Bug 143532

Summary:

DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, benjamin, ggaren, mark.lam, mhahnenb, mmirman, msaboff, nrotem, oliver, saam, sam

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	barraclough: review+

Description Filip Pizlo 2015-04-08 12:48:06 PDT

Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.  But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler would think that there never was wrap-around.

Comment 1 Filip Pizlo 2015-04-08 12:50:13 PDT

Created attachment 250376 [details]
the patch

Comment 2 Filip Pizlo 2015-04-08 13:24:02 PDT

Landed in http://trac.webkit.org/changeset/182562

Comment 3 Darin Adler 2015-04-10 09:36:33 PDT

Comment on attachment 250376 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=250376&action=review

> Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp:367
> +            uint32_t unsignedDifference = maxBound - minBound;
> +            return !(unsignedDifference >> 31);

Could also have written:

   int32_t difference = maxBound - minBound;
   return difference >= 0;