Bug 177944 - Avoid integer overflow in DFGStrengthReduction.cpp
Summary: Avoid integer overflow in DFGStrengthReduction.cpp
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Robin Morisset
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-10-05 08:25 PDT by Robin Morisset
Modified: 2017-10-06 09:34 PDT (History)
7 users (show)

See Also:

Attachments
Patch (1.74 KB, patch)
2017-10-05 08:27 PDT, Robin Morisset 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robin Morisset 2017-10-05 08:25:19 PDT 
The check that we won't cause integer overflow is itself a signed integer overflow! I believe this is undefined behavior, and a future compiler could remove the check altogether.
Instead, make it an explicit check that value != INT32_MIN.
Comment 1 Robin Morisset 2017-10-05 08:27:52 PDT 
Created attachment 322838 [details]
Patch
Comment 2 Saam Barati 2017-10-05 08:58:36 PDT 
Comment on attachment 322838 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=322838&action=review

> Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:158
> +                if (value != INT32_MIN) {

Why not use Checked here?
Comment 3 Robin Morisset 2017-10-06 03:15:10 PDT 
(In reply to Saam Barati from comment #2)
> Comment on attachment 322838 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=322838&action=review
> 
> > Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:158
> > +                if (value != INT32_MIN) {
> 
> Why not use Checked here?

I just did not know about the existence of Checked.

I could use it here, but I am not sure it would be a win: the check here is trivial, and using Checked would be a bit more bothersome:
  Checked<int32_t, RecordOnOverflow> checkedNewValue = 0;
  checkedNewValue -= value;
  int32_t newValue;
  if (CheckedState::DidNotOverflow == checkedNewValue.safeGet(newValue)) {
    ... (newValue)...
  }
Instead of
  if (value != INT32_MIN) {
    ... (-value) ...
  }

If you think it would be better, I can do the change and use it, it is as you want.
Comment 4 Saam Barati 2017-10-06 08:56:05 PDT 
(In reply to Robin Morisset from comment #3)
> (In reply to Saam Barati from comment #2)
> > Comment on attachment 322838 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=322838&action=review
> > 
> > > Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:158
> > > +                if (value != INT32_MIN) {
> > 
> > Why not use Checked here?
> 
> I just did not know about the existence of Checked.
> 
> I could use it here, but I am not sure it would be a win: the check here is
> trivial, and using Checked would be a bit more bothersome:
>   Checked<int32_t, RecordOnOverflow> checkedNewValue = 0;
>   checkedNewValue -= value;
>   int32_t newValue;
>   if (CheckedState::DidNotOverflow == checkedNewValue.safeGet(newValue)) {
>     ... (newValue)...
>   }
> Instead of
>   if (value != INT32_MIN) {
>     ... (-value) ...
>   }
> 
> If you think it would be better, I can do the change and use it, it is as
> you want.

Keep it as you have it. r=me still
Comment 5 WebKit Commit Bot 2017-10-06 09:33:46 PDT 
Comment on attachment 322838 [details]
Patch

Clearing flags on attachment: 322838

Committed r222981: <http://trac.webkit.org/changeset/222981>
Comment 6 WebKit Commit Bot 2017-10-06 09:33:47 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 7 Radar WebKit Bug Importer 2017-10-06 09:34:46 PDT 
<rdar://problem/34857276>