Closed
Bug 811348
Opened 12 years ago
Closed 3 years ago
Unchecked cast from NaN double to int in jsinterp.cpp
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 930708
People
(Reporter: decoder, Unassigned)
Details
(Keywords: sec-want, Whiteboard: [-fsanitize=float-cast-overflow])
The following test:
switch (NaN) { case 0: case 1: case 2: ; }
causes a NaN double value to be cast to int in js/src/jsinterp.cpp:
> /* Don't use MOZ_DOUBLE_IS_INT32; treat -0 (double) as 0. */
> if (!rref.isDouble() || (d = rref.toDouble()) != (i = int32_t(rref.toDouble())))
> DO_NEXT_OP(len);
The behavior in this case is undefined, so we should ensure we don't cast NaN but handle it otherwise.
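Converting a double to `int32_t` is undefined in C++ whenever the truncated value is not representable (NaN, infinities, anything outside the int32 range), which is what `-fsanitize=float-cast-overflow` reports. The following is an added example, not the SpiderMonkey code and not the fix from bug 930708: one way to test for NaN and range before the cast. The helper names `double_to_int32_exact` and `table_switch_index` are hypothetical.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Hypothetical helper (not a SpiderMonkey API): returns true and stores the
// value in *out only when d is exactly representable as an int32_t.
// -0.0 is accepted and stored as 0, matching the comment in the quoted code.
bool double_to_int32_exact(double d, int32_t* out) {
    // NaN fails every ordered comparison, so test for it explicitly first.
    if (std::isnan(d))
        return false;
    // Range check on the double side, before any conversion happens.
    // Both bounds are exactly representable as doubles.
    const double lo = static_cast<double>(std::numeric_limits<int32_t>::min());
    const double hi = static_cast<double>(std::numeric_limits<int32_t>::max());
    if (d < lo || d > hi)
        return false;  // also rejects +Infinity and -Infinity
    // The value is in range, so the truncating cast is well defined.
    int32_t i = static_cast<int32_t>(d);
    if (static_cast<double>(i) != d)
        return false;  // value had a fractional part, e.g. 1.5
    *out = i;
    return true;
}

// Models the dispatch in the test case from the report: returns the matched
// case offset for a dense switch over [low, high], or -1 when no case applies.
int64_t table_switch_index(double v, int32_t low, int32_t high) {
    int32_t i;
    if (!double_to_int32_exact(v, &i))
        return -1;  // NaN, non-integer or out of int32 range: skip the switch
    if (i < low || i > high)
        return -1;
    // Widen before subtracting so i - low cannot overflow int32_t.
    return static_cast<int64_t>(i) - low;
}
```

Building the unguarded form with `-fsanitize=float-cast-overflow` and running the `switch (NaN)` input is how the original cast gets flagged; the guarded form never reaches the cast for that input.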
Comment 1•12 years ago
How did you find this bug? Did you compile with an undefined-behavior catcher?
Updated•11 years ago
Whiteboard: [-fsanitize=float-cast-overflow]
Updated•10 years ago
Assignee: general → nobody
Comment 2•3 years ago
Hey Christian,
Is this issue still relevant or reproducible on the latest Firefox versions?
Flags: needinfo?(choller)
Comment 3•3 years ago
Looks like this was addressed in bug 930708.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(choller)
Resolution: --- → DUPLICATE