Bug 1300380: Fix undefined behavior under WasmTruncate functions; r=h4writer
authorBenjamin Bouvier <benj@benj.me>
Thu, 22 Sep 2016 18:19:28 +0200
changeset 315270 20cf91d1aecd370d788eff5e50c8255db4abc279
parent 315231 e1babcef001ebbfcd1852e86c15f924e3f0c2af4
child 315271 a05a8412140401eaa378df78b3df7aeef64d7cae
push id30747
push usercbook@mozilla.com
push dateTue, 27 Sep 2016 09:22:00 +0000
reviewersh4writer
bugs1300380
milestone52.0a1
Bug 1300380: Fix undefined behavior under WasmTruncate functions; r=h4writer MozReview-Commit-ID: I3lbWLKHO4g
js/src/asmjs/WasmTypes.cpp
--- a/js/src/asmjs/WasmTypes.cpp
+++ b/js/src/asmjs/WasmTypes.cpp
@@ -31,16 +31,18 @@
 #include "vm/Interpreter.h"
 
 #include "vm/Stack-inl.h"
 
 using namespace js;
 using namespace js::jit;
 using namespace js::wasm;
 
+using mozilla::IsNaN;
+
 void
 Val::writePayload(uint8_t* dst) const
 {
     switch (type_) {
       case ValType::I32:
       case ValType::F32:
         memcpy(dst, &u.i32_, sizeof(u.i32_));
         return;
@@ -201,33 +203,29 @@ UModI64(uint32_t x_hi, uint32_t x_lo, ui
     uint64_t y = ((uint64_t)y_hi << 32) + y_lo;
     MOZ_ASSERT(y != 0);
     return x % y;
 }
 
 static int64_t
 TruncateDoubleToInt64(double input)
 {
-    // Note: INT64_MAX is not representable in double. It is actually INT64_MAX + 1.
-    // Therefore also sending the failure value.
-    if (input >= double(INT64_MAX))
-        return 0x8000000000000000;
-    if (input < double(INT64_MIN))
+    // Note: INT64_MAX is not representable in double. It is actually
+    // INT64_MAX + 1.  Therefore also sending the failure value.
+    if (input >= double(INT64_MAX) || input < double(INT64_MIN) || IsNaN(input))
         return 0x8000000000000000;
     return int64_t(input);
 }
 
 static uint64_t
 TruncateDoubleToUint64(double input)
 {
     // Note: UINT64_MAX is not representable in double. It is actually UINT64_MAX + 1.
     // Therefore also sending the failure value.
-    if (input >= double(UINT64_MAX))
-        return 0x8000000000000000;
-    if (input <= -1.0)
+    if (input >= double(UINT64_MAX) || input <= -1.0 || IsNaN(input))
         return 0x8000000000000000;
     return uint64_t(input);
 }
 
 static double
 Int64ToFloatingPoint(int32_t x_hi, uint32_t x_lo)
 {
     int64_t x = int64_t((uint64_t(x_hi) << 32)) + int64_t(x_lo);
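Review bot: The failure value `0x8000000000000000` returned by both truncate helpers is also a legitimate in-range result (-2^63 in TruncateDoubleToInt64, 2^63 in TruncateDoubleToUint64), so the return value alone cannot tell a caller whether the input was NaN or out of range. The callers are outside this hunk and presumably re-check the input, but that contract should be written down, e.g. `// Returns 0x8000000000000000 for NaN and out-of-range inputs; callers must re-check the input to tell this apart from a valid result.` In TruncateDoubleToInt64 the literal does not fit a signed 64-bit type, so the return depends on an implementation-defined unsigned-to-signed conversion; `return INT64_MIN;` yields the same value without it. The comments above both checks still explain only the upper-bound rounding and never mention NaN, which is the case where the cast itself would be undefined because every ordered comparison against NaN is false.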