Bug 223284

Summary: Fixed undefined behavior bug in Const32Value::checkNegConstant().
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch.
none
proposed patch. none

Description Mark Lam 2021-03-16 15:19:32 PDT 
This was causing a failure in testb3 on a release build.
Comment 1 Mark Lam 2021-03-16 15:22:42 PDT 
Created attachment 423402 [details]
proposed patch.
Comment 2 Darin Adler 2021-03-16 15:36:57 PDT 
Comment on attachment 423402 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=423402&action=review

> Source/JavaScriptCore/b3/B3Const32Value.cpp:109
> -    if (m_value == -m_value)
> +    // We're using volatile temps here to force Clang to actually compute these
> +    // bit values and compare them. Otherwise, Clang can just assume that they
> +    // are not equal since the result of (m_value == -m_value) is undefined
> +    // behavior.
> +    volatile uint32_t value = m_value;
> +    volatile uint32_t negatedValue = -m_value;
> +    if (value == negatedValue)

If we’re having trouble because we’re depending on undefined behavior, I suggest we select a solution that does not involve undefined behavior. Using volatile seems like the wrong workaround, since it’s depending even more on undefined behavior, other types. The way we are using here is not what volatile is for. I suggest this solution, which should work reliably:

    if (m_value == std::numeric_limits<int32_t>::min())
        return nullptr;

> Source/JavaScriptCore/b3/B3Const64Value.cpp:110
> -    if (m_value == -m_value)
> +    // We're using volatile temps here to force Clang to actually compute these
> +    // bit values and compare them. Otherwise, Clang can just assume that they
> +    // are not equal since the result of (m_value == -m_value) is undefined
> +    // behavior.
> +    volatile uint64_t value = m_value;
> +    volatile uint64_t negatedValue = -m_value;
> +    if (value == negatedValue)
>          return nullptr;

Same:

    if (m_value == std::numeric_limits<int64_t>::min())
        return nullptr;
Comment 3 Mark Lam 2021-03-16 15:42:25 PDT 
Comment on attachment 423402 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=423402&action=review

>> Source/JavaScriptCore/b3/B3Const32Value.cpp:109
>> +    if (value == negatedValue)
> 
> If we’re having trouble because we’re depending on undefined behavior, I suggest we select a solution that does not involve undefined behavior. Using volatile seems like the wrong workaround, since it’s depending even more on undefined behavior, other types. The way we are using here is not what volatile is for. I suggest this solution, which should work reliably:
> 
>     if (m_value == std::numeric_limits<int32_t>::min())
>         return nullptr;

That's a great solution.  I should have thought of that.  Will give it a try.
Comment 4 Mark Lam 2021-03-16 15:55:56 PDT 
Created attachment 423411 [details]
proposed patch.
Comment 5 Mark Lam 2021-03-16 16:02:32 PDT 
Comment on attachment 423411 [details]
proposed patch.

Thanks for the review.  Landing now.
Comment 6 EWS 2021-03-16 17:10:32 PDT 
Committed r274538: <https://commits.webkit.org/r274538>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 423411 [details].
Comment 7 Radar WebKit Bug Importer 2021-03-16 17:11:15 PDT 
<rdar://problem/75502173>