Title: [164373] trunk
Revision
164373
Author
[email protected]
Date
2014-02-19 10:58:29 -0800 (Wed, 19 Feb 2014)

Log Message

ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) in WTF::dateToDaysFrom1970
https://bugs.webkit.org/show_bug.cgi?id=128740

Source/JavaScriptCore:

Very large numbers could cause an overflow, which resulted in the assertion failing in WTF::dateToDaysFrom1970.
DateConstructor will now check whether the number fits into an Int32 before casting.

Patch by Dániel Bátyai <[email protected]> on 2014-02-19
Reviewed by Geoffrey Garen.

* runtime/DateConstructor.cpp:
(JSC::constructDate):
(JSC::dateUTC):

LayoutTests:

Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970
Added test case which checks for this

Patch by Dániel Bátyai <[email protected]> on 2014-02-19
Reviewed by Geoffrey Garen.

* js/date-constructor-expected.txt:
* js/script-tests/date-constructor.js:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (164372 => 164373)


--- trunk/LayoutTests/ChangeLog	2014-02-19 18:48:35 UTC (rev 164372)
+++ trunk/LayoutTests/ChangeLog	2014-02-19 18:58:29 UTC (rev 164373)
@@ -1,3 +1,16 @@
+2014-02-19  Dániel Bátyai  <[email protected]>
+
+        ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) in WTF::dateToDaysFrom1970
+        https://bugs.webkit.org/show_bug.cgi?id=128740
+
+        Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970
+        Added test case which checks for this
+
+        Reviewed by Geoffrey Garen.
+
+        * js/date-constructor-expected.txt:
+        * js/script-tests/date-constructor.js:
+
 2014-02-19  Thiago de Barros Lacerda  <[email protected]>
 
         [WebRTC] Updating RTCConfiguration to match WebRTC editor's draft of 01/27/2014

Modified: trunk/LayoutTests/js/date-constructor-expected.txt (164372 => 164373)


--- trunk/LayoutTests/js/date-constructor-expected.txt	2014-02-19 18:48:35 UTC (rev 164372)
+++ trunk/LayoutTests/js/date-constructor-expected.txt	2014-02-19 18:58:29 UTC (rev 164373)
@@ -32,6 +32,7 @@
 PASS Number(new Date(new Date(1, 1, 1, 1, 1, Infinity, 1, 1, 1)).getTime() - timeZoneOffset) is Number.NaN
 PASS Number(new Date(new Date(1, 1, 1, 1, 1, 1, Infinity, 1, 1)).getTime() - timeZoneOffset) is Number.NaN
 PASS Number(new Date(new Date(1, 1, 1, 1, 1, 1, 1, 1, Infinity)).getTime() - timeZoneOffset) is -2174770738999
+PASS new Date(6501480442020679337816440, 81696082856817131586190070, 1, 1, 1, 1, 1).getTime() is Number.NaN
 PASS testStr is "1234567"
 PASS testStr is "1234567"
 PASS successfullyParsed is true

Modified: trunk/LayoutTests/js/script-tests/date-constructor.js (164372 => 164373)


--- trunk/LayoutTests/js/script-tests/date-constructor.js	2014-02-19 18:48:35 UTC (rev 164372)
+++ trunk/LayoutTests/js/script-tests/date-constructor.js	2014-02-19 18:58:29 UTC (rev 164373)
@@ -44,6 +44,8 @@
 shouldBe("Number(new Date(new Date(1, 1, 1, 1, 1, 1, Infinity, 1, 1)).getTime() - timeZoneOffset)", 'Number.NaN');
 shouldBe("Number(new Date(new Date(1, 1, 1, 1, 1, 1, 1, 1, Infinity)).getTime() - timeZoneOffset)", '-2174770738999');
 
+shouldBe('new Date(6501480442020679337816440, 81696082856817131586190070, 1, 1, 1, 1, 1).getTime()', 'Number.NaN');
+
 // In Firefox, the results of the following tests are timezone-dependent, which likely implies that the implementation is not quite correct.
 // Our results are even worse, though, as the dates are clipped: (new Date(1111, 1201).getTime()) == (new Date(1111, 601).getTime())
 // shouldBe('new Date(1111, 1111, 1111, 1111, 1111, 1111, 1111, 1111).getTime() - timeZoneOffset', '-24085894227889');
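Review bot: The added case covers only the `new Date(...)` path with two oversized positive arguments, while the same commit also changes the range check in `Date.UTC`, which gets no test here. A matching line such as `shouldBe('Date.UTC(6501480442020679337816440, 81696082856817131586190070, 1, 1, 1, 1, 1)', 'Number.NaN');` would pin that path too. A large negative argument and values at and just past the int limits would exercise both sides of the new comparison; as written, a regression in the `< INT_MIN` half would go unnoticed.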

Modified: trunk/Source/_javascript_Core/ChangeLog (164372 => 164373)


--- trunk/Source/_javascript_Core/ChangeLog	2014-02-19 18:48:35 UTC (rev 164372)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-02-19 18:58:29 UTC (rev 164373)
@@ -1,3 +1,17 @@
+2014-02-19  Dániel Bátyai  <[email protected]>
+
+        ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) in WTF::dateToDaysFrom1970
+        https://bugs.webkit.org/show_bug.cgi?id=128740
+
+        Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970
+        DateConstructor will now check if the number fits into an Int32 before casting
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/DateConstructor.cpp:
+        (JSC::constructDate):
+        (JSC::dateUTC):
+
 2014-02-19  Mark Hahnenberg  <[email protected]>
 
         Dedicated worker crash caused by global DFG worklists + GC

Modified: trunk/Source/_javascript_Core/runtime/DateConstructor.cpp (164372 => 164373)


--- trunk/Source/_javascript_Core/runtime/DateConstructor.cpp	2014-02-19 18:48:35 UTC (rev 164372)
+++ trunk/Source/_javascript_Core/runtime/DateConstructor.cpp	2014-02-19 18:58:29 UTC (rev 164373)
@@ -148,13 +148,13 @@
             args.at(5).toNumber(exec), 
             args.at(6).toNumber(exec)
         };
-        if (!std::isfinite(doubleArguments[0])
-            || !std::isfinite(doubleArguments[1])
-            || (numArgs >= 3 && !std::isfinite(doubleArguments[2]))
-            || (numArgs >= 4 && !std::isfinite(doubleArguments[3]))
-            || (numArgs >= 5 && !std::isfinite(doubleArguments[4]))
-            || (numArgs >= 6 && !std::isfinite(doubleArguments[5]))
-            || (numArgs >= 7 && !std::isfinite(doubleArguments[6])))
+        if ((!std::isfinite(doubleArguments[0]) || (doubleArguments[0] > INT_MAX) || (doubleArguments[0] < INT_MIN))
+            || (!std::isfinite(doubleArguments[1]) || (doubleArguments[1] > INT_MAX) || (doubleArguments[1] < INT_MIN))
+            || (numArgs >= 3 && (!std::isfinite(doubleArguments[2]) || (doubleArguments[2] > INT_MAX) || (doubleArguments[2] < INT_MIN)))
+            || (numArgs >= 4 && (!std::isfinite(doubleArguments[3]) || (doubleArguments[3] > INT_MAX) || (doubleArguments[3] < INT_MIN)))
+            || (numArgs >= 5 && (!std::isfinite(doubleArguments[4]) || (doubleArguments[4] > INT_MAX) || (doubleArguments[4] < INT_MIN)))
+            || (numArgs >= 6 && (!std::isfinite(doubleArguments[5]) || (doubleArguments[5] > INT_MAX) || (doubleArguments[5] < INT_MIN)))
+            || (numArgs >= 7 && (!std::isfinite(doubleArguments[6]) || (doubleArguments[6] > INT_MAX) || (doubleArguments[6] < INT_MIN))))
             value = QNaN;
         else {
             GregorianDateTime t;
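Review bot: The new bounds only make each double-to-int conversion well defined; they do not bound the calendar arithmetic that follows, so a year or month close to INT_MAX may still overflow once the fields are combined. That is inferred, since the conversion and the call into WTF::dateToDaysFrom1970 sit outside this hunk; a domain-based limit on year and month, or doing that arithmetic in double or 64-bit, would close it. The same three-part predicate is also written seven times here and seven more in the dateUTC hunk below, once with `!std::isfinite` and once with `std::isnan`. A file-local helper such as `static inline bool fitsInInt(double d) { return std::isfinite(d) && d >= INT_MIN && d <= INT_MAX; }` would state the rule once and remove that difference, which has no effect on the result because infinities already fail the range test. Both enclosing functions start and end outside their hunks.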
@@ -227,13 +227,13 @@
         exec->argument(6).toNumber(exec)
     };
     int n = exec->argumentCount();
-    if (std::isnan(doubleArguments[0])
-        || std::isnan(doubleArguments[1])
-        || (n >= 3 && std::isnan(doubleArguments[2]))
-        || (n >= 4 && std::isnan(doubleArguments[3]))
-        || (n >= 5 && std::isnan(doubleArguments[4]))
-        || (n >= 6 && std::isnan(doubleArguments[5]))
-        || (n >= 7 && std::isnan(doubleArguments[6])))
+    if ((std::isnan(doubleArguments[0]) || (doubleArguments[0] > INT_MAX) || (doubleArguments[0] < INT_MIN))
+        || (std::isnan(doubleArguments[1]) || (doubleArguments[1] > INT_MAX) || (doubleArguments[1] < INT_MIN))
+        || (n >= 3 && (std::isnan(doubleArguments[2]) || (doubleArguments[2] > INT_MAX) || (doubleArguments[2] < INT_MIN)))
+        || (n >= 4 && (std::isnan(doubleArguments[3]) || (doubleArguments[3] > INT_MAX) || (doubleArguments[3] < INT_MIN)))
+        || (n >= 5 && (std::isnan(doubleArguments[4]) || (doubleArguments[4] > INT_MAX) || (doubleArguments[4] < INT_MIN)))
+        || (n >= 6 && (std::isnan(doubleArguments[5]) || (doubleArguments[5] > INT_MAX) || (doubleArguments[5] < INT_MIN)))
+        || (n >= 7 && (std::isnan(doubleArguments[6]) || (doubleArguments[6] > INT_MAX) || (doubleArguments[6] < INT_MIN))))
         return JSValue::encode(jsNaN());
 
     GregorianDateTime t;