811756 - Unchecked cast from NaN double to int in jsdate.cpp

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: Patch

There is an unchecked conversion from NaN double to int in js/src/jsdate.cpp:

> inline int
> DaysInFebruary(int year) {
...

> static double
> DateFromTime(double t)
> {
>     double year = YearFromTime(t);
>     double d = DayWithinYear(t, year);
> 
>     int next;
>     if (d <= (next = 30))
>         return d + 1;
>     int step = next;
>     if (d <= (next += DaysInFebruary(year))) // <<<--- year can be NaN here


I believe that the reason is a missing check in the beginning of the method DateFromTime, that verifies that t is indeed finite, just like it is done in MonthFromTime.

However, in addition, DaysInFebruary should probably take a double and not int, since that would be converting to int and immediately back to double (because DaysInFebruary immediately calls another function with the year, which again takes double).

The attached patch fixes both.

Comment 1

[Jesse Ruderman]

Is there a test?

More importantly, is the year of our Lord NaN a leap year or not??

Comment 2

[Christian Holler (:decoder)]

The test was this:

date = new Date(NaN).setMonth();

No way to detect this though from inside JS (I think).

Comment 3

[Jason Orendorff [:jorendorff]]

In the year NaN, the month of February will have NaN days.

Comment 4

[Christian Holler (:decoder)]

Does that make it a leap year? ^_^

Comment 5

[Tom S [:evilpie]]

I think that makes it NotAYear.

Comment 6

[Jeff Walden [:Waldo]]

Comment on attachment 681512 [details] [diff] [review]
Patch

Review of attachment 681512 [details] [diff] [review]:
-----------------------------------------------------------------

rs=me

Comment 7

[Christian Holler (:decoder)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/006bc34d21fd

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/006bc34d21fd