RESOLVED FIXED 177944
Avoid integer overflow in DFGStrengthReduction.cpp
https://bugs.webkit.org/show_bug.cgi?id=177944
Summary Avoid integer overflow in DFGStrengthReduction.cpp
Robin Morisset
Reported 2017-10-05 08:25:19 PDT
The check that we won't cause integer overflow is itself a signed integer overflow! I believe this is undefined behavior, and a future compiler could remove the check altogether. Instead, make it an explicit check that value != INT32_MIN.
Attachments
Patch (1.74 KB, patch)
2017-10-05 08:27 PDT, Robin Morisset
no flags
Robin Morisset
Comment 1 2017-10-05 08:27:52 PDT
Saam Barati
Comment 2 2017-10-05 08:58:36 PDT
Comment on attachment 322838 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=322838&action=review > Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:158 > + if (value != INT32_MIN) { Why not use Checked here?
Robin Morisset
Comment 3 2017-10-06 03:15:10 PDT
(In reply to Saam Barati from comment #2) > Comment on attachment 322838 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=322838&action=review > > > Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:158 > > + if (value != INT32_MIN) { > > Why not use Checked here? I just did not know about the existence of Checked. I could use it here, but I am not sure it would be a win: the check here is trivial, and using Checked would be a bit more bothersome: Checked<int32_t, RecordOnOverflow> checkedNewValue = 0; checkedNewValue -= value; int32_t newValue; if (CheckedState::DidNotOverflow == checkedNewValue.safeGet(newValue)) { ... (newValue)... } Instead of if (value != INT32_MIN) { ... (-value) ... } If you think it would be better, I can do the change and use it, it is as you want.
Saam Barati
Comment 4 2017-10-06 08:56:05 PDT
(In reply to Robin Morisset from comment #3) > (In reply to Saam Barati from comment #2) > > Comment on attachment 322838 [details] > > Patch > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=322838&action=review > > > > > Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:158 > > > + if (value != INT32_MIN) { > > > > Why not use Checked here? > > I just did not know about the existence of Checked. > > I could use it here, but I am not sure it would be a win: the check here is > trivial, and using Checked would be a bit more bothersome: > Checked<int32_t, RecordOnOverflow> checkedNewValue = 0; > checkedNewValue -= value; > int32_t newValue; > if (CheckedState::DidNotOverflow == checkedNewValue.safeGet(newValue)) { > ... (newValue)... > } > Instead of > if (value != INT32_MIN) { > ... (-value) ... > } > > If you think it would be better, I can do the change and use it, it is as > you want. Keep it as you have it. r=me still
WebKit Commit Bot
Comment 5 2017-10-06 09:33:46 PDT
Comment on attachment 322838 [details] Patch Clearing flags on attachment: 322838 Committed r222981: <http://trac.webkit.org/changeset/222981>
WebKit Commit Bot
Comment 6 2017-10-06 09:33:47 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 7 2017-10-06 09:34:46 PDT
Note You need to log in before you can comment on or make changes to this bug.