WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
177944
Avoid integer overflow in DFGStrengthReduction.cpp
https://bugs.webkit.org/show_bug.cgi?id=177944
Summary
Avoid integer overflow in DFGStrengthReduction.cpp
Robin Morisset
Reported
2017-10-05 08:25:19 PDT
The check that we won't cause integer overflow is itself a signed integer overflow! I believe this is undefined behavior, and a future compiler could remove the check altogether. Instead, make it an explicit check that value != INT32_MIN.
Attachments
Patch
(1.74 KB, patch)
2017-10-05 08:27 PDT
,
Robin Morisset
no flags
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Robin Morisset
Comment 1
2017-10-05 08:27:52 PDT
Created
attachment 322838
[details]
Patch
Saam Barati
Comment 2
2017-10-05 08:58:36 PDT
Comment on
attachment 322838
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=322838&action=review
> Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:158 > + if (value != INT32_MIN) {
Why not use Checked here?
Robin Morisset
Comment 3
2017-10-06 03:15:10 PDT
(In reply to Saam Barati from
comment #2
)
> Comment on
attachment 322838
[details]
> Patch > > View in context: >
https://bugs.webkit.org/attachment.cgi?id=322838&action=review
> > > Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:158 > > + if (value != INT32_MIN) { > > Why not use Checked here?
I just did not know about the existence of Checked. I could use it here, but I am not sure it would be a win: the check here is trivial, and using Checked would be a bit more bothersome: Checked<int32_t, RecordOnOverflow> checkedNewValue = 0; checkedNewValue -= value; int32_t newValue; if (CheckedState::DidNotOverflow == checkedNewValue.safeGet(newValue)) { ... (newValue)... } Instead of if (value != INT32_MIN) { ... (-value) ... } If you think it would be better, I can do the change and use it, it is as you want.
Saam Barati
Comment 4
2017-10-06 08:56:05 PDT
(In reply to Robin Morisset from
comment #3
)
> (In reply to Saam Barati from
comment #2
) > > Comment on
attachment 322838
[details]
> > Patch > > > > View in context: > >
https://bugs.webkit.org/attachment.cgi?id=322838&action=review
> > > > > Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:158 > > > + if (value != INT32_MIN) { > > > > Why not use Checked here? > > I just did not know about the existence of Checked. > > I could use it here, but I am not sure it would be a win: the check here is > trivial, and using Checked would be a bit more bothersome: > Checked<int32_t, RecordOnOverflow> checkedNewValue = 0; > checkedNewValue -= value; > int32_t newValue; > if (CheckedState::DidNotOverflow == checkedNewValue.safeGet(newValue)) { > ... (newValue)... > } > Instead of > if (value != INT32_MIN) { > ... (-value) ... > } > > If you think it would be better, I can do the change and use it, it is as > you want.
Keep it as you have it. r=me still
WebKit Commit Bot
Comment 5
2017-10-06 09:33:46 PDT
Comment on
attachment 322838
[details]
Patch Clearing flags on attachment: 322838 Committed
r222981
: <
http://trac.webkit.org/changeset/222981
>
WebKit Commit Bot
Comment 6
2017-10-06 09:33:47 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 7
2017-10-06 09:34:46 PDT
<
rdar://problem/34857276
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug