RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 11:38:11 +00:00
Code Issues Activity Actions

LibJS: Fix UB in Math.clz32

Browse source 
If the argument to this function is greater then or equal to 2^32, the
`double` => `u32` cast produces undefined behavior, which Clang catches.
To fix this, we now use `ToUint32` for getting the integer argument, as
specified by ECMA-262.
This commit is contained in:
Daniel Bertalan 2021-08-06 18:35:05 +02:00 committed by Andreas Kling
parent 5d32f543ec
commit fd76e71934
1 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Userland/Libraries/LibJS/Runtime/MathObject.cpp
View file

@ -341,12 +341,12 @@ JS_DEFINE_NATIVE_FUNCTION(MathObject::sign)
// 21.3.2.11 Math.clz32 ( x ), https://tc39.es/ecma262/#sec-math.clz32
JS_DEFINE_NATIVE_FUNCTION(MathObject::clz32)
{
auto number = vm.argument(0).to_number(global_object);
auto number = vm.argument(0).to_u32(global_object);
if (vm.exception())
return {};
if (!number.is_finite_number() || (unsigned)number.as_double() == 0)
if (number == 0)
return Value(32);
return Value(__builtin_clz((unsigned)number.as_double()));
return Value(__builtin_clz(number));
}
// 21.3.2.2 Math.acos ( x ), https://tc39.es/ecma262/#sec-math.acos