Bug 232058

Summary:

Add missing overflow check to DFGIntegerRangeOptimizationPhase::filterConstant()

Product:

WebKit

Reporter:

Michael Saboff <msaboff>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, keith_miller, mark.lam, rmorisset, saam, tzagallo, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none

Description Michael Saboff 2021-10-20 17:23:37 PDT

From code review, it appears that an overflow check is needed when creating a more specific Relationship.

Consider the current code:
   ...
        if (sumOverflows<int>(otherRight, other.m_offset))
            return *this;

        int otherEffectiveRight = otherRight + other.m_offset;

        switch (other.m_kind) {
        case Equal:
            // Return a version of *this that is Equal to other's constant.
            return Relationship(m_left, m_right, Equal, otherEffectiveRight - thisRight);
    ...

We check if other's value + offset overflows, but what about the case where otherEffectiveRight - thisRight might overflow?

Comment 1 Michael Saboff 2021-10-20 17:24:01 PDT

<rdar://84375007>

Comment 2 Michael Saboff 2021-10-20 17:27:11 PDT

Created attachment 441964 [details]
Patch

Comment 3 Robin Morisset 2021-10-20 17:37:20 PDT

Comment on attachment 441964 [details]
Patch

r=me

Comment 4 EWS 2021-10-21 10:54:55 PDT

Committed r284623 (243344@main): <https://commits.webkit.org/243344@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 441964 [details].