Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ce0c3918570d3601eb584ebe6d07ceeb75419bbf
      
https://github.com/WebKit/WebKit/commit/ce0c3918570d3601eb584ebe6d07ceeb75419bbf
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-03-18 (Wed, 18 Mar 2026)

  Changed paths:
    A JSTests/stress/temporal-plaindate-from-reject-month-out-of-range.js
    M Source/JavaScriptCore/runtime/TemporalCalendar.cpp

  Log Message:
  -----------
  [JSC] Fix SIGSEGV in `Temporal.PlainDate.from` with out-of-range month and `overflow: "reject"`
https://bugs.webkit.org/show_bug.cgi?id=309957

Reviewed by Yusuke Suzuki.

Temporal.PlainDate.from({year: 2000, month: 1e300, day: 1}, {overflow: "reject"})
crashes with SIGSEGV. The same applies to PlainDateTime, PlainYearMonth, and
PlainMonthDay since they share isoDateFromFields().

The cause is that ISO8601::daysInMonth(year, month) is called before the month
range check. With "reject", the constrain clamp is skipped, so a double like
1e300 is implicitly converted to the uint8_t parameter (undefined behavior per
[conv.fpint]), and daysInMonths[...][month - 1] reads out of bounds.

Fix by moving the month range check before the daysInMonth() call. Also change
std::min<unsigned> to std::min<double> for the constrain clamps: the old code
relied on double-to-unsigned conversion of out-of-range values, which is also
undefined behavior and only happened to work on ARM64 due to saturation.

Test: JSTests/stress/temporal-plaindate-from-reject-month-out-of-range.js

* JSTests/stress/temporal-plaindate-from-reject-month-out-of-range.js: Added.
(shouldThrow):
(shouldBe):
(shouldThrow.Temporal.PlainMonthDay.from):
* Source/JavaScriptCore/runtime/TemporalCalendar.cpp:
(JSC::TemporalCalendar::isoDateFromFields):

Canonical link: https://commits.webkit.org/309519@main
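
The ordering the log message describes (range-check the month while it is still a double, and only then narrow it and index the days-in-month table), as an added C++ example that is not code from the WebKit commit. `IsoDate`, `Overflow`, `isLeapYear`, `daysInMonth` and `dateFromFields` are hypothetical stand-ins, and rejecting non-finite or below-1 inputs up front is an assumption of this sketch.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>

// Added illustration; all names are hypothetical stand-ins, not JavaScriptCore code.
struct IsoDate { int32_t year; uint8_t month; uint8_t day; };
enum class Overflow { Constrain, Reject };

static bool isLeapYear(int32_t y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

// Narrow-integer table lookup: only safe when the caller guarantees 1 <= month <= 12.
static uint8_t daysInMonth(int32_t year, uint8_t month)
{
    static const uint8_t table[2][12] = {
        { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 },
        { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 },
    };
    return table[isLeapYear(year) ? 1 : 0][month - 1];
}

// Returns false where a caller would throw RangeError. month/day stay doubles
// until they are proven to fit, so no out-of-range double is ever narrowed.
bool dateFromFields(int32_t year, double month, double day, Overflow overflow, IsoDate& out)
{
    // Assumption of this sketch: NaN, infinities and values below 1 are rejected up front.
    if (!std::isfinite(month) || !std::isfinite(day) || month < 1 || day < 1)
        return false;

    if (overflow == Overflow::Constrain)
        month = std::min<double>(month, 12); // clamp in double, not unsigned
    else if (month > 12)
        return false;                        // range check BEFORE daysInMonth()

    uint8_t m = static_cast<uint8_t>(month); // well-defined: value is in [1, 12]
    double maxDay = daysInMonth(year, m);

    if (overflow == Overflow::Constrain)
        day = std::min<double>(day, maxDay);
    else if (day > maxDay)
        return false;

    out = IsoDate { year, m, static_cast<uint8_t>(day) };
    return true;
}
```

Building a harness like this with `-fsanitize=undefined,address` is a quick way to confirm that no float-to-integer conversion or table index goes out of range for extreme inputs such as `1e300`.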


