Bug 232058

Summary: Add missing overflow check to DFGIntegerRangeOptimizationPhase::filterConstant()
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, keith_miller, mark.lam, rmorisset, saam, tzagallo, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Michael Saboff
Reported 2021-10-20 17:23:37 PDT
From code review, it appears that an overflow check is needed when creating a more specific Relationship. Consider the current code:

    ...
    if (sumOverflows<int>(otherRight, other.m_offset))
        return *this;
    int otherEffectiveRight = otherRight + other.m_offset;
    switch (other.m_kind) {
    case Equal:
        // Return a version of *this that is Equal to other's constant.
        return Relationship(m_left, m_right, Equal, otherEffectiveRight - thisRight);
    ...

We check if other's value + offset overflows, but what about the case where otherEffectiveRight - thisRight might overflow?
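The hazard the description raises, as an added standalone C++ model. This is not WebKit's code: the names Relationship, filterConstant, thisRight, otherRight and the offset follow the quoted snippet for readability, but the struct, the Kind enum, the FilterResult wrapper and the checked-arithmetic helpers (written here with 64-bit intermediates instead of the WTF sumOverflows/differenceOverflows templates) are this example's own simplifications, and only the Equal case is modelled. It shows that otherRight + other.m_offset can be in range while otherEffectiveRight - thisRight is not, and what offset an unchecked, wrapping subtraction would have stored:

```cpp
// Added example (not WebKit code): a simplified model of the arithmetic in
// the quoted filterConstant() snippet, showing why the second subtraction
// needs its own overflow check.
#include <climits>
#include <cstdint>
#include <cstdio>

// Checked int arithmetic via 64-bit intermediates. These are this example's
// own stand-ins for the sumOverflows<int>/differenceOverflows<int> helpers
// named in the bug, so the code builds without WTF.
static bool sumOverflowsInt(int a, int b)
{
    std::int64_t s = static_cast<std::int64_t>(a) + static_cast<std::int64_t>(b);
    return s < INT_MIN || s > INT_MAX;
}

static bool differenceOverflowsInt(int a, int b)
{
    std::int64_t d = static_cast<std::int64_t>(a) - static_cast<std::int64_t>(b);
    return d < INT_MIN || d > INT_MAX;
}

enum class Kind { Equal, LessThan };

// "left <kind> right + offset". left/right are stand-ins for DFG node ids;
// the real class carries more state than this.
struct Relationship {
    int left;
    int right;
    Kind kind;
    int offset;
};

struct FilterResult {
    bool keptThis;      // true when the function bailed out and returned *this
    Relationship rel;
};

// Model of filterConstant() with the check the bug asks for. thisRight and
// otherRight are the constant values of the two right-hand nodes; the real
// phase looks them up, here they are plain parameters.
static FilterResult filterConstantChecked(const Relationship& self, int thisRight,
                                          const Relationship& other, int otherRight)
{
    // The check already present in the quoted code.
    if (sumOverflowsInt(otherRight, other.offset))
        return { true, self };
    int otherEffectiveRight = otherRight + other.offset;

    // The missing check: the new offset is itself a difference of two ints
    // and can leave the int range even though the sum above did not.
    if (differenceOverflowsInt(otherEffectiveRight, thisRight))
        return { true, self };
    int newOffset = otherEffectiveRight - thisRight;

    switch (other.kind) {
    case Kind::Equal:
        // A version of *this that is Equal to other's constant.
        return { false, { self.left, self.right, Kind::Equal, newOffset } };
    default:
        // Other kinds are not modelled here; keep the existing relationship.
        return { true, self };
    }
}

// The offset the unchecked subtraction would have produced on a two's
// complement machine. Signed overflow is undefined behaviour in C++, so the
// wrap is computed explicitly through uint32_t rather than by overflowing int.
static int wrappedDifference(int a, int b)
{
    return static_cast<int>(static_cast<std::uint32_t>(a) - static_cast<std::uint32_t>(b));
}

int main()
{
    Relationship self { 1, 2, Kind::Equal, 0 };
    Relationship other { 1, 3, Kind::Equal, 5 };
    // other's constant + offset is exactly INT_MAX (no sum overflow), but
    // subtracting a negative thisRight pushes the new offset past INT_MAX.
    FilterResult r = filterConstantChecked(self, -10, other, INT_MAX - 5);
    std::printf("checked: kept *this = %d\n", r.keptThis);
    std::printf("unchecked would have stored offset %d\n", wrappedDifference(INT_MAX, -10));
    return 0;
}
```

The wrapped value is a large negative offset, so an unchecked version would record "left == right + (negative)" where the true relation has a positive offset larger than int. Relationships in this phase are treated as proven facts about integer nodes, so falling back to *this (the weaker relationship already known) is the safe outcome, and it is the same fallback the quoted code already uses for the sum case.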
Attachments:
Patch (1.29 KB, patch), 2021-10-20 17:27 PDT, Michael Saboff, no flags
Michael Saboff
Comment 1 2021-10-20 17:24:01 PDT
Michael Saboff
Comment 2 2021-10-20 17:27:11 PDT
Robin Morisset
Comment 3 2021-10-20 17:37:20 PDT
Comment on attachment 441964 (Patch): r=me
EWS
Comment 4 2021-10-21 10:54:55 PDT
Committed r284623 (243344@main): <https://commits.webkit.org/243344@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 441964.