[Webkit-unassigned] [Bug 160322] Undefined Behavior in JSValue cast from NaN

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 29 13:40:02 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=160322

--- Comment #6 from Jonathan Bedard <jbedard at apple.com> ---
I will update the change log.

Before uploading a new patch, do we want to fix the undefined behavior in the case where NaN is passed into the JSValue constructor?

Casting a NaN to an int32_t is undefined behavior, however, if you take a look at JSCJSValueInlines.h, line 144, the cast int is immediately compared to the double which constructed it, meaning that the int is re-cast to a double.

If the original double is either NaN or infinity, this comparison will fail (the integer will not equal the value which constructed it) and the JSValue will default to its explicit double constructor, which is safe behavior.

I only changed the explicit NaN creation because it had the advantage of both disambiguating the cast as well as eliminating a few unneeded instructions.  Changing the double constructor will result in more instructions and no undefined behavior.  That being said, even if one line of the code as it stands now has undefined behavior, the behavior of the constructor as a whole is defined.

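The two constructor shapes discussed in the comment above, as an added example that is not WebKit's code: `tagCastThenCheck` follows the cast-then-compare pattern the comment describes (the comparison rejects NaN and infinity, but the cast itself is undefined behavior when the truncated value does not fit in int32_t), and `tagCheckThenCast` decides representability before converting. The `TaggedValue` type, the `Tag` enum and all function names are hypothetical; the -0.0 handling is an assumption beyond what the comment covers.

```cpp
// Added example (not WebKit code): a toy JSValue-style tagger that decides
// whether a double can be stored as an int32 or must be kept as a double.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

enum class Tag { Int32, Double };

struct TaggedValue {
    Tag tag;
    int32_t i;   // meaningful only when tag == Tag::Int32
    double d;    // meaningful only when tag == Tag::Double
};

// Pattern as described in the comment: cast first, then compare back.
// The round-trip comparison correctly rejects NaN and infinity, but the cast
// on the first line is undefined behavior in C++ ([conv.fpint]) for NaN,
// infinity and any value whose truncation does not fit in int32_t.
// Clang/GCC UBSan reports it with -fsanitize=float-cast-overflow.
TaggedValue tagCastThenCheck(double d)
{
    const int32_t asInt32 = static_cast<int32_t>(d);   // UB for NaN/inf/out-of-range
    if (asInt32 != d)                                   // asInt32 is re-widened to double here
        return { Tag::Double, 0, d };
    return { Tag::Int32, asInt32, 0.0 };
}

// Hardened form: establish representability first, so the conversion is
// only ever performed on values for which it is defined.
bool fitsInInt32(double d)
{
    if (!std::isfinite(d))        // rejects NaN and +/-infinity
        return false;
    // INT32_MIN and INT32_MAX are exactly representable as doubles, so these
    // comparisons are exact and never round.
    if (d < static_cast<double>(std::numeric_limits<int32_t>::min()) ||
        d > static_cast<double>(std::numeric_limits<int32_t>::max()))
        return false;
    // Only integral values survive the round-trip; std::trunc is defined for
    // every finite double.
    return std::trunc(d) == d;
}

TaggedValue tagCheckThenCast(double d)
{
    // Assumption beyond the comment under discussion: -0.0 is kept as a
    // double, since an int32 cannot preserve its sign.
    if (!fitsInInt32(d) || (d == 0.0 && std::signbit(d)))
        return { Tag::Double, 0, d };
    return { Tag::Int32, static_cast<int32_t>(d), 0.0 };   // now a defined conversion
}

int main()
{
    // Constructed inputs covering the edge cases the comment mentions.
    const double samples[] = { 42.0, 1.5, -0.0,
                               std::numeric_limits<double>::quiet_NaN(),
                               std::numeric_limits<double>::infinity(),
                               2147483648.0 };
    for (double s : samples) {
        TaggedValue v = tagCheckThenCast(s);
        if (v.tag == Tag::Int32)
            std::printf("%g -> int32 %d\n", s, v.i);
        else
            std::printf("%g -> double %g\n", s, v.d);
    }
    return 0;
}
```

Building `tagCastThenCheck` with `-fsanitize=float-cast-overflow` and passing it NaN or 2^31 produces a runtime report from the sanitizer; `tagCheckThenCast` never reaches the cast with such inputs, so it stays silent. The extra `isfinite`/range/`trunc` checks are the "more instructions" the comment refers to.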

