RESOLVED FIXED 223284
Fixed undefined behavior bug in Const32Value::checkNegConstant().
https://bugs.webkit.org/show_bug.cgi?id=223284
Mark Lam
Reported 2021-03-16 15:19:32 PDT
This was causing a failure in testb3 on a release build.
Attachments
proposed patch. (3.07 KB, patch)
2021-03-16 15:22 PDT, Mark Lam
no flags
proposed patch. (2.45 KB, patch)
2021-03-16 15:55 PDT, Mark Lam
no flags
Mark Lam
Comment 1 2021-03-16 15:22:42 PDT
Created attachment 423402 [details] proposed patch.
Darin Adler
Comment 2 2021-03-16 15:36:57 PDT
Comment on attachment 423402 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=423402&action=review > Source/JavaScriptCore/b3/B3Const32Value.cpp:109 > - if (m_value == -m_value) > + // We're using volatile temps here to force Clang to actually compute these > + // bit values and compare them. Otherwise, Clang can just assume that they > + // are not equal since the result of (m_value == -m_value) is undefined > + // behavior. > + volatile uint32_t value = m_value; > + volatile uint32_t negatedValue = -m_value; > + if (value == negatedValue) If we’re having trouble because we’re depending on undefined behavior, I suggest we select a solution that does not involve undefined behavior. Using volatile seems like the wrong workaround, since it’s depending even more on undefined behavior, other types. The way we are using here is not what volatile is for. I suggest this solution, which should work reliably: if (m_value == std::numeric_limits<int32_t>::min()) return nullptr; > Source/JavaScriptCore/b3/B3Const64Value.cpp:110 > - if (m_value == -m_value) > + // We're using volatile temps here to force Clang to actually compute these > + // bit values and compare them. Otherwise, Clang can just assume that they > + // are not equal since the result of (m_value == -m_value) is undefined > + // behavior. > + volatile uint64_t value = m_value; > + volatile uint64_t negatedValue = -m_value; > + if (value == negatedValue) > return nullptr; Same: if (m_value == std::numeric_limits<int64_t>::min()) return nullptr;
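Review bot: In the B3Const32Value.cpp hunk the volatile workaround does not remove the undefined behavior: `-m_value` is still evaluated on the signed member, and only its result is stored into `volatile uint32_t negatedValue`, so the overflow for the most negative value happens before the volatile store and the compiler is still free to reason about it. Comparing `m_value == std::numeric_limits<int32_t>::min()` and returning nullptr, as suggested in the review, avoids the negation altogether; the B3Const64Value.cpp hunk has the same issue with int64_t.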
Mark Lam
Comment 3 2021-03-16 15:42:25 PDT
Comment on attachment 423402 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=423402&action=review >> Source/JavaScriptCore/b3/B3Const32Value.cpp:109 >> + if (value == negatedValue) > > If we’re having trouble because we’re depending on undefined behavior, I suggest we select a solution that does not involve undefined behavior. Using volatile seems like the wrong workaround, since it’s depending even more on undefined behavior, other types. The way we are using here is not what volatile is for. I suggest this solution, which should work reliably: > > if (m_value == std::numeric_limits<int32_t>::min()) > return nullptr; That's a great solution. I should have thought of that. Will give it a try.
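As an added illustration of the two checks discussed above (example code, not from the patch or from WebKit; the function names are hypothetical): the original `m_value == -m_value` comparison rewritten in unsigned arithmetic, where wraparound is defined and shows exactly which inputs it matched, next to the `numeric_limits` check from the review, which never negates the one value whose negation is unrepresentable.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <type_traits>

// Hypothetical helper: the wrapped "value == -value" test written with unsigned
// arithmetic so it is well defined. It is true for exactly two inputs, 0 and the
// most negative value; in signed arithmetic the second case is undefined
// behavior, which is what let the compiler fold the original check.
template <typename Int>
bool wrappedEqualsOwnNegation(Int value)
{
    static_assert(std::is_signed_v<Int>);
    using Unsigned = std::make_unsigned_t<Int>;
    Unsigned u = static_cast<Unsigned>(value);
    return u == static_cast<Unsigned>(Unsigned{0} - u);
}

// Hypothetical stand-in for checkNegConstant(): returns the negated constant,
// or nullopt when the negation cannot be represented. Every other value negates
// within range, so the subtraction below is well defined.
template <typename Int>
std::optional<Int> negateConstant(Int value)
{
    static_assert(std::is_signed_v<Int>);
    if (value == std::numeric_limits<Int>::min())
        return std::nullopt;
    return -value;
}

int main()
{
    // Stand-alone run: both checks over the edge values for int32_t and int64_t.
    constexpr int32_t min32 = std::numeric_limits<int32_t>::min();
    constexpr int64_t min64 = std::numeric_limits<int64_t>::min();
    bool ok = wrappedEqualsOwnNegation<int32_t>(min32)
        && wrappedEqualsOwnNegation<int32_t>(0)
        && !wrappedEqualsOwnNegation<int32_t>(7)
        && !negateConstant<int32_t>(min32).has_value()
        && negateConstant<int32_t>(-5) == 5
        && !negateConstant<int64_t>(min64).has_value();
    return ok ? 0 : 1;
}
```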
Mark Lam
Comment 4 2021-03-16 15:55:56 PDT
Created attachment 423411 [details] proposed patch.
Mark Lam
Comment 5 2021-03-16 16:02:32 PDT
Comment on attachment 423411 [details] proposed patch. Thanks for the review. Landing now.
EWS
Comment 6 2021-03-16 17:10:32 PDT
Committed r274538: <https://commits.webkit.org/r274538> All reviewed patches have been landed. Closing bug and clearing flags on attachment 423411 [details].
Radar WebKit Bug Importer
Comment 7 2021-03-16 17:11:15 PDT