Closed Bug 1530296 Opened 6 years ago Closed 6 years ago

Fix undefined behavior in WebIDL cast

Categories

(Core :: JavaScript Engine, enhancement)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox67 --- fixed

People

(Reporter: wingo, Assigned: Waldo)

Details

Attachments

(1 file)

Be more careful about converting int32_t to DataView element type
2.79 KB, patch
froydnj
: review+
Details | Diff | Splinter Review

This cast would seem to have undefined behavior, which we should fix:

https://searchfox.org/mozilla-central/source/js/src/builtin/DataViewObject.cpp#414-418

On second look, I don't think this comment is really right. Casting out-of-range value to signed isn't UB, it's *implementation-defined*, which isn't necessarily unsafe. But it's easy enough to make this all be wholly-defined operations -- cast to unsigned type is defined as modulus, WrapToSigned was written carefully to avoid any UB itself -- so we should just do that.
Attachment #9046451 - Flags: review?(nfroyd)
Assignee: nobody → jwalden
Status: NEW → ASSIGNED
Attachment #9046451 - Flags: review?(nfroyd) → review+
Pushed by jwalden@mit.edu: https://hg.mozilla.org/integration/mozilla-inbound/rev/5ea654f841a4 Be more careful about converting int32_t to DataView element type. r=froydnj

https://hg.mozilla.org/mozilla-central/rev/5ea654f841a4

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: