[webkit-changes] [274271] trunk/Source/WebCore

Thu, 11 Mar 2021 01:11:24 -0800

Title: [274271] trunk/Source/WebCore
Revision
274271
Author
[email protected]
Date
2021-03-11 01:10:33 -0800 (Thu, 11 Mar 2021)

Log Message

[ macOS debug arm64 ]fast/dom/Range/compareBoundaryPoints-compareHow-exception.html is a constant text failure
https://bugs.webkit.org/show_bug.cgi?id=223050
<rdar://problem/75284949>

Reviewed by Ryosuke Niwa.

Casting a negative double to an unsigned integer type is undefined behavior.
We need to make sure the double value is positive before casting.

No new tests, covered by existing test.

* bindings/js/JSDOMConvertNumbers.cpp:
(WebCore::toSmallerUInt):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (274270 => 274271)


--- trunk/Source/WebCore/ChangeLog	2021-03-11 09:09:18 UTC (rev 274270)
+++ trunk/Source/WebCore/ChangeLog	2021-03-11 09:10:33 UTC (rev 274271)
@@ -1,3 +1,19 @@
+2021-03-11  Chris Dumez  <[email protected]>
+
+        [ macOS debug arm64 ]fast/dom/Range/compareBoundaryPoints-compareHow-exception.html is a constant text failure
+        https://bugs.webkit.org/show_bug.cgi?id=223050
+        <rdar://problem/75284949>
+
+        Reviewed by Ryosuke Niwa.
+
+        Casting a negative double to an unsigned integer type is undefined behavior.
+        We need to make sure the double value is positive before casting.
+
+        No new tests, covered by existing test.
+
+        * bindings/js/JSDOMConvertNumbers.cpp:
+        (WebCore::toSmallerUInt):
+
 2021-03-11  Sihui Liu  <[email protected]>
 
         Indexed DB transactions outdated immediately after it just created

Modified: trunk/Source/WebCore/bindings/js/JSDOMConvertNumbers.cpp (274270 => 274271)


--- trunk/Source/WebCore/bindings/js/JSDOMConvertNumbers.cpp	2021-03-11 09:09:18 UTC (rev 274270)
+++ trunk/Source/WebCore/bindings/js/JSDOMConvertNumbers.cpp	2021-03-11 09:10:33 UTC (rev 274271)
@@ -184,7 +184,10 @@
         return 0;
 
     x = x < 0 ? -floor(fabs(x)) : floor(fabs(x));
-    return static_cast<T>(fmod(x, LimitsTrait::numberOfValues));
+    x = fmod(x, LimitsTrait::numberOfValues);
+    if (x < 0)
+        x += LimitsTrait::numberOfValues;
+    return static_cast<T>(x);
 }
 
 template<> int8_t convertToIntegerEnforceRange<int8_t>(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value)

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to