Title: [228873] branches/safari-605-branch

Diff

Modified: branches/safari-605-branch/LayoutTests/ChangeLog (228872 => 228873)


--- branches/safari-605-branch/LayoutTests/ChangeLog	2018-02-21 16:18:50 UTC (rev 228872)
+++ branches/safari-605-branch/LayoutTests/ChangeLog	2018-02-21 16:35:21 UTC (rev 228873)
@@ -1,5 +1,22 @@
 2018-02-21  Jason Marcell  <[email protected]>
 
+        Cherry-pick r228851. rdar://problem/37734494
+
+    2018-02-20  Chris Dumez  <[email protected]>
+
+            Crash under JSC::JSCell::toNumber(JSC::ExecState*)
+            https://bugs.webkit.org/show_bug.cgi?id=182984
+            <rdar://problem/37694346>
+
+            Reviewed by Mark Lam.
+
+            Add layout test coverage.
+
+            * js/dom/webidl-type-mapping-expected.txt:
+            * js/dom/webidl-type-mapping.html:
+
+2018-02-21  Jason Marcell  <[email protected]>
+
         Cherry-pick r228857. rdar://problem/37734496
 
     2018-02-20  Nan Wang  <[email protected]>

Modified: branches/safari-605-branch/LayoutTests/js/dom/webidl-type-mapping-expected.txt (228872 => 228873)


--- branches/safari-605-branch/LayoutTests/js/dom/webidl-type-mapping-expected.txt	2018-02-21 16:18:50 UTC (rev 228872)
+++ branches/safari-605-branch/LayoutTests/js/dom/webidl-type-mapping-expected.txt	2018-02-21 16:35:21 UTC (rev 228873)
@@ -1211,6 +1211,10 @@
 PASS converter.setTestSequenceRecord({ 'Ā': ['value'] }) threw exception TypeError: Type error.
 converter.setTestSequenceRecord({ 'ÿ': ['value'] })
 PASS converter.testSequenceRecord()['ÿ'] is ['value']
+PASS converter.testImpureNaNUnrestrictedDouble is NaN
+PASS converter.testImpureNaN2UnrestrictedDouble is NaN
+PASS converter.testQuietNaNUnrestrictedDouble is NaN
+PASS converter.testPureNaNUnrestrictedDouble is NaN
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: branches/safari-605-branch/LayoutTests/js/dom/webidl-type-mapping.html (228872 => 228873)


--- branches/safari-605-branch/LayoutTests/js/dom/webidl-type-mapping.html	2018-02-21 16:18:50 UTC (rev 228872)
+++ branches/safari-605-branch/LayoutTests/js/dom/webidl-type-mapping.html	2018-02-21 16:35:21 UTC (rev 228873)
@@ -739,5 +739,10 @@
 evalAndLog("converter.setTestSequenceRecord({ '\u00FF': ['value'] })");
 shouldBe("converter.testSequenceRecord()['\u00FF']", "['value']");
 
+shouldBe("converter.testImpureNaNUnrestrictedDouble", "NaN");
+shouldBe("converter.testImpureNaN2UnrestrictedDouble", "NaN");
+shouldBe("converter.testQuietNaNUnrestrictedDouble", "NaN");
+shouldBe("converter.testPureNaNUnrestrictedDouble", "NaN");
+
 </script>
 <script src=""

Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (228872 => 228873)


--- branches/safari-605-branch/Source/WebCore/ChangeLog	2018-02-21 16:18:50 UTC (rev 228872)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog	2018-02-21 16:35:21 UTC (rev 228873)
@@ -1,5 +1,33 @@
 2018-02-21  Jason Marcell  <[email protected]>
 
+        Cherry-pick r228851. rdar://problem/37734494
+
+    2018-02-20  Chris Dumez  <[email protected]>
+
+            Crash under JSC::JSCell::toNumber(JSC::ExecState*)
+            https://bugs.webkit.org/show_bug.cgi?id=182984
+            <rdar://problem/37694346>
+
+            Reviewed by Mark Lam.
+
+            The issue was caused by DOMMatrix attributes potentially returning "impure"
+            NaN values. We would call JSC::jsNumber(double) to construct the JSValue
+            but this is only safe for pure NaN values. Make sure we purify the double
+            returned by the implementation for IDL attributes of type 'unrestricted double'
+            before calling JSC::jsNumber(double).
+
+            No new tests, extended existing test.
+
+            * bindings/js/JSDOMConvertNumbers.h:
+            (WebCore::JSConverter<IDLUnrestrictedDouble>::convert):
+            * testing/TypeConversions.h:
+            (WebCore::TypeConversions::testImpureNaNUnrestrictedDouble const):
+            (WebCore::TypeConversions::testImpureNaN2UnrestrictedDouble const):
+            (WebCore::TypeConversions::testQuietNaNUnrestrictedDouble const):
+            * testing/TypeConversions.idl:
+
+2018-02-21  Jason Marcell  <[email protected]>
+
         Cherry-pick r228857. rdar://problem/37734496
 
     2018-02-20  Nan Wang  <[email protected]>

Modified: branches/safari-605-branch/Source/WebCore/bindings/js/JSDOMConvertNumbers.h (228872 => 228873)


--- branches/safari-605-branch/Source/WebCore/bindings/js/JSDOMConvertNumbers.h	2018-02-21 16:18:50 UTC (rev 228872)
+++ branches/safari-605-branch/Source/WebCore/bindings/js/JSDOMConvertNumbers.h	2018-02-21 16:35:21 UTC (rev 228873)
@@ -29,6 +29,7 @@
 #include "JSDOMConvertBase.h"
 #include "JSDOMExceptionHandling.h"
 #include <runtime/JSCJSValueInlines.h>
+#include <_javascript_Core/PureNaN.h>
 
 namespace WebCore {
 
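Review bot: The new include at line 117 reads `<_javascript_Core/PureNaN.h>` as shown on this page, which looks like a mail-archive rewrite of `<JavaScriptCore/PureNaN.h>` rather than the committed text; as spelled here the path would not resolve, so it is worth confirming against the repository. The neighbouring JSC include in the same hunk uses the `<runtime/...>` form, so the new line is also the only framework-style path in this header — presumably intentional, but the branch's include layout is not visible from the hunk.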
@@ -383,13 +384,13 @@
 
     static JSC::JSValue convert(Type value)
     {
-        return JSC::jsNumber(value);
+        return JSC::jsNumber(JSC::purifyNaN(value));
     }
 
     // Add overload for MediaTime.
     static JSC::JSValue convert(MediaTime value)
     {
-        return JSC::jsNumber(value.toDouble());
+        return JSC::jsNumber(JSC::purifyNaN(value.toDouble()));
     }
 };
 
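Review bot: The two `JSC::purifyNaN` calls at lines 126 and 133 carry no comment saying why canonicalisation is required, and the reason is subtle enough that a future "simplification" could reintroduce the crash: per the ChangeLog, `JSC::jsNumber(double)` is only safe for pure NaN values, presumably because a non-canonical NaN bit pattern is not a valid NaN-boxed JSValue, so an implementation that returns an arbitrary NaN must be purified before boxing. Suggest `// jsNumber() is only safe for pure NaN; purify here so an impure NaN from the implementation cannot be mis-boxed.` above the first return. The fix covers only the two overloads shown; if any other converter in this file boxes a double computed by the implementation (an unrestricted float path, if one exists), it should be checked for the same gap. The `JSConverter` struct these overloads belong to begins outside the hunk.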

Modified: branches/safari-605-branch/Source/WebCore/testing/TypeConversions.h (228872 => 228873)


--- branches/safari-605-branch/Source/WebCore/testing/TypeConversions.h	2018-02-21 16:18:50 UTC (rev 228872)
+++ branches/safari-605-branch/Source/WebCore/testing/TypeConversions.h	2018-02-21 16:35:21 UTC (rev 228873)
@@ -142,6 +142,11 @@
     const TestTreatNullAsEmptyStringUnion& testTreatNullAsEmptyStringUnion() const { return m_treatNullAsEmptyStringUnion; }
     void setTestTreatNullAsEmptyStringUnion(const TestTreatNullAsEmptyStringUnion& value) { m_treatNullAsEmptyStringUnion = value; }
 
+    double testImpureNaNUnrestrictedDouble() const { return bitwise_cast<double>(0xffff000000000000ll); }
+    double testImpureNaN2UnrestrictedDouble() const { return bitwise_cast<double>(0x7ff8000000000001ll); }
+    double testQuietNaNUnrestrictedDouble() const { return std::numeric_limits<double>::quiet_NaN(); }
+    double testPureNaNUnrestrictedDouble() const { return JSC::pureNaN(); }
+
 private:
     TypeConversions() = default;
 
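Review bot: The two `bitwise_cast<double>` literals at lines 147-148 end up with different integer types: `0xffff000000000000ll` does not fit a signed `long long`, so it silently becomes `unsigned long long`, while `0x7ff8000000000001ll` stays `long long`. Both are 8 bytes, so the cast remains well-formed, but using the same suffix on both removes the ambiguity and the compiler warning some toolchains emit for the first: `return bitwise_cast<double>(0xffff000000000000ull);` and `return bitwise_cast<double>(0x7ff8000000000001ull);`. `testPureNaNUnrestrictedDouble` relies on `JSC::pureNaN()`, whose header is not among the lines visible in this hunk, so confirm it is already included by this file. The enclosing class begins and ends outside the hunk.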

Modified: branches/safari-605-branch/Source/WebCore/testing/TypeConversions.idl (228872 => 228873)


--- branches/safari-605-branch/Source/WebCore/testing/TypeConversions.idl	2018-02-21 16:18:50 UTC (rev 228872)
+++ branches/safari-605-branch/Source/WebCore/testing/TypeConversions.idl	2018-02-21 16:35:21 UTC (rev 228873)
@@ -56,6 +56,11 @@
     attribute [EnforceRange] unsigned long long testEnforceRangeUnsignedLongLong;
     attribute [Clamp] unsigned long long testClampUnsignedLongLong;
 
+    readonly attribute unrestricted double testImpureNaNUnrestrictedDouble;
+    readonly attribute unrestricted double testImpureNaN2UnrestrictedDouble;
+    readonly attribute unrestricted double testQuietNaNUnrestrictedDouble;
+    readonly attribute unrestricted double testPureNaNUnrestrictedDouble;
+
     attribute DOMString testString;
     attribute ByteString testByteString;
     attribute USVString testUSVString;