Changeset 45696 in webkit for trunk/JavaScriptCore

Timestamp:

Jul 9, 2009, 8:45:23 PM (16 years ago)

Author:

[email protected]

Message:

2009-07-09 Maciej Stachowiak <​[email protected]>

Reviewed by Darin Adler.

REGRESSION: crash in edge cases of floating point parsing.
​https://bugs.webkit.org/show_bug.cgi?id=27110
<rdar://problem/7044458>

Tests: fast/css/number-parsing-crash.html

fast/css/number-parsing-crash.html
fast/js/number-parsing-crash.html

• wtf/dtoa.cpp: (WTF::BigInt::BigInt): Converted this to more a proper class, using a Vector with inline capacity

(WTF::lshift): Rearranged logic somewhat nontrivially to deal with the new way of sizing BigInts.
Added an assertion to verify that invariants are maintained.

All other functions are adapted fairly mechanically to the above changes.
(WTF::BigInt::clear):
(WTF::BigInt::size):
(WTF::BigInt::resize):
(WTF::BigInt::words):
(WTF::BigInt::append):
(WTF::multadd):
(WTF::s2b):
(WTF::i2b):
(WTF::mult):
(WTF::cmp):
(WTF::diff):
(WTF::b2d):
(WTF::d2b):
(WTF::ratio):
(WTF::strtod):
(WTF::quorem):
(WTF::dtoa):

2009-07-09 Maciej Stachowiak <​[email protected]>

Reviewed by Darin Adler.

REGRESSION: crash in edge cases of floating point parsing.
<rdar://problem/7044458>
​https://bugs.webkit.org/show_bug.cgi?id=27110

Test cases for both JavaScript and CSS use of dtoa.

• fast/css/number-parsing-crash-2-expected.txt: Added.
• fast/css/number-parsing-crash-2.html: Added.
• fast/css/number-parsing-crash-expected.txt: Added.
• fast/css/number-parsing-crash.html: Added.
• fast/js/number-parsing-crash-expected.txt: Added.
• fast/js/number-parsing-crash.html: Added.
• fast/js/resources/number-parsing-crash.js: Added.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• wtf/dtoa.cpp (modified) (33 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2009-07-09  Maciej Stachowiak  <[email protected]>
+
+        Reviewed by Darin Adler.
+
+        REGRESSION: crash in edge cases of floating point parsing.
+        https://bugs.webkit.org/show_bug.cgi?id=27110
+        <rdar://problem/7044458>
+        
+        Tests: fast/css/number-parsing-crash.html
+               fast/css/number-parsing-crash.html
+               fast/js/number-parsing-crash.html
+        
+        * wtf/dtoa.cpp:
+        (WTF::BigInt::BigInt): Converted this to more a proper class, using a Vector
+        with inline capacity
+
+        (WTF::lshift): Rearranged logic somewhat nontrivially to deal with the new way of sizing BigInts.
+        Added an assertion to verify that invariants are maintained.
+
+        All other functions are adapted fairly mechanically to the above changes.
+        (WTF::BigInt::clear):
+        (WTF::BigInt::size):
+        (WTF::BigInt::resize):
+        (WTF::BigInt::words):
+        (WTF::BigInt::append):
+        (WTF::multadd):
+        (WTF::s2b):
+        (WTF::i2b):
+        (WTF::mult):
+        (WTF::cmp):
+        (WTF::diff):
+        (WTF::b2d):
+        (WTF::d2b):
+        (WTF::ratio):
+        (WTF::strtod):
+        (WTF::quorem):
+        (WTF::dtoa):
+
 2009-07-09  Drew Wilson  <[email protected]>
 

trunk/JavaScriptCore/wtf/dtoa.cpp

@@ -256 +256 @@
 #define Big1 0xffffffff
 
+
+// FIXME: we should remove non-Pack_32 mode since it is unused and unmaintained
 #ifndef Pack_32
 #define Pack_32
@@ -279 +281 @@
 
 struct BigInt {
-    BigInt() : sign(0), wds(0) { }
-    BigInt(const BigInt& other) : sign(other.sign), wds(other.wds) 
+    BigInt() : sign(0) { }
+    int sign;
+
+    void clear()
     {
-        for (int i = 0; i < 64; ++i)
-            x[i] = other.x[i];
-    }
-
-    BigInt& operator=(const BigInt& other) 
+        sign = 0;
+        m_words.clear();
+    }
+    
+    size_t size() const
     {
-        sign = other.sign;
-        wds = other.wds;
-        for (int i = 0; i < 64; ++i)
-            x[i] = other.x[i];        
-        return *this;
+        return m_words.size();
+    }
+
+    void resize(size_t s)
+    {
+        m_words.resize(s);
+    }
+            
+    uint32_t* words()
+    {
+        return m_words.data();
+    }
+
+    const uint32_t* words() const
+    {
+        return m_words.data();
     }
     
-    int sign;
-    int wds;
-    uint32_t x[64];
+    void append(uint32_t w)
+    {
+        m_words.append(w);
+    }
+    
+    Vector<uint32_t, 16> m_words;
 };
 
@@ -308 +326 @@
 #endif
 
-    int wds = b.wds;
-    uint32_t* x = b.x;
+    int wds = b.size();
+    uint32_t* x = b.words();
     int i = 0;
     carry = a;
@@ -332 +350 @@
     } while (++i < wds);
 
-    if (carry) {
-        b.x[wds++] = (uint32_t)carry;
-        b.wds = wds;
-    }
+    if (carry)
+        b.append((uint32_t)carry);
 }
 
@@ -347 +363 @@
 #ifdef Pack_32
     b.sign = 0;
-    b.x[0] = y9;
-    b.wds = 1;
+    b.resize(1);
+    b.words()[0] = y9;
 #else
     b.sign = 0;
-    b.x[0] = y9 & 0xffff;
-    b.wds = (b->x[1] = y9 >> 16) ? 2 : 1;
+    b.resize((b->x[1] = y9 >> 16) ? 2 : 1);
+    b.words()[0] = y9 & 0xffff;
 #endif
 
@@ -441 +457 @@
 {
     b.sign = 0;
-    b.x[0] = i;
-    b.wds = 1;
+    b.resize(1);
+    b.words()[0] = i;
 }
 
@@ -460 +476 @@
 #endif
 
-    if (a->wds < b->wds) {
+    if (a->size() < b->size()) {
         const BigInt* tmp = a;
         a = b;
@@ -466 +482 @@
     }
     
-    wa = a->wds;
-    wb = b->wds;
+    wa = a->size();
+    wb = b->size();
     wc = wa + wb;
-
-    for (xc = c.x, xa = xc + wc; xc < xa; xc++)
+    c.resize(wc);
+
+    for (xc = c.words(), xa = xc + wc; xc < xa; xc++)
         *xc = 0;
-    xa = a->x;
+    xa = a->words();
     xae = xa + wa;
-    xb = b->x;
+    xb = b->words();
     xbe = xb + wb;
-    xc0 = c.x;
+    xc0 = c.words();
 #ifdef USE_LONG_LONG
     for (; xb < xbe; xc0++) {
@@ -538 +555 @@
 #endif
 #endif
-    for (xc0 = c.x, xc = xc0 + wc; wc > 0 && !*--xc; --wc) { }
-    c.wds = wc;
+    for (xc0 = c.words(), xc = xc0 + wc; wc > 0 && !*--xc; --wc) { }
+    c.resize(wc);
     aRef = c;
 }
@@ -618 +635 @@
 #endif
 
-    int n1 = n + b.wds + 1;
-
-    const uint32_t* srcStart = b.x;
-    uint32_t* dstStart = b.x;
-    const uint32_t* src = srcStart + b.wds - 1;
+    int origSize = b.size();
+    int n1 = n + origSize + 1;
+
+    if (k &= 0x1f)
+        b.resize(b.size() + n + 1);
+    else
+        b.resize(b.size() + n);
+
+    const uint32_t* srcStart = b.words();
+    uint32_t* dstStart = b.words();
+    const uint32_t* src = srcStart + origSize - 1;
     uint32_t* dst = dstStart + n1 - 1;
 #ifdef Pack_32
-    if (k &= 0x1f) {
+    if (k) {
         uint32_t hiSubword = 0;
         int s = 32 - k;
@@ -634 +657 @@
         *dst = hiSubword;
         ASSERT(dst == dstStart + n);
-        b.wds = b.wds + n + (b.x[n1 - 1] != 0);
+
+        b.resize(origSize + n + (b.words()[n1 - 1] != 0));
     }
 #else
@@ -653 +677 @@
             *--dst = *src--;
         } while (src >= srcStart);
-        b.wds = b.wds + n;
     }
     for (dst = dstStart + n; dst != dstStart; )
         *--dst = 0;
+
+    ASSERT(b.size() <= 1 || b.words()[b.size() - 1]);
 }
 
@@ -664 +689 @@
     int i, j;
 
-    i = a.wds;
-    j = b.wds;
-    ASSERT(i <= 1 || a.x[i - 1]);
-    ASSERT(j <= 1 || b.x[j - 1]);
+    i = a.size();
+    j = b.size();
+    ASSERT(i <= 1 || a.words()[i - 1]);
+    ASSERT(j <= 1 || b.words()[j - 1]);
     if (i -= j)
         return i;
-    xa0 = a.x;
+    xa0 = a.words();
     xa = xa0 + j;
-    xb0 = b.x;
+    xb0 = b.words();
     xb = xb0 + j;
     for (;;) {
@@ -693 +718 @@
     if (!i) {
         c.sign = 0;
-        c.wds = 1;
-        c.x[0] = 0;
+        c.resize(1);
+        c.words()[0] = 0;
         return;
     }
@@ -705 +730 @@
         i = 0;
 
-    c.wds = 0;
+    wa = a->size();
+    const uint32_t* xa = a->words();
+    const uint32_t* xae = xa + wa;
+    wb = b->size();
+    const uint32_t* xb = b->words();
+    const uint32_t* xbe = xb + wb;
+
+    c.resize(wa);
     c.sign = i;
-    wa = a->wds;
-    const uint32_t* xa = a->x;
-    const uint32_t* xae = xa + wa;
-    wb = b->wds;
-    const uint32_t* xb = b->x;
-    const uint32_t* xbe = xb + wb;
-    xc = c.x;
+    xc = c.words();
 #ifdef USE_LONG_LONG
     unsigned long long borrow = 0;
@@ -758 +784 @@
     while (!*--xc)
         wa--;
-    c.wds = wa;
+    c.resize(wa);
 }
 
@@ -805 +831 @@
 #define d1 word1(&d)
 
-    xa0 = a.x;
-    xa = xa0 + a.wds;
+    xa0 = a.words();
+    xa = xa0 + a.size();
     y = *--xa;
     ASSERT(y);
@@ -861 +887 @@
     b.sign = 0;
 #ifdef Pack_32
-    b.wds = 1;
-#else
-    b.wds = 2;
-#endif
-    x = b.x;
+    b.resize(1);
+#else
+    b.resize(2);
+#endif
+    x = b.words();
 
     z = d0 & Frac_mask;
@@ -882 +908 @@
         } else
             x[0] = y;
+            if (z) {
+                b.resize(2);
+                x[1] = z;
+            }
+
 #ifndef Sudden_Underflow
-        i =
-#endif
-            b.wds = (x[1] = z) ? 2 : 1;
+        i = b.size();
+#endif
     } else {
         k = lo0bits(&z);
         x[0] = z;
 #ifndef Sudden_Underflow
-        i =
-#endif
-            b.wds = 1;
+        i = 1;
+#endif
+        b.resize(1);
         k += 32;
     }
@@ -930 +960 @@
     } while (!x[i])
         --i;
-    b->wds = i + 1;
+    b->resize(i + 1);
 #endif
 #ifndef Sudden_Underflow
@@ -959 +989 @@
     dval(&db) = b2d(b, &kb);
 #ifdef Pack_32
-    k = ka - kb + 32 * (a.wds - b.wds);
-#else
-    k = ka - kb + 16 * (a.wds - b.wds);
+    k = ka - kb + 32 * (a.size() - b.size());
+#else
+    k = ka - kb + 16 * (a.size() - b.size());
 #endif
     if (k > 0)
@@ -1453 +1483 @@
                 ) {
 #ifdef SET_INEXACT
-                if (!delta->x[0] && delta->wds <= 1)
+                if (!delta->words()[0] && delta->size() <= 1)
                     inexact = 0;
 #endif
                 break;
             }
-            if (!delta.x[0] && delta.wds <= 1) {
+            if (!delta.words()[0] && delta.size() <= 1) {
                 /* exact result */
 #ifdef SET_INEXACT
@@ -1701 +1731 @@
 static ALWAYS_INLINE int quorem(BigInt& b, BigInt& S)
 {
-    int n;
+    size_t n;
     uint32_t *bx, *bxe, q, *sx, *sxe;
 #ifdef USE_LONG_LONG
@@ -1711 +1741 @@
 #endif
 #endif
-
-    n = S.wds;
-    ASSERT_WITH_MESSAGE(b.wds <= n, "oversize b in quorem");
-    if (b.wds < n)
+    ASSERT(b.size() <= 1 || b.words()[b.size() - 1]);
+    ASSERT(S.size() <= 1 || S.words()[S.size() - 1]);
+
+    n = S.size();
+    ASSERT_WITH_MESSAGE(b.size() <= n, "oversize b in quorem");
+    if (b.size() < n)
         return 0;
-    sx = S.x;
+    sx = S.words();
     sxe = sx + --n;
-    bx = b.x;
+    bx = b.words();
     bxe = bx + n;
     q = *bxe / (*sxe + 1);    /* ensure q <= true quotient */
@@ -1753 +1785 @@
         } while (sx <= sxe);
         if (!*bxe) {
-            bx = b.x;
+            bx = b.words();
             while (--bxe > bx && !*bxe)
                 --n;
-            b.wds = n;
+            b.resize(n);
         }
     }
@@ -1763 +1795 @@
         borrow = 0;
         carry = 0;
-        bx = b.x;
-        sx = S.x;
+        bx = b.words();
+        sx = S.words();
         do {
 #ifdef USE_LONG_LONG
@@ -1792 +1824 @@
 #endif
         } while (sx <= sxe);
-        bx = b.x;
+        bx = b.words();
         bxe = bx + n;
         if (!*bxe) {
             while (--bxe > bx && !*bxe)
                 --n;
-            b.wds = n;
+            b.resize(n);
         }
     }
@@ -2028 +2060 @@
         word0(&eps) -= (P - 1) * Exp_msk1;
         if (ilim == 0) {
-            S = mhi = BigInt();
+            S.clear();
+            mhi.clear();
             dval(&u) -= 5.;
             if (dval(&u) > dval(&eps))
@@ -2091 +2124 @@
         ds = tens[k];
         if (ndigits < 0 && ilim <= 0) {
-            S = mhi = BigInt();
+            S.clear();
+            mhi.clear();
             if (ilim < 0 || dval(&u) <= 5 * ds)
                 goto no_digits;
@@ -2133 +2167 @@
     m2 = b2;
     m5 = b5;
-    mhi = mlo = BigInt();
+    mhi.clear();
+    mlo.clear();
     if (leftright) {
         i =
@@ -2187 +2222 @@
      */
 #ifdef Pack_32
-    if ((i = ((s5 ? 32 - hi0bits(S.x[S.wds - 1]) : 1) + s2) & 0x1f))
+    if ((i = ((s5 ? 32 - hi0bits(S.words()[S.size() - 1]) : 1) + s2) & 0x1f))
         i = 32 - i;
 #else
-    if ((i = ((s5 ? 32 - hi0bits(S.x[S.wds - 1]) : 1) + s2) & 0xf))
+    if ((i = ((s5 ? 32 - hi0bits(S.words()[S.size() - 1]) : 1) + s2) & 0xf))
         i = 16 - i;
 #endif
@@ -2253 +2288 @@
             }
             if (j < 0 || (j == 0 && !(word1(&u) & 1))) {
-                if (!b.x[0] && b.wds <= 1) {
+                if (!b.words()[0] && b.size() <= 1) {
 #ifdef SET_INEXACT
                     inexact = 0;
@@ -2288 +2323 @@
         for (i = 1;; i++) {
             *s++ = dig = quorem(b,S) + '0';
-            if (!b.x[0] && b.wds <= 1) {
+            if (!b.words()[0] && b.size() <= 1) {
 #ifdef SET_INEXACT
                 inexact = 0;