WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
211030
[JSC] Handle BigInt32 INT32_MIN shift amount
https://bugs.webkit.org/show_bug.cgi?id=211030
Summary
[JSC] Handle BigInt32 INT32_MIN shift amount
Yusuke Suzuki
Reported
2020-04-25 14:27:28 PDT
...
Attachments
Patch
(4.82 KB, patch)
2020-04-25 15:01 PDT
,
Yusuke Suzuki
darin
: review+
Details
Formatted Diff
Diff
Patch for landing
(4.41 KB, patch)
2020-04-25 18:58 PDT
,
Yusuke Suzuki
no flags
Details
Formatted Diff
Diff
Patch for landing
(4.08 KB, patch)
2020-04-25 19:07 PDT
,
Yusuke Suzuki
no flags
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1
2020-04-25 15:01:46 PDT
Created
attachment 397588
[details]
Patch
Darin Adler
Comment 2
2020-04-25 18:06:57 PDT
Comment on
attachment 397588
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=397588&action=review
> Source/JavaScriptCore/ChangeLog:3 > + [JSC] Handle BitInt32 INT32_MIN shift amount
typo: BigInt32
> Source/JavaScriptCore/runtime/Operations.h:776 > + if (rightInt32 == INT32_MIN) { > + // Shift-amount is 0x80000000. For right-shift, shift-amount is reduced to 31. > + if (!isLeft) > + return jsBigInt32(leftInt32 >> 31); > + // Left-shift with 0x80000000 produces too large BigInt, and throws a RangeError. > + // But when leftInt32 is zero, we should return zero. > + if (!leftInt32) > + return jsBigInt32(0); > + throwRangeError(globalObject, scope, "BigInt generated from this operation is too big"_s); > + return { }; > + } > rightInt32 = -rightInt32;
Would this simpler implementation still gives us the correct result? if (rightInt32 == INT32_MIN) rightInt32 = INT32_MAX; // Shifts one less than requested, but makes no observable difference. else rightInt32 = -rightInt32; Would you consider it if it does?
Yusuke Suzuki
Comment 3
2020-04-25 18:54:21 PDT
Comment on
attachment 397588
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=397588&action=review
Thanks!
>> Source/JavaScriptCore/ChangeLog:3 >> + [JSC] Handle BitInt32 INT32_MIN shift amount > > typo: BigInt32
Ooops, fixed.
>> Source/JavaScriptCore/runtime/Operations.h:776 >> rightInt32 = -rightInt32; > > Would this simpler implementation still gives us the correct result? > > if (rightInt32 == INT32_MIN) > rightInt32 = INT32_MAX; // Shifts one less than requested, but makes no observable difference. > else > rightInt32 = -rightInt32; > > Would you consider it if it does?
Good point! Right, sounds simpler. Fixed.
Yusuke Suzuki
Comment 4
2020-04-25 18:58:19 PDT
Created
attachment 397604
[details]
Patch for landing
Yusuke Suzuki
Comment 5
2020-04-25 19:07:03 PDT
Created
attachment 397605
[details]
Patch for landing
EWS
Comment 6
2020-04-25 21:44:26 PDT
Committed
r260720
: <
https://trac.webkit.org/changeset/260720
> All reviewed patches have been landed. Closing bug and clearing flags on
attachment 397605
[details]
.
Radar WebKit Bug Importer
Comment 7
2020-04-25 21:45:26 PDT
<
rdar://problem/62380341
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug