write jsapi-test for math libraries and canonical nan

Status: NEW
Assignee: Unassigned
Product: Core
Component: JavaScript Engine
Reported: 8 years ago
Last updated: 4 years ago
Reporter: luke
Keywords: sec-other
Version: Trunk
Firefox Tracking Flags: Not tracked
Whiteboard: [sg:nse]

(Reporter)

Description

8 years ago
One potential hole in the non-canonical NaN shield is the math functions.  By and large, platforms seem to only produce the canonical NaN.  Apparently, though, some don't.  For example, bug 584653 shows that, on OS X 10.5 x64 builds, asin(4) returns a non-canonical NaN (really Apple?).  Bug 584168 shows that canonicalizing all math functions across the board costs 1-2% on SS and V8, so I'd like to do it conditionally by platform with some #define like JS_MATH_NEEDS_CANONICALIZATION.  Then, for platforms where we don't canonicalize, we should have a jsapi-test that pumps a bunch of numbers through all the math functions to verify no non-canonical NaNs pop out the other end.

Comment 1

8 years ago
I made comment 0 private as exposing info about asin may hurt nightly build users.
Group: core-security

Comment 2

8 years ago
fwiw, bug 584653 was determined to be non-exploitable because it confused the type-tagging in a predictably-crashing way.
Group: core-security
Whiteboard: [sg:nse]
(Reporter)

Comment 3

8 years ago
Right.  Only half the bug remains: build a jsapi test that gives us some build-time assurance that our math libs are sane.
Summary: conditionally canonicalize nans coming out of math.h → write jsapi-test for math libraries and canonical nan
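
A worked sketch of the sweep that comment 0 proposes and comment 3 narrows the bug down to, added here as an example; it is not code from this bug, from SpiderMonkey, or from the jsapi-tests harness. It pumps a fixed set of probe inputs through the C math library, flags every result that is a NaN other than the canonical one, and shows what the proposed conditional canonicalization step changes. Assumptions not stated in the bug: the canonical NaN bit pattern is taken to be 0x7FF8000000000000 (positive quiet NaN, zero payload); every function, type and probe name below is the example's own; a real jsapi-test would wrap the same sweep in that harness's test macros instead of main().

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Assumption (not from the bug): the canonical NaN is the positive quiet NaN
// with an all-zero payload. Any other NaN bit pattern counts as non-canonical.
static const uint64_t kCanonicalNaNBits = 0x7FF8000000000000ULL;
// The x86 SSE "default NaN" (real indefinite) has the sign bit set, so a libm
// that simply returns the hardware NaN for asin(4) would still trip the check.
static const uint64_t kX86DefaultNaNBits = 0xFFF8000000000000ULL;

static uint64_t DoubleBits(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double BitsToDouble(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

static bool IsCanonicalNaN(double d) { return DoubleBits(d) == kCanonicalNaNBits; }

// Stand-in for the engine's canonicalization step (what the proposed
// JS_MATH_NEEDS_CANONICALIZATION branch would do): every NaN collapses to the
// canonical pattern; non-NaN values, including -0.0, pass through untouched.
static double CanonicalizeNaN(double d) {
    return std::isnan(d) ? BitsToDouble(kCanonicalNaNBits) : d;
}

typedef double (*UnaryFn)(double);
struct NamedFn { const char* name; UnaryFn fn; };

// Math functions under test. Binary functions are curried with a fixed second
// operand so that one sweep loop covers them too.
static const NamedFn kMathFns[] = {
    {"acos",  [](double x) { return std::acos(x); }},
    {"asin",  [](double x) { return std::asin(x); }},
    {"atan",  [](double x) { return std::atan(x); }},
    {"ceil",  [](double x) { return std::ceil(x); }},
    {"cos",   [](double x) { return std::cos(x); }},
    {"exp",   [](double x) { return std::exp(x); }},
    {"fabs",  [](double x) { return std::fabs(x); }},
    {"floor", [](double x) { return std::floor(x); }},
    {"log",   [](double x) { return std::log(x); }},
    {"sin",   [](double x) { return std::sin(x); }},
    {"sqrt",  [](double x) { return std::sqrt(x); }},
    {"tan",   [](double x) { return std::tan(x); }},
    {"pow(x,0.5)",  [](double x) { return std::pow(x, 0.5); }},
    {"atan2(x,x)",  [](double x) { return std::atan2(x, x); }},
    {"fmod(x,0.0)", [](double x) { return std::fmod(x, 0.0); }},
};

// Probe inputs: ordinary values, domain-error triggers (asin(4), log(-1),
// sqrt(-4)), infinities, and NaNs with assorted payloads, to see whether the
// library hands a caller-supplied payload back instead of producing its own.
static const double kProbes[] = {
    0.0, -0.0, 0.5, -0.5, 1.0, -1.0, 2.0, 4.0, -4.0, 1e308, -1e308,
    HUGE_VAL, -HUGE_VAL,
    BitsToDouble(kCanonicalNaNBits),
    BitsToDouble(kX86DefaultNaNBits),
    BitsToDouble(0x7FF8DEADBEEF0001ULL),  // quiet NaN carrying a junk payload
};

struct Offender { std::string fn; double input; uint64_t resultBits; };

// Pump every probe through every function and collect results that are NaN
// but not the canonical NaN. With canonicalize=true the sweep must be empty.
static std::vector<Offender> SweepMathLibrary(bool canonicalize) {
    std::vector<Offender> bad;
    for (const NamedFn& f : kMathFns) {
        for (double x : kProbes) {
            double r = f.fn(x);
            if (canonicalize) r = CanonicalizeNaN(r);
            if (std::isnan(r) && !IsCanonicalNaN(r))
                bad.push_back(Offender{f.name, x, DoubleBits(r)});
        }
    }
    return bad;
}

int main() {
    std::vector<Offender> bad = SweepMathLibrary(false);
    for (const Offender& o : bad)
        std::printf("%-12s(%g) -> 0x%016llx non-canonical NaN\n",
                    o.fn.c_str(), o.input, (unsigned long long)o.resultBits);
    std::printf("%zu non-canonical results without canonicalization, %zu with it\n",
                bad.size(), SweepMathLibrary(true).size());
    return 0;
}
```

Without canonicalization the sweep reports at least the functions that return a caller-supplied NaN payload unchanged (fabs, sin, and so on do this on most libms), plus anything like the asin(4) case from bug 584653 where the library manufactures a NaN with a stray sign bit or payload. With canonicalization it must come back empty; a jsapi-test that asserts exactly that on the platforms where the engine skips canonicalization is the build-time assurance comment 3 asks for. Note that under this canonical pattern the x86 hardware default NaN is itself non-canonical, so "the platform returns the hardware NaN" is not by itself evidence that a libm is safe to leave uncanonicalized.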
(Assignee)

Updated

4 years ago
Assignee: general → nobody