RESOLVED FIXED 210869
BigInt32 parsing should be precise 
https://bugs.webkit.org/show_bug.cgi?id=210869
Summary BigInt32 parsing should be precise
Saam Barati
Reported 2020-04-22 12:09:04 PDT
...
Attachments
patch (10.35 KB, patch)
2020-04-22 12:36 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (10.39 KB, patch)
2020-04-22 13:06 PDT, Saam Barati 		rmorisset: review+
DetailsFormatted DiffDiff
patch for landing (10.40 KB, patch)
2020-04-22 13:40 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch for landing (10.37 KB, patch)
2020-04-22 13:42 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch for landing (10.35 KB, patch)
2020-04-22 13:43 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch for landing (10.32 KB, patch)
2020-04-22 13:44 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2020-04-22 12:36:10 PDT
Created attachment 397236 [details] patch
Mark Lam
Comment 2 2020-04-22 12:46:00 PDT
Comment on attachment 397236 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=397236&action=review > Source/JavaScriptCore/ChangeLog:9 > + if the value could be an int32. This patch makes the algorithm precise on I think predictable is a better description here than precise.
Robin Morisset
Comment 3 2020-04-22 12:51:58 PDT
Comment on attachment 397236 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=397236&action=review Thanks for improving this. I have a couple nits and questions below: > Source/JavaScriptCore/jsc.cpp:2331 > + return JSValue::encode(jsBoolean(!!jsDynamicCast<JSBigInt*>(globalObject->vm(), callFrame->argument(0)))); Is there a reason for using this weird !!jsDynamicCast<JSBigInt*> instead of JSValue::isHeapBigInt ? > Source/JavaScriptCore/runtime/JSBigInt.cpp:1876 > + auto limitWorks = [&] (double radix, double lengthLimit) { I don't think you need to pass lengthLimit as an argument, it could just be lengthLimitForBigInt32 which is captured. > Source/JavaScriptCore/runtime/JSBigInt.cpp:1906 > + // radix ** lengthLimitForBigInt32 <= INT32_MAX Why is this the opposite from the BigInt32 case? > Source/JavaScriptCore/runtime/JSBigInt.cpp:1908 > + auto limitWorks = [&] (double radix, double lengthLimit) { same comment as before: no need to pass lengthLimit explicitly. > Source/JavaScriptCore/runtime/JSBigInt.cpp:1967 > + int64_t maybeResult = digit.unsafeGet(); maybe an assert here that going from uint64_t to int64_t does not overflow? I see no way that it could, but an assert would be reassuring if we ever modify any of that code again.
Saam Barati
Comment 4 2020-04-22 12:55:10 PDT
Comment on attachment 397236 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=397236&action=review >> Source/JavaScriptCore/ChangeLog:9 >> + if the value could be an int32. This patch makes the algorithm precise on > > I think predictable is a better description here than precise. The old algorithm was also predictable, it's bounds were just worse. >> Source/JavaScriptCore/jsc.cpp:2331 >> + return JSValue::encode(jsBoolean(!!jsDynamicCast<JSBigInt*>(globalObject->vm(), callFrame->argument(0)))); > > Is there a reason for using this weird !!jsDynamicCast<JSBigInt*> instead of JSValue::isHeapBigInt ? nope. I just didn't know it existed. >> Source/JavaScriptCore/runtime/JSBigInt.cpp:1876 >> + auto limitWorks = [&] (double radix, double lengthLimit) { > > I don't think you need to pass lengthLimit as an argument, it could just be lengthLimitForBigInt32 which is captured. ok >> Source/JavaScriptCore/runtime/JSBigInt.cpp:1906 >> + // radix ** lengthLimitForBigInt32 <= INT32_MAX > > Why is this the opposite from the BigInt32 case? Because Digit is 32-bit unsigned here, and I don't want to consider what happens below in static_cast<Digit>(uint64_t value) >> Source/JavaScriptCore/runtime/JSBigInt.cpp:1908 >> + auto limitWorks = [&] (double radix, double lengthLimit) { > > same comment as before: no need to pass lengthLimit explicitly. ok >> Source/JavaScriptCore/runtime/JSBigInt.cpp:1967 >> + int64_t maybeResult = digit.unsafeGet(); > > maybe an assert here that going from uint64_t to int64_t does not overflow? I see no way that it could, but an assert would be reassuring if we ever modify any of that code again. good idea
Saam Barati
Comment 5 2020-04-22 13:06:07 PDT
Created attachment 397242 [details] patch
Robin Morisset
Comment 6 2020-04-22 13:27:44 PDT
Comment on attachment 397242 [details] patch r=me
Saam Barati
Comment 7 2020-04-22 13:40:18 PDT
Created attachment 397249 [details] patch for landing
Saam Barati
Comment 8 2020-04-22 13:40:43 PDT
Comment on attachment 397249 [details] patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=397249&action=review > Source/JavaScriptCore/jsc.cpp:2331 > + return JSValue::encode(jsBoolean(!!jsDynamicCast<JSBigInt*>(globalObject->vm(), callFrame->argument(0)))); oops, forgot about this. Will fix.
Saam Barati
Comment 9 2020-04-22 13:42:29 PDT
Created attachment 397250 [details] patch for landing
Saam Barati
Comment 10 2020-04-22 13:43:12 PDT
Created attachment 397251 [details] patch for landing
Saam Barati
Comment 11 2020-04-22 13:44:43 PDT
Created attachment 397252 [details] patch for landing
EWS
Comment 12 2020-04-22 19:18:50 PDT
Committed r260550: <https://trac.webkit.org/changeset/260550> All reviewed patches have been landed. Closing bug and clearing flags on attachment 397252 [details].
Radar WebKit Bug Importer
Comment 13 2020-04-22 19:19:13 PDT
<rdar://problem/62227321>
Note You need to log in before you can comment on or make changes to this bug.