[Webkit-unassigned] [Bug 258753] New: Undefined behavior in JSC's tryConvertToInt52()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 30 15:50:51 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=258753

            Bug ID: 258753
           Summary: Undefined behavior in JSC's tryConvertToInt52()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cdumez at apple.com

Undefined behavior in JSC's tryConvertToInt52():
```
inline int64_t tryConvertToInt52(double number)
{
    if (number != number)
        return JSValue::notInt52;
#if OS(WINDOWS) && CPU(X86)
    // The VS Compiler for 32-bit builds generates a floating point error when attempting to cast
    // from an infinity to a 64-bit integer. We leave this routine with the floating point error
    // left in a register, causing undefined behavior in later floating point operations.
    //
    // To avoid this issue, we check for infinity here, and return false in that case.
    if (std::isinf(number))
        return JSValue::notInt52;
#endif
    int64_t asInt64 = static_cast<int64_t>(number);
```

UBSan says:
```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior runtime/CommonSlowPaths.cpp:495:57 in
/Volumes/Work/WebKit/OpenSource/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:636:44: runtime error: inf is outside the range of representable values of type 'long long'
```

Casting a number (which may be infinite) to an int64_t is Undefined Behavior and may in theory crash.

-- 
You are receiving this mail because:
You are the assignee for the bug.
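The report stops at the offending cast without proposing a fix, so the following is an added example (not WebKit's code and not from the reporter) showing the same conversion pattern beside a guarded form. The hazard is the C++ rule ([conv.fpint]) that converting a floating-point value to an integer type is undefined when the truncated value is not representable, which covers +/-inf and any |x| >= 2^63. The guarded version rejects out-of-range values in the double domain before casting, where comparisons against infinity are well defined. The Int52 range [-2^51, 2^51), the sentinel `notInt52 = 1 << 52` and the names `numberOfInt52Bits`, `int52Min`, `int52Max` and `fitsInInt64` are assumptions made for this example to mirror JSC's layout; `fitsInInt64` goes beyond the Int52 case and states the general precondition for any double-to-int64_t cast.

```cpp
// Added example, not WebKit's code. Constants below are assumptions chosen to
// mirror JSC's Int52 layout (52 significant bits, sentinel 1 << 52); they are
// not taken from the bug report.
#include <cmath>
#include <cstdint>
#include <cstdio>

namespace int52 {

constexpr int numberOfInt52Bits = 52;
constexpr int64_t notInt52 = static_cast<int64_t>(1) << numberOfInt52Bits;
constexpr int64_t int52Min = -(static_cast<int64_t>(1) << (numberOfInt52Bits - 1));
constexpr int64_t int52Max = (static_cast<int64_t>(1) << (numberOfInt52Bits - 1)) - 1;

// General precondition for a double -> int64_t cast: the truncated value must be
// representable. -2^63 is exactly representable as a double; 2^63 is the first
// value that is not. Both comparisons are false for NaN and for +/-inf.
inline bool fitsInInt64(double x)
{
    return x >= -9223372036854775808.0 && x < 9223372036854775808.0;
}

// The pattern UBSan flagged: the cast runs before any range check, so an
// infinite or huge input reaches static_cast<int64_t> and is undefined behavior.
// Kept here only for comparison; never call it with inf or |x| >= 2^63.
inline int64_t tryConvertToInt52Unguarded(double number)
{
    if (number != number)
        return notInt52;
    int64_t asInt64 = static_cast<int64_t>(number); // UB for inf / out of range
    if (static_cast<double>(asInt64) != number)
        return notInt52;
    if (!asInt64 && std::signbit(number))
        return notInt52;
    if (asInt64 < int52Min || asInt64 > int52Max)
        return notInt52;
    return asInt64;
}

// Guarded form: bound the value in the double domain first. 2^51 and -2^51 are
// exact doubles, and the range test is false for NaN and +/-inf, so the cast
// below can only ever see a value that int64_t (and Int52) can hold.
inline int64_t tryConvertToInt52(double number)
{
    if (number != number)
        return notInt52;
    constexpr double lowerBound = -2251799813685248.0; // -2^51
    constexpr double upperBound = 2251799813685248.0;  //  2^51 (exclusive)
    if (!(number >= lowerBound && number < upperBound)) // rejects inf, NaN, too big
        return notInt52;
    int64_t asInt64 = static_cast<int64_t>(number);     // always representable now
    if (static_cast<double>(asInt64) != number)         // had a fractional part
        return notInt52;
    if (!asInt64 && std::signbit(number))               // -0.0 is not an Int52
        return notInt52;
    return asInt64;
}

} // namespace int52

int main()
{
    const double samples[] = { 42.0, -1.0, 0.5, -0.0, 2251799813685247.0,
                               2251799813685248.0, INFINITY, -INFINITY, NAN };
    for (double s : samples) {
        int64_t r = int52::tryConvertToInt52(s);
        std::printf("%-22g -> %s\n", s, r == int52::notInt52 ? "notInt52" : "int52");
    }
    return 0;
}
```

The only behavioural difference between the two functions is the order of the checks: the guarded version does in portable C++ what the Windows/x86 `std::isinf` special case in the reported snippet does for one platform, and it also covers finite values beyond the int64_t range, which the original snippet never rejects before casting.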