Cherry-pick WebKit security fix (webkit.org r64706) Do not merge
See http://trac.webkit.org/changeset/64706
Bug:3162623
Change-Id: I17abfbac4013ea98401f4088e9079faa15b9b8d9
diff --git a/JavaScriptCore/API/JSValueRef.cpp b/JavaScriptCore/API/JSValueRef.cpp
index a12cc34..518fc7b 100644
--- a/JavaScriptCore/API/JSValueRef.cpp
+++ b/JavaScriptCore/API/JSValueRef.cpp
@@ -211,6 +211,12 @@
ExecState* exec = toJS(ctx);
APIEntryShim entryShim(exec);
+ // Our JSValue representation relies on a standard bit pattern for NaN. NaNs
+ // generated internally to JavaScriptCore naturally have that representation,
+ // but an external NaN might not.
+ if (isnan(value))
+ value = NaN;
+
return toRef(exec, jsNumber(exec, value));
}
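Review bot: The added comment above `if (isnan(value))` says an external NaN "might not" have the standard bit pattern, but it does not say what goes wrong if it does not, which is the reason this is a security fix. I would extend it with something like `// A NaN carrying an arbitrary payload could otherwise be decoded as a different kind of JSValue, so canonicalize at the API boundary.` This reading is inferred from the comment's own wording about the JSValue representation and should be confirmed against the encoding in use. The check covers only this one entry point (the function starts above the hunk), so it is worth confirming that no other API path turns an embedder-supplied double into a JSValue without the same normalization. No API-level regression test that passes a NaN with non-default payload bits is visible in this commit.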
diff --git a/JavaScriptCore/wtf/dtoa.cpp b/JavaScriptCore/wtf/dtoa.cpp
index 6289d04..e63be90 100644
--- a/JavaScriptCore/wtf/dtoa.cpp
+++ b/JavaScriptCore/wtf/dtoa.cpp
@@ -168,6 +168,7 @@
#endif
#define INFNAN_CHECK
+#define No_Hex_NaN
#if defined(IEEE_8087) + defined(IEEE_MC68k) + defined(IEEE_ARM) != 1
Exactly one of IEEE_8087, IEEE_ARM or IEEE_MC68k should be defined.
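Review bot: The added `#define No_Hex_NaN` carries no comment, so a later sync with upstream dtoa could drop it without anyone noticing that it is security-relevant. In Gay's dtoa the macro makes strtod ignore the `nan(...)` hex form, which would otherwise let parsed text choose the NaN payload bits. That appears to be the same non-canonical-NaN problem the JSValueRef.cpp hunk closes at the API boundary. I would add a line above it such as `// Security: do not parse "nan(hex)"; JSValue requires the canonical NaN bit pattern (see webkit.org r64706).`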