Title: [228851] trunk
Revision: 228851
Author: [email protected]
Date: 2018-02-20 16:51:06 -0800 (Tue, 20 Feb 2018)

Log Message

Crash under JSC::JSCell::toNumber(JSC::ExecState*)
https://bugs.webkit.org/show_bug.cgi?id=182984
<rdar://problem/37694346>

Reviewed by Mark Lam.

Source/WebCore:

The issue was caused by DOMMatrix attributes potentially returning "impure"
NaN values. We would call JSC::jsNumber(double) to construct the JSValue
but this is only safe for pure NaN values. Make sure we purify the double
returned by the implementation for IDL attributes of type 'unrestricted double'
before calling JSC::jsNumber(double).

No new tests, extended existing test.

* bindings/js/JSDOMConvertNumbers.h:
(WebCore::JSConverter<IDLUnrestrictedDouble>::convert):
* testing/TypeConversions.h:
(WebCore::TypeConversions::testImpureNaNUnrestrictedDouble const):
(WebCore::TypeConversions::testImpureNaN2UnrestrictedDouble const):
(WebCore::TypeConversions::testQuietNaNUnrestrictedDouble const):
* testing/TypeConversions.idl:

LayoutTests:

Add layout test coverage.

* js/dom/webidl-type-mapping-expected.txt:
* js/dom/webidl-type-mapping.html:
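
Added example, not part of this commit or of WebKit: a small model of the JSVALUE64 NaN-boxing scheme JavaScriptCore used in 2018 (assumed from that era's encoding: doubles stored as bits plus 2^48, int32 tag 0xffff, cell pointers with zero top 16 bits) showing why the NaN patterns used by the new TypeConversions getters land in pointer or int32 tag space, and how a purifyNaN step before encoding avoids it. The function names are hypothetical stand-ins for `JSC::isImpureNaN`, `JSC::purifyNaN` and `JSC::jsNumber`.

```c
#include <stdint.h>
#include <string.h>

/* Model of the JSVALUE64 NaN-boxing scheme JavaScriptCore used in 2018 (assumed from
 * that era's encoding): a double is stored as its bits plus 2^48, an int32 carries the
 * tag 0xffff in the top 16 bits, and a word whose top 16 bits are zero is a JSCell*.
 * Illustrative stand-in, not JSC's code. */
#define DOUBLE_ENCODE_OFFSET (1ULL << 48)
#define TAG_TYPE_NUMBER      0xffff000000000000ULL
#define TAG_BIT_TYPE_OTHER   0x2ULL                /* undefined, null, true, false */
#define PURE_NAN_BITS        0x7ff8000000000000ULL /* the one NaN the encoding reserves */

enum kind { KIND_CELL, KIND_INT32, KIND_DOUBLE, KIND_OTHER };

uint64_t double_to_bits(double d) { uint64_t u; memcpy(&u, &d, sizeof u); return u; }
double bits_to_double(uint64_t u) { double d; memcpy(&d, &u, sizeof d); return d; }

/* Same test as JSC::isImpureNaN: with the top 15 bits set, adding the encode offset
 * wraps the word into the int32 tag (0xfffe...) or pointer (0xffff...) space. */
int is_impure_nan(double d) { return double_to_bits(d) >= 0xfffe000000000000ULL; }

/* Same idea as JSC::purifyNaN: every NaN collapses onto PURE_NAN_BITS; anything
 * that is not NaN passes through unchanged, so ordinary numbers pay one comparison. */
double purify_nan(double d) { return d != d ? bits_to_double(PURE_NAN_BITS) : d; }

/* What an unchecked jsNumber(double) does to the bit pattern in this model. */
uint64_t encode_double(double d) { return double_to_bits(d) + DOUBLE_ENCODE_OFFSET; }

/* How the decoder would read an encoded word back. */
enum kind classify(uint64_t v)
{
    if ((v & TAG_TYPE_NUMBER) == TAG_TYPE_NUMBER) return KIND_INT32;
    if (v & TAG_TYPE_NUMBER)                      return KIND_DOUBLE;
    if (v & TAG_BIT_TYPE_OTHER)                   return KIND_OTHER;
    return KIND_CELL; /* 0 decodes as a null JSCell*, which toNumber() dereferences */
}

/* Returns 1 when the input only survives the round trip as a double after
 * purification, i.e. the fixed converter matters for it; 0 when both paths agree. */
int purification_needed(double d)
{
    return classify(encode_double(d)) != KIND_DOUBLE
        && classify(encode_double(purify_nan(d))) == KIND_DOUBLE;
}
```

With this model the first TypeConversions pattern, 0xffff000000000000, encodes to the all-zero word, which is exactly a null cell pointer, while 0x7ff8000000000001 is merely non-canonical and already decodes as a double.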

Diff

Modified: trunk/LayoutTests/ChangeLog (228850 => 228851)


--- trunk/LayoutTests/ChangeLog	2018-02-21 00:35:11 UTC (rev 228850)
+++ trunk/LayoutTests/ChangeLog	2018-02-21 00:51:06 UTC (rev 228851)
@@ -1,3 +1,16 @@
+2018-02-20  Chris Dumez  <[email protected]>
+
+        Crash under JSC::JSCell::toNumber(JSC::ExecState*)
+        https://bugs.webkit.org/show_bug.cgi?id=182984
+        <rdar://problem/37694346>
+
+        Reviewed by Mark Lam.
+
+        Add layout test coverage.
+
+        * js/dom/webidl-type-mapping-expected.txt:
+        * js/dom/webidl-type-mapping.html:
+
 2018-02-20  Ryan Haddad  <[email protected]>
 
         Mark two imported/w3c/web-platform-tests/2dcontext/imagebitmap tests as flaky on iOS.

Modified: trunk/LayoutTests/js/dom/webidl-type-mapping-expected.txt (228850 => 228851)


--- trunk/LayoutTests/js/dom/webidl-type-mapping-expected.txt	2018-02-21 00:35:11 UTC (rev 228850)
+++ trunk/LayoutTests/js/dom/webidl-type-mapping-expected.txt	2018-02-21 00:51:06 UTC (rev 228851)
@@ -1211,6 +1211,10 @@
 PASS converter.setTestSequenceRecord({ 'Ā': ['value'] }) threw exception TypeError: Type error.
 converter.setTestSequenceRecord({ 'ÿ': ['value'] })
 PASS converter.testSequenceRecord()['ÿ'] is ['value']
+PASS converter.testImpureNaNUnrestrictedDouble is NaN
+PASS converter.testImpureNaN2UnrestrictedDouble is NaN
+PASS converter.testQuietNaNUnrestrictedDouble is NaN
+PASS converter.testPureNaNUnrestrictedDouble is NaN
 PASS successfullyParsed is true
 
 TEST COMPLETE
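Review bot: these four expectations rely on `shouldBe` treating two NaN results as equal (a plain `===` comparison never matches NaN), which js-test's result comparison does, so the lines are fine as written; note though that before the fix the first new line would not show as a FAIL but would crash the test process under `JSC::JSCell::toNumber`, so a regression here surfaces as a missing `TEST COMPLETE` rather than as a diff in this file.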

Modified: trunk/LayoutTests/js/dom/webidl-type-mapping.html (228850 => 228851)


--- trunk/LayoutTests/js/dom/webidl-type-mapping.html	2018-02-21 00:35:11 UTC (rev 228850)
+++ trunk/LayoutTests/js/dom/webidl-type-mapping.html	2018-02-21 00:51:06 UTC (rev 228851)
@@ -739,5 +739,10 @@
 evalAndLog("converter.setTestSequenceRecord({ '\u00FF': ['value'] })");
 shouldBe("converter.testSequenceRecord()['\u00FF']", "['value']");
 
+shouldBe("converter.testImpureNaNUnrestrictedDouble", "NaN");
+shouldBe("converter.testImpureNaN2UnrestrictedDouble", "NaN");
+shouldBe("converter.testQuietNaNUnrestrictedDouble", "NaN");
+shouldBe("converter.testPureNaNUnrestrictedDouble", "NaN");
+
 </script>
 <script src=""
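Review bot: the four new `shouldBe` calls cover only attribute getters returning a raw double; the converter change below also touches the `MediaTime` overload, which nothing in this test exercises. If `MediaTime::toDouble()` can yield NaN for an invalid time, a TypeConversions attribute returning such a value would cover that second path too.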

Modified: trunk/Source/WebCore/ChangeLog (228850 => 228851)


--- trunk/Source/WebCore/ChangeLog	2018-02-21 00:35:11 UTC (rev 228850)
+++ trunk/Source/WebCore/ChangeLog	2018-02-21 00:51:06 UTC (rev 228851)
@@ -1,3 +1,27 @@
+2018-02-20  Chris Dumez  <[email protected]>
+
+        Crash under JSC::JSCell::toNumber(JSC::ExecState*)
+        https://bugs.webkit.org/show_bug.cgi?id=182984
+        <rdar://problem/37694346>
+
+        Reviewed by Mark Lam.
+
+        The issue was caused by DOMMatrix attributes potentially returning "impure"
+        NaN values. We would call JSC::jsNumber(double) to construct the JSValue
+        but this is only safe for pure NaN values. Make sure we purify the double
+        returned by the implementation for IDL attributes of type 'unrestricted double'
+        before calling JSC::jsNumber(double).
+
+        No new tests, extended existing test.
+
+        * bindings/js/JSDOMConvertNumbers.h:
+        (WebCore::JSConverter<IDLUnrestrictedDouble>::convert):
+        * testing/TypeConversions.h:
+        (WebCore::TypeConversions::testImpureNaNUnrestrictedDouble const):
+        (WebCore::TypeConversions::testImpureNaN2UnrestrictedDouble const):
+        (WebCore::TypeConversions::testQuietNaNUnrestrictedDouble const):
+        * testing/TypeConversions.idl:
+
 2018-02-20  Tim Horton  <[email protected]>
 
         Make more use of USE(OPENGL_ES) where it makes sense

Modified: trunk/Source/WebCore/bindings/js/JSDOMConvertNumbers.h (228850 => 228851)


--- trunk/Source/WebCore/bindings/js/JSDOMConvertNumbers.h	2018-02-21 00:35:11 UTC (rev 228850)
+++ trunk/Source/WebCore/bindings/js/JSDOMConvertNumbers.h	2018-02-21 00:51:06 UTC (rev 228851)
@@ -29,6 +29,7 @@
 #include "JSDOMConvertBase.h"
 #include "JSDOMExceptionHandling.h"
 #include <_javascript_Core/JSCJSValueInlines.h>
+#include <_javascript_Core/PureNaN.h>
 
 namespace WebCore {
 
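Review bot: the added include is rendered as `<_javascript_Core/PureNaN.h>`, the same mangled directory name the list archive shows for the existing `JSCJSValueInlines.h` include above it; the real path is `<JavaScriptCore/PureNaN.h>`, so nothing to change in the source, but readers of this archive should not copy the path as shown.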
@@ -383,13 +384,13 @@
 
     static JSC::JSValue convert(Type value)
     {
-        return JSC::jsNumber(value);
+        return JSC::jsNumber(JSC::purifyNaN(value));
     }
 
     // Add overload for MediaTime.
     static JSC::JSValue convert(MediaTime value)
     {
-        return JSC::jsNumber(value.toDouble());
+        return JSC::jsNumber(JSC::purifyNaN(value.toDouble()));
     }
 };
 
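Review bot: `JSC::purifyNaN` is the right choke point, and because it only rewrites values where `value != value`, ordinary doubles pay a single comparison. Two follow-ups: the `unrestricted float` converter in this same file is not in the hunk, and if it widens to double before calling `jsNumber`, a float NaN with the sign and top mantissa bits set widens to a pattern the same purity check rejects, so it should get the same guard; and a one-line comment above `return JSC::jsNumber(JSC::purifyNaN(value));` saying why the purification is needed (implementations may hand back arbitrary NaN payloads) would save the next reader a trip to the bug.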

Modified: trunk/Source/WebCore/testing/TypeConversions.h (228850 => 228851)


--- trunk/Source/WebCore/testing/TypeConversions.h	2018-02-21 00:35:11 UTC (rev 228850)
+++ trunk/Source/WebCore/testing/TypeConversions.h	2018-02-21 00:51:06 UTC (rev 228851)
@@ -142,6 +142,11 @@
     const TestTreatNullAsEmptyStringUnion& testTreatNullAsEmptyStringUnion() const { return m_treatNullAsEmptyStringUnion; }
     void setTestTreatNullAsEmptyStringUnion(const TestTreatNullAsEmptyStringUnion& value) { m_treatNullAsEmptyStringUnion = value; }
 
+    double testImpureNaNUnrestrictedDouble() const { return bitwise_cast<double>(0xffff000000000000ll); }
+    double testImpureNaN2UnrestrictedDouble() const { return bitwise_cast<double>(0x7ff8000000000001ll); }
+    double testQuietNaNUnrestrictedDouble() const { return std::numeric_limits<double>::quiet_NaN(); }
+    double testPureNaNUnrestrictedDouble() const { return JSC::pureNaN(); }
+
 private:
     TypeConversions() = default;
 
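Review bot: `0xffff000000000000ll` does not fit in `long long`, so the literal silently becomes `unsigned long long` while `0x7ff8000000000001ll` stays signed; writing both with `ull` (or as `uint64_t` constants) makes the intent explicit and keeps the two `bitwise_cast` calls symmetric. The getters also use `bitwise_cast`, `std::numeric_limits` and `JSC::pureNaN()` without this hunk adding includes; confirm `<wtf/StdLibExtras.h>`, `<limits>` and `PureNaN.h` already reach this header, since the PureNaN include was added only to JSDOMConvertNumbers.h. Finally, `testImpureNaN2UnrestrictedDouble` returns a NaN that is non-canonical but does not have the top 15 bits set, so it is not impure in the sense `isImpureNaN` uses; a short comment per getter stating what each pattern exercises (tag-space collision, non-canonical payload, platform quiet NaN, canonical NaN) would make the test's intent clear.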

Modified: trunk/Source/WebCore/testing/TypeConversions.idl (228850 => 228851)


--- trunk/Source/WebCore/testing/TypeConversions.idl	2018-02-21 00:35:11 UTC (rev 228850)
+++ trunk/Source/WebCore/testing/TypeConversions.idl	2018-02-21 00:51:06 UTC (rev 228851)
@@ -56,6 +56,11 @@
     attribute [EnforceRange] unsigned long long testEnforceRangeUnsignedLongLong;
     attribute [Clamp] unsigned long long testClampUnsignedLongLong;
 
+    readonly attribute unrestricted double testImpureNaNUnrestrictedDouble;
+    readonly attribute unrestricted double testImpureNaN2UnrestrictedDouble;
+    readonly attribute unrestricted double testQuietNaNUnrestrictedDouble;
+    readonly attribute unrestricted double testPureNaNUnrestrictedDouble;
+
     attribute DOMString testString;
     attribute ByteString testByteString;
     attribute USVString testUSVString;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
