Bug 143532

Summary:

DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, benjamin, ggaren, mark.lam, mhahnenb, mmirman, msaboff, nrotem, oliver, saam, sam

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	barraclough: review+

Filip Pizlo

Reported 2015-04-08 12:48:06 PDT

Oh the irony! We were protecting an optimization that only worked if there was no wrap-around in JavaScript. But the C++ code had wrap-around, which is undef in C++. So, if the compiler was smart enough, our compiler would think that there never was wrap-around.

Attachments
the patch (2.40 KB, patch) 2015-04-08 12:50 PDT, Filip Pizlo	barraclough: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2015-04-08 12:50:13 PDT

Created attachment 250376 [details] the patch

Filip Pizlo

Comment 2 2015-04-08 13:24:02 PDT

Landed in http://trac.webkit.org/changeset/182562

Darin Adler

Comment 3 2015-04-10 09:36:33 PDT

Comment on attachment 250376 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=250376&action=review > Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp:367 > + uint32_t unsignedDifference = maxBound - minBound; > + return !(unsignedDifference >> 31); Could also have written: int32_t difference = maxBound - minBound; return difference >= 0;

Note You need to log in before you can comment on or make changes to this bug.