Skip to content

[JSC] Ensure Date.prototype.setMonth and Date.prototype.setUTCMonth Respects TimeClip Range by Guarding months of GregorianDateTime Overflow #47036

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 26, 2025
Merged

[JSC] Ensure Date.prototype.setMonth and Date.prototype.setUTCMonth Respects TimeClip Range by Guarding months of GregorianDateTime Overflow #47036

merged 1 commit into from
Jun 26, 2025
+10 −9

Conversation

Gumichocopengin8
Copy link
Member

@Gumichocopengin8 Gumichocopengin8 commented Jun 22, 2025
edited by webkit-early-warning-system
Loading

7d717f9

[JSC] Ensure `Date.prototype.setMonth` and `Date.prototype.setUTCMonth` Respects TimeClip Range by Guarding months of GregorianDateTime Overflow
https://bugs.webkit.org/show_bug.cgi?id=294815

Reviewed by Sosuke Suzuki.

TimeClip[1] function, as referenced in Date.prototype.setMonth[2] and
Date.prototype.setUTCMonth[3], mentions that absolute value of time must not
exceed 8.64E15 in milliseconds, otherwise returns NaN.
However, the current GregorianDateTime class represents months member variable as int.
Therefore, if the months exceeds the maximum representable int,
date calculations may produce incorrect results.
This patch adds a safeguard to ensure that such overflows are prevented
to align the behavior with the TC39 spec.

[1]: https://tc39.es/ecma262/#sec-timeclip
[2]: https://tc39.es/ecma262/#sec-date.prototype.setmonth
[3]: https://tc39.es/ecma262/#sec-date.prototype.setutcmonth

* JSTests/stress/date-timeClip-large-values.js:
* LayoutTests/js/date-timeClip-large-values-expected.txt:
* Source/JavaScriptCore/runtime/DatePrototype.cpp:
(JSC::fillStructuresUsingDateArgs):

Canonical link: https://commits.webkit.org/296644@main

63c3866

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc ✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64 ✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp ✅ 🛠 jsc-armv7
✅ 🛠 tv-sim ✅ 🧪 jsc-armv7-tests
✅ 🛠 watch
✅ 🛠 watch-sim

@Gumichocopengin8 Gumichocopengin8 requested a review from a team as a code owner June 22, 2025 22:37
@Gumichocopengin8 Gumichocopengin8 self-assigned this Jun 22, 2025
@Gumichocopengin8 Gumichocopengin8 added the JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. label Jun 22, 2025
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Jun 22, 2025
edited
Loading

EWS run on current version of this PR (hash 63c3866)

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc ✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64 ✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp ✅ 🛠 jsc-armv7
✅ 🛠 tv-sim ✅ 🧪 jsc-armv7-tests
✅ 🛠 watch
✅ 🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Jun 23, 2025
sosukesuzuki
sosukesuzuki approved these changes Jun 26, 2025
View reviewed changes
Copy link
Member

@sosukesuzuki sosukesuzuki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r=me

@sosukesuzuki sosukesuzuki added merge-queue Applied to send a pull request to merge-queue and removed merging-blocked Applied to prevent a change from being merged labels Jun 26, 2025
@Gumichocopengin8 @sosukesuzuki
[JSC] Ensure Date.prototype.setMonth and `Date.prototype.setUTCMont…
7d717f9 
…h` Respects TimeClip Range by Guarding months of GregorianDateTime Overflow

https://bugs.webkit.org/show_bug.cgi?id=294815

Reviewed by Sosuke Suzuki.

TimeClip[1] function, as referenced in Date.prototype.setMonth[2] and
Date.prototype.setUTCMonth[3], mentions that absolute value of time must not
exceed 8.64E15 in milliseconds, otherwise returns NaN.
However, the current GregorianDateTime class represents months member variable as int.
Therefore, if the months exceeds the maximum representable int,
date calculations may produce incorrect results.
This patch adds a safeguard to ensure that such overflows are prevented
to align the behavior with the TC39 spec.

[1]: https://tc39.es/ecma262/#sec-timeclip
[2]: https://tc39.es/ecma262/#sec-date.prototype.setmonth
[3]: https://tc39.es/ecma262/#sec-date.prototype.setutcmonth

* JSTests/stress/date-timeClip-large-values.js:
* LayoutTests/js/date-timeClip-large-values-expected.txt:
* Source/JavaScriptCore/runtime/DatePrototype.cpp:
(JSC::fillStructuresUsingDateArgs):

Canonical link: https://commits.webkit.org/296644@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/JSC-Ensure-Date-prototype-setMonth-and-Date-prototype-setUTCMonth-Respects-TimeClip-Range-by-Guarding-months-of-GregorianDateTime-Overflow branch from 63c3866 to 7d717f9 Compare June 26, 2025 01:40
@webkit-commit-queue
Copy link
Collaborator

Committed 296644@main (7d717f9): https://commits.webkit.org/296644@main

Reviewed commits have been landed. Closing PR #47036 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit 7d717f9 into WebKit:main Jun 26, 2025
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Jun 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sosukesuzuki sosukesuzuki sosukesuzuki approved these changes

Assignees

@Gumichocopengin8 Gumichocopengin8

Labels
JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Gumichocopengin8 @webkit-early-warning-system @webkit-commit-queue @sosukesuzuki @webkit-ews-buildbot