and return false in that case.
    if (std::isinf(number))
        return JSValue::notInt52;
#endif
    int64_t asInt64 = static_cast<int64_t>(number);
```

UBSan says:
```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior runtime/CommonSlowPaths.cpp:495:57 in
/Volumes/Work/WebKit/OpenSource/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:636:44: runtime error: inf is outside the range of representable values of type 'long long'
```

Casting a number (which may be infinite) to an int64_t is Undefined Behavior and may in theory crash.
Comment 1 Chris Dumez 2023-06-30 15:52:21 PDT
Looks like we correctly deal with the undefined behavior on Windows x86; we may want to extend this to all platforms.
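As an added example (not JSC's code and not part of the bug report), the function below shows what extending the Windows-x86-only guard to every platform could look like: NaN, infinities and values outside the Int52 range are rejected before the `static_cast<int64_t>`, so the cast is always within range and never undefined. The `notInt52` sentinel value, the Int52 range of [-2^51, 2^51 - 1] and the rejection of -0.0 are assumptions made for this example, not taken from the page.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Added example (not JSC's code). A version of tryConvertToInt52() that makes
// the double -> int64_t conversion well defined on every platform by rejecting
// NaN, infinities and out-of-range values before the cast, instead of guarding
// only under #if OS(WINDOWS) && CPU(X86).

// Sentinel modelled on JSValue::notInt52; the value (2^52) is an assumption,
// chosen to lie outside the Int52 range so it can never collide with a result.
constexpr int64_t notInt52 = int64_t(1) << 52;

// Int52 range assumed to be the 52-bit signed integers [-2^51, 2^51 - 1].
constexpr int64_t int52Min = -(int64_t(1) << 51);
constexpr int64_t int52Max = (int64_t(1) << 51) - 1;

// Both bounds are exactly representable as doubles (|x| < 2^53), so the
// comparisons below are exact and rounding cannot let a value slip through.
constexpr double int52MinAsDouble = static_cast<double>(int52Min);
constexpr double int52MaxAsDouble = static_cast<double>(int52Max);

inline bool isInt52(int64_t value)
{
    return value >= int52Min && value <= int52Max;
}

// Returns true iff static_cast<int64_t>(number) is defined behaviour and the
// truncated result could be an Int52. NaN fails both comparisons and +/-inf
// fails one of them, so the explicit isnan()/isinf() tests are not needed for
// correctness; they are kept to document the hazard the sanitizer reported.
inline bool castToInt52IsDefined(double number)
{
    if (std::isnan(number))
        return false;
    if (std::isinf(number)) // the case UBSan flagged in the report
        return false;
    return number >= int52MinAsDouble && number <= int52MaxAsDouble;
}

inline int64_t tryConvertToInt52Safe(double number)
{
    if (!castToInt52IsDefined(number))
        return notInt52;

    // The value is now within int64_t range, so this cast is well defined.
    int64_t asInt64 = static_cast<int64_t>(number);

    // Reject non-integral values: truncation changed the number.
    if (static_cast<double>(asInt64) != number)
        return notInt52;

    // Reject -0.0: it converts to 0, but an integer cannot preserve the sign
    // (treating -0 as "not an Int52" is an assumption of this example).
    if (asInt64 == 0 && std::signbit(number))
        return notInt52;

    return isInt52(asInt64) ? asInt64 : notInt52;
}

int main()
{
    // Constructed sample inputs covering the normal, edge and undefined cases.
    const double samples[] = {
        42.0, -3.0, 1.5, -0.0,
        int52MaxAsDouble, int52MaxAsDouble + 1.0, 1e300,
        INFINITY, -INFINITY, NAN,
    };
    for (double sample : samples) {
        int64_t result = tryConvertToInt52Safe(sample);
        if (result == notInt52)
            std::printf("%-22g -> notInt52\n", sample);
        else
            std::printf("%-22g -> %lld\n", sample, static_cast<long long>(result));
    }
    return 0;
}
```

Building with clang's `-fsanitize=undefined` reproduces the diagnostic from the report on an unguarded cast of `INFINITY`; with the range check in front of the cast the sanitizer stays silent, because any double that passes `castToInt52IsDefined()` is representable as an int64_t.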
Comment 2 Radar WebKit Bug Importer 2023-06-30 15:53:49 PDT
<rdar://problem/111591919>