Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3825a1a93bbf70dba2406c75919f5d5049a18607
https://github.com/WebKit/WebKit/commit/3825a1a93bbf70dba2406c75919f5d5049a18607
Author: Sosuke Suzuki <[email protected]>
Date: 2026-06-02 (Tue, 02 Jun 2026)
Changed paths:
A JSTests/stress/get-by-val-double-subscript-out-of-uint32-range.js
A JSTests/stress/jsonp-large-array-index.js
A JSTests/stress/number-tostring-methods-out-of-range-arguments.js
A JSTests/stress/parseint-large-result-int32-boxing.js
A JSTests/stress/string-from-code-point-out-of-range.js
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
M Source/JavaScriptCore/runtime/JSCJSValue.h
M Source/JavaScriptCore/runtime/LiteralParser.cpp
M Source/JavaScriptCore/runtime/NumberPrototype.cpp
M Source/JavaScriptCore/runtime/StringConstructor.cpp
Log Message:
-----------
[JSC] Fix undefined behavior in double-to-int conversions
https://bugs.webkit.org/show_bug.cgi?id=316051
Reviewed by Yusuke Suzuki.
Several call sites convert unbounded, caller-controlled doubles to narrow
integer types with a plain cast, which is undefined behavior when the
truncated value is not representable ([conv.fpint]). With inputs reachable
from JS (e.g. parseInt("80000000", 16), (1.5).toExponential(Infinity),
String.fromCodePoint(-1), o[2 ** 32]), every conversion fixed here trips
UBSan's float-cast-overflow check.
This is not purely theoretical: in Bun, this UB caused user-observable
bugs, e.g. parseInt("80000000", 16) returning a negative int32.
Make the conversions defined via truncateDoubleToInt32() /
truncateDoubleToUint32() / clampTo<unsigned>(), or by range-checking the
double before narrowing. No behavior change on current WebKit toolchains.
Tests: JSTests/stress/get-by-val-double-subscript-out-of-uint32-range.js
JSTests/stress/jsonp-large-array-index.js
JSTests/stress/number-tostring-methods-out-of-range-arguments.js
JSTests/stress/parseint-large-result-int32-boxing.js
JSTests/stress/string-from-code-point-out-of-range.js
* JSTests/stress/get-by-val-double-subscript-out-of-uint32-range.js: Added.
(shouldBe):
(get put):
* JSTests/stress/jsonp-large-array-index.js: Added.
(shouldBe):
* JSTests/stress/number-tostring-methods-out-of-range-arguments.js: Added.
(shouldBe):
* JSTests/stress/parseint-large-result-int32-boxing.js: Added.
(shouldBe):
(parseIntNoRadix):
* JSTests/stress/string-from-code-point-out-of-range.js: Added.
(shouldBe):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::parseIntResult):
* Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetEntries):
(Inspector::JSInjectedScriptHost::iteratorEntries):
* Source/JavaScriptCore/runtime/JSCJSValue.h:
(JSC::JSValue::getUInt32 const):
* Source/JavaScriptCore/runtime/LiteralParser.cpp:
(JSC::requires):
* Source/JavaScriptCore/runtime/NumberPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/StringConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
Canonical link: https://commits.webkit.org/314356@main
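As an added C++ illustration, not JavaScriptCore source: defined replacements for the plain double-to-int casts the commit message describes. The function names echo those named in the message (truncateDoubleToInt32, truncateDoubleToUint32, clampTo), but the bodies, the NaN policy for clampTo, the asExactInt32 boxing check and the toCodePoint range check are assumptions written for this example, chosen so that no cast ever sees a value outside its target type's range. The inputs exercised are the ones the message lists (2147483648.0 from parseInt("80000000", 16), 2 ** 32 as a subscript, -1 as a code point, Infinity as an argument).

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <optional>

// Added illustration, not JavaScriptCore code. Names echo the commit
// message; semantics are assumptions (ECMAScript ToInt32/ToUint32 modular
// truncation, saturation for clampTo, exactness checks before narrowing).

// ECMAScript ToUint32: truncate toward zero, reduce modulo 2^32.
// NaN and +/-Infinity become 0 instead of reaching an undefined cast.
uint32_t truncateDoubleToUint32(double d) {
    if (!std::isfinite(d))
        return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0); // exact for any double
    if (m < 0)
        m += 4294967296.0;                              // fmod keeps the dividend's sign
    return static_cast<uint32_t>(m);                    // m in [0, 2^32): defined
}

// ECMAScript ToInt32: same residue, reinterpreted as two's complement.
// Done arithmetically so it is defined even before C++20.
int32_t truncateDoubleToInt32(double d) {
    uint32_t u = truncateDoubleToUint32(d);
    if (u >= 0x80000000u)
        return static_cast<int32_t>(u - 0x80000000u) - 0x7fffffff - 1;
    return static_cast<int32_t>(u);
}

// Saturating conversion: out-of-range doubles pin to T's limits.
// NaN maps to 0 (assumed policy for this example).
template<typename T>
T clampTo(double d) {
    if (std::isnan(d))
        return 0;
    constexpr double lo = static_cast<double>(std::numeric_limits<T>::min());
    constexpr double hi = static_cast<double>(std::numeric_limits<T>::max());
    if (d <= lo)
        return std::numeric_limits<T>::min();
    if (d >= hi)
        return std::numeric_limits<T>::max();
    return static_cast<T>(d);                           // in range: defined
}

// The parseInt boxing check: a result may be stored as an int32 only if
// the double is exactly that int32 (in range, no fraction, not -0).
// 2147483648.0, i.e. parseInt("80000000", 16), must stay a double.
std::optional<int32_t> asExactInt32(double d) {
    if (!(d >= -2147483648.0 && d <= 2147483647.0))     // also rejects NaN
        return std::nullopt;
    int32_t i = static_cast<int32_t>(d);                // in range: defined
    if (static_cast<double>(i) != d)
        return std::nullopt;                            // fractional part
    if (i == 0 && std::signbit(d))
        return std::nullopt;                            // -0 is not an int32
    return i;
}

// Range-check before narrowing, as for String.fromCodePoint: anything that
// is not an integer in [0, 0x10FFFF] is a RangeError (nullopt here), so
// -1 or Infinity never reach the cast.
std::optional<char32_t> toCodePoint(double d) {
    if (!(d >= 0 && d <= 0x10FFFF) || d != std::trunc(d))
        return std::nullopt;
    return static_cast<char32_t>(d);
}
```

The three helpers correspond to the three strategies the message names: modular truncation where the spec asks for ToInt32/ToUint32 (array subscripts, getUInt32), saturation where an argument is only used as a size or count, and an explicit range check where the spec requires a RangeError or where the narrowed value must round-trip exactly (the parseInt int32 boxing). Compiling with -fsanitize=float-cast-overflow is the quickest way to confirm none of these paths still performs an out-of-range cast.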