205945 – Instruction.h: Multiplication result converted to larger type

Bug 205945 - Instruction.h: Multiplication result converted to larger type

Summary: Instruction.h: Multiplication result converted to larger type

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2020-01-08 11:46 PST by Michael Saboff
Modified:	2020-01-08 18:04 PST (History)
CC List:	8 users (show)

See Also:

Attachments
Patch (1.47 KB, patch) 2020-01-08 12:03 PST, Michael Saboff	mark.lam: review+ msaboff: commit-queue-	Details \| Formatted Diff \| Diff
Patch to try and fix Microsoft warning. (1.45 KB, patch) 2020-01-08 13:38 PST, Michael Saboff	no flags	Details \| Formatted Diff \| Diff
Patch (1.46 KB, patch) 2020-01-08 14:12 PST, Michael Saboff	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Saboff 2020-01-08 11:46:37 PST

Summary:
Instruction.h: Multiplication result converted to larger type: Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'.

    template<typename Traits = JSOpcodeTraits>
    size_t size() const
    {
        auto sizeShiftAmount = this->sizeShiftAmount<Traits>();
        auto prefixSize = sizeShiftAmount ? 1 : 0;
        auto operandSize = 1 << sizeShiftAmount;
        size_t sizeOfBytecode = 1;
        return sizeOfBytecode + (Traits::opcodeLengths[opcodeID<Traits>()] - 1) * operandSize + prefixSize;
Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'.
    }

fix: Change operandSize to size_t.

Comment 1 Michael Saboff 2020-01-08 11:46:53 PST

<rdar://problem/58383287>

Comment 2 Michael Saboff 2020-01-08 12:03:33 PST

Created attachment 387125 [details]
Patch

Comment 3 Michael Saboff 2020-01-08 13:36:51 PST

Comment on attachment 387125 [details]
Patch

cq- to work through Microsoft warning as error.

Comment 4 Michael Saboff 2020-01-08 13:38:27 PST

Created attachment 387135 [details]
Patch to try and fix Microsoft warning.

Comment 5 Michael Saboff 2020-01-08 14:12:48 PST

Created attachment 387139 [details]
Patch

Another try to silence the Microsoft compiler.

Comment 6 Yusuke Suzuki 2020-01-08 15:02:01 PST

Comment on attachment 387139 [details]
Patch

Note that this is suppressing some of alerts, but this old code never gets overflow since

1. operandSize is either of 1, 2, or 4 (Bytecode's operand size)
2. Bytecode opcode size is statically defined and never gets overflow in the last line of this code.

Comment 7 Michael Saboff 2020-01-08 16:52:32 PST

(In reply to Yusuke Suzuki from comment #6)
> Comment on attachment 387139 [details]
> Patch
> 
> Note that this is suppressing some of alerts, but this old code never gets
> overflow since
> 
> 1. operandSize is either of 1, 2, or 4 (Bytecode's operand size)
> 2. Bytecode opcode size is statically defined and never gets overflow in the
> last line of this code.

Agreed.

Comment 8 WebKit Commit Bot 2020-01-08 18:04:27 PST

Comment on attachment 387139 [details]
Patch

Clearing flags on attachment: 387139

Committed r254244: <https://trac.webkit.org/changeset/254244>

Comment 9 WebKit Commit Bot 2020-01-08 18:04:29 PST

All reviewed patches have been landed.  Closing bug.