Title: [229000] releases/WebKitGTK/webkit-2.20
- Revision
- 229000
- Author
- [email protected]
- Date
- 2018-02-26 02:45:49 -0800 (Mon, 26 Feb 2018)
Log Message
Merge r228851 - Crash under JSC::JSCell::toNumber(JSC::ExecState*)
https://bugs.webkit.org/show_bug.cgi?id=182984
<rdar://problem/37694346>
Reviewed by Mark Lam.
Source/WebCore:
The issue was caused by DOMMatrix attributes potentially returning "impure"
NaN values. We would call JSC::jsNumber(double) to construct the JSValue
but this is only safe for pure NaN values. Make sure we purify the double
returned by the implementation for IDL attributes of type 'unrestricted double'
before calling JSC::jsNumber(double).
No new tests, extended existing test.
* bindings/js/JSDOMConvertNumbers.h:
(WebCore::JSConverter<IDLUnrestrictedDouble>::convert):
* testing/TypeConversions.h:
(WebCore::TypeConversions::testImpureNaNUnrestrictedDouble const):
(WebCore::TypeConversions::testImpureNaN2UnrestrictedDouble const):
(WebCore::TypeConversions::testQuietNaNUnrestrictedDouble const):
* testing/TypeConversions.idl:
LayoutTests:
Add layout test coverage.
* js/dom/webidl-type-mapping-expected.txt:
* js/dom/webidl-type-mapping.html:
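The hazard the log message describes, as an added illustration written for this page and not code from WebKit or this commit: a toy NaN-boxing value representation (cell pointers keep their top 15 bits clear, doubles are stored as their IEEE bits plus 2^49; these constants are assumptions for the illustration, not claimed to be JavaScriptCore's) in which the two impure NaN bit patterns the patch's `TypeConversions` accessors return are boxed with and without canonicalization. `purifyNaN`, `boxDouble` and `isCell` below are this example's own functions, not `JSC::purifyNaN` or `JSC::JSValue`.

```cpp
// Added example (not WebKit code): why a NaN-boxing runtime must canonicalize
// ("purify") NaN before boxing a double. The boxing scheme and its constants are a
// toy chosen for illustration; they are not claimed to be JavaScriptCore's.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

// The one NaN pattern this toy treats as "pure": the canonical quiet NaN (assumption).
constexpr uint64_t kPureNaNBits = 0x7ff8000000000000ull;

// Toy layout (assumption): a cell pointer fits in 49 bits, so its top 15 bits are
// clear; a double is stored as its IEEE bits plus 2^49, which keeps every double
// whose top 15 bits are not all set out of the pointer range.
constexpr uint64_t kDoubleEncodeOffset = 1ull << 49;

inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

inline double pureNaN() { return doubleOf(kPureNaNBits); }
inline bool isPureNaN(double d) { return bitsOf(d) == kPureNaNBits; }
inline bool isImpureNaN(double d) { return std::isnan(d) && !isPureNaN(d); }

// Collapse every NaN encoding (any sign bit, any payload) onto the canonical one;
// non-NaN values, including -0.0 and the infinities, pass through bit-for-bit.
inline double purifyNaN(double d) { return std::isnan(d) ? pureNaN() : d; }

// Unchecked boxing: trusts the caller to supply a non-NaN double or the pure NaN.
inline uint64_t boxDoubleUnchecked(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

// Checked boxing: the shape of the patch's jsNumber(purifyNaN(value)).
inline uint64_t boxDouble(double d) { return boxDoubleUnchecked(purifyNaN(d)); }

inline double unboxDouble(uint64_t w) { return doubleOf(w - kDoubleEncodeOffset); }

// A boxed word decodes as a cell pointer whenever its top 15 bits are clear.
inline bool isCell(uint64_t w) { return (w >> 49) == 0; }

// The hazard: a NaN whose top 15 bits are all set wraps past 2^64 when the offset
// is added, so the boxed word decodes as a (bogus) cell pointer; any consumer that
// then treats it as a cell dereferences garbage, which is the crash class fixed here.
inline bool impureNaNAliasesCellPointer(uint64_t nanBits) {
    double d = doubleOf(nanBits);
    return std::isnan(d) && isCell(boxDoubleUnchecked(d));
}

int main() {
    // Constructed sample patterns; the first two are the ones TypeConversions.h returns.
    const uint64_t samples[] = {
        0xffff000000000000ull,  // impure NaN: sign bit set, top mantissa bits set
        0x7ff8000000000001ull,  // impure NaN: canonical NaN with a payload bit set
        bitsOf(std::numeric_limits<double>::quiet_NaN()),
        kPureNaNBits,
    };
    for (uint64_t bits : samples) {
        double d = doubleOf(bits);
        std::printf("%016llx impure=%d unchecked-box-is-cell=%d purified-box-is-cell=%d\n",
                    (unsigned long long)bits, (int)isImpureNaN(d),
                    (int)isCell(boxDoubleUnchecked(d)), (int)isCell(boxDouble(d)));
    }
    return 0;
}
```

Build with any C++11 compiler (`c++ -std=c++11 nanbox.cpp`). The point of the walk-through is that only the first sample wraps into the pointer range when boxed unchecked, and that routing every implementation-supplied double through `purifyNaN` first removes that case without changing any non-NaN value.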
Diff
Modified: releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog (228999 => 229000)
--- releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog 2018-02-26 10:45:40 UTC (rev 228999)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog 2018-02-26 10:45:49 UTC (rev 229000)
@@ -1,3 +1,16 @@
+2018-02-20 Chris Dumez <[email protected]>
+
+ Crash under JSC::JSCell::toNumber(JSC::ExecState*)
+ https://bugs.webkit.org/show_bug.cgi?id=182984
+ <rdar://problem/37694346>
+
+ Reviewed by Mark Lam.
+
+ Add layout test coverage.
+
+ * js/dom/webidl-type-mapping-expected.txt:
+ * js/dom/webidl-type-mapping.html:
+
2018-02-20 John Wilander <[email protected]>
Make WebResourceLoadStatisticsStore::processStatisticsAndDataRecords() call WebProcessProxy::notifyPageStatisticsAndDataRecordsProcessed() in a proper callback
Modified: releases/WebKitGTK/webkit-2.20/LayoutTests/js/dom/webidl-type-mapping-expected.txt (228999 => 229000)
--- releases/WebKitGTK/webkit-2.20/LayoutTests/js/dom/webidl-type-mapping-expected.txt 2018-02-26 10:45:40 UTC (rev 228999)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/js/dom/webidl-type-mapping-expected.txt 2018-02-26 10:45:49 UTC (rev 229000)
@@ -1211,6 +1211,10 @@
PASS converter.setTestSequenceRecord({ 'Ä': ['value'] }) threw exception TypeError: Type error.
converter.setTestSequenceRecord({ 'ÿ': ['value'] })
PASS converter.testSequenceRecord()['ÿ'] is ['value']
+PASS converter.testImpureNaNUnrestrictedDouble is NaN
+PASS converter.testImpureNaN2UnrestrictedDouble is NaN
+PASS converter.testQuietNaNUnrestrictedDouble is NaN
+PASS converter.testPureNaNUnrestrictedDouble is NaN
PASS successfullyParsed is true
TEST COMPLETE
Modified: releases/WebKitGTK/webkit-2.20/LayoutTests/js/dom/webidl-type-mapping.html (228999 => 229000)
--- releases/WebKitGTK/webkit-2.20/LayoutTests/js/dom/webidl-type-mapping.html 2018-02-26 10:45:40 UTC (rev 228999)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/js/dom/webidl-type-mapping.html 2018-02-26 10:45:49 UTC (rev 229000)
@@ -739,5 +739,10 @@
evalAndLog("converter.setTestSequenceRecord({ '\u00FF': ['value'] })");
shouldBe("converter.testSequenceRecord()['\u00FF']", "['value']");
+shouldBe("converter.testImpureNaNUnrestrictedDouble", "NaN");
+shouldBe("converter.testImpureNaN2UnrestrictedDouble", "NaN");
+shouldBe("converter.testQuietNaNUnrestrictedDouble", "NaN");
+shouldBe("converter.testPureNaNUnrestrictedDouble", "NaN");
+
</script>
<script src=""
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog (228999 => 229000)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog 2018-02-26 10:45:40 UTC (rev 228999)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog 2018-02-26 10:45:49 UTC (rev 229000)
@@ -1,3 +1,27 @@
+2018-02-20 Chris Dumez <[email protected]>
+
+ Crash under JSC::JSCell::toNumber(JSC::ExecState*)
+ https://bugs.webkit.org/show_bug.cgi?id=182984
+ <rdar://problem/37694346>
+
+ Reviewed by Mark Lam.
+
+ The issue was caused by DOMMatrix attributes potentially returning "impure"
+ NaN values. We would call JSC::jsNumber(double) to construct the JSValue
+ but this is only safe for pure NaN values. Make sure we purify the double
+ returned by the implementation for IDL attributes of type 'unrestricted double'
+ before calling JSC::jsNumber(double).
+
+ No new tests, extended existing test.
+
+ * bindings/js/JSDOMConvertNumbers.h:
+ (WebCore::JSConverter<IDLUnrestrictedDouble>::convert):
+ * testing/TypeConversions.h:
+ (WebCore::TypeConversions::testImpureNaNUnrestrictedDouble const):
+ (WebCore::TypeConversions::testImpureNaN2UnrestrictedDouble const):
+ (WebCore::TypeConversions::testQuietNaNUnrestrictedDouble const):
+ * testing/TypeConversions.idl:
+
2018-02-19 Dean Jackson <[email protected]>
Handle all writing-modes in downcast
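Review bot: the function list in this ChangeLog entry omits `(WebCore::TypeConversions::testPureNaNUnrestrictedDouble const)`, which the TypeConversions.h hunk adds next to the three accessors listed here and which the TypeConversions.idl hunk exposes as `testPureNaNUnrestrictedDouble`; add the line so the entry matches the change. The "No new tests, extended existing test." sentence is consistent with the webidl-type-mapping.html additions.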
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/bindings/js/JSDOMConvertNumbers.h (228999 => 229000)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/bindings/js/JSDOMConvertNumbers.h 2018-02-26 10:45:40 UTC (rev 228999)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/bindings/js/JSDOMConvertNumbers.h 2018-02-26 10:45:49 UTC (rev 229000)
@@ -29,6 +29,7 @@
#include "JSDOMConvertBase.h"
#include "JSDOMExceptionHandling.h"
#include <_javascript_Core/JSCJSValueInlines.h>
+#include <_javascript_Core/PureNaN.h>
namespace WebCore {
@@ -383,13 +384,13 @@
static JSC::JSValue convert(Type value)
{
- return JSC::jsNumber(value);
+ return JSC::jsNumber(JSC::purifyNaN(value));
}
// Add overload for MediaTime.
static JSC::JSValue convert(MediaTime value)
{
- return JSC::jsNumber(value.toDouble());
+ return JSC::jsNumber(JSC::purifyNaN(value.toDouble()));
}
};
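Review bot: the binding boundary is the right place for this fix, since `JSC::jsNumber(double)` cannot tell a pure NaN from one an implementation produced by bit manipulation, and wrapping both the `Type` overload and the `MediaTime` overload keeps the two paths consistent. The hunk touches only the converter at this position, though; please confirm that no other converter in this header forwards a raw implementation-supplied double to `jsNumber` without the same `JSC::purifyNaN` call (a `float` widened to `double` may also carry a non-canonical NaN payload), so that the class of bug is closed for every `unrestricted` numeric type rather than for `IDLUnrestrictedDouble` alone.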
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/testing/TypeConversions.h (228999 => 229000)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/testing/TypeConversions.h 2018-02-26 10:45:40 UTC (rev 228999)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/testing/TypeConversions.h 2018-02-26 10:45:49 UTC (rev 229000)
@@ -142,6 +142,11 @@
const TestTreatNullAsEmptyStringUnion& testTreatNullAsEmptyStringUnion() const { return m_treatNullAsEmptyStringUnion; }
void setTestTreatNullAsEmptyStringUnion(const TestTreatNullAsEmptyStringUnion& value) { m_treatNullAsEmptyStringUnion = value; }
+ double testImpureNaNUnrestrictedDouble() const { return bitwise_cast<double>(0xffff000000000000ll); }
+ double testImpureNaN2UnrestrictedDouble() const { return bitwise_cast<double>(0x7ff8000000000001ll); }
+ double testQuietNaNUnrestrictedDouble() const { return std::numeric_limits<double>::quiet_NaN(); }
+ double testPureNaNUnrestrictedDouble() const { return JSC::pureNaN(); }
+
private:
TypeConversions() = default;
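Review bot: this hunk introduces uses of `bitwise_cast`, `std::numeric_limits<double>` and `JSC::pureNaN()` but shows no matching `#include` for this header (`<wtf/StdLibExtras.h>`, `<limits>` and `<JavaScriptCore/PureNaN.h>`, the latter being the header the JSDOMConvertNumbers.h hunk adds); if they only arrive transitively today, add them explicitly so the header stays self-sufficient. Style nit on the two literals: `0xffff000000000000ll` exceeds `LLONG_MAX` and is therefore typed `unsigned long long` despite the `ll` suffix, while `0x7ff8000000000001ll` stays `long long`; both compile because `bitwise_cast` only requires matching sizes, but `ull` on both would state the intent (raw 64-bit patterns) and avoid the mixed signedness.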
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/testing/TypeConversions.idl (228999 => 229000)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/testing/TypeConversions.idl 2018-02-26 10:45:40 UTC (rev 228999)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/testing/TypeConversions.idl 2018-02-26 10:45:49 UTC (rev 229000)
@@ -56,6 +56,11 @@
attribute [EnforceRange] unsigned long long testEnforceRangeUnsignedLongLong;
attribute [Clamp] unsigned long long testClampUnsignedLongLong;
+ readonly attribute unrestricted double testImpureNaNUnrestrictedDouble;
+ readonly attribute unrestricted double testImpureNaN2UnrestrictedDouble;
+ readonly attribute unrestricted double testQuietNaNUnrestrictedDouble;
+ readonly attribute unrestricted double testPureNaNUnrestrictedDouble;
+
attribute DOMString testString;
attribute ByteString testByteString;
attribute USVString testUSVString;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes