In DFGIntegerRangeOptimizationPhase, the `executeNode` function fails to correctly deal with ArithAdd node when node's second child is a negative constant. ``` case ArithAdd: { ... int offset = node->child2()->asInt32(); ... if (offset < 0 && offset != std::numeric_limits<int>::min()) { // If we have "add: @value - 1" then we know that @value >= min + 1, i.e. that // @value > min. if (!sumOverflows<int>(std::numeric_limits<int>::min(), offset, -1)) { <-- this line definitely returns false because intMin plus two negative value definitely overflows! setRelationship( Relationship::safeCreate( node->child1().node(), m_zero, Relationship::GreaterThan, std::numeric_limits<int>::min() + offset - 1), 0); } // If we have "add: @value + 1" then we know that @add <= max - 1, i.e. that // @add < max. if (!sumOverflows<int>(std::numeric_limits<int>::max(), -offset, 1)) { <-- intMax plus two positive value definitely overflows! setRelationship( Relationship( node, m_zero, Relationship::LessThan, std::numeric_limits<int>::max() - offset + 1), 0); } } break; } ``` If the offset is negative, we have add: @value - C, then we know @value >= min + C, @value > min + C - 1. C equals -offset, so final expression should be @value > min - offset - 1. If the offset is negative, we have add: @value - C, then we know @add <= max - C, @add < max - C + 1. C equals -offset, so final expression should be @add < max + offset + 1.