Bug 232058 - Add missing overflow check to DFGIntegerRangeOptimizationPhase::filterConstant()
Summary: Add missing overflow check to DFGIntegerRangeOptimizationPhase::filterConstant()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-10-20 17:23 PDT by Michael Saboff
Modified: 2021-10-21 16:02 PDT
CC List: 7 users

See Also:


Attachments
Patch (1.29 KB, patch)
2021-10-20 17:27 PDT, Michael Saboff

Description Michael Saboff 2021-10-20 17:23:37 PDT
From code review, it appears that an overflow check is needed when creating a more specific Relationship.

Consider the current code:
   ...
        if (sumOverflows<int>(otherRight, other.m_offset))
            return *this;

        int otherEffectiveRight = otherRight + other.m_offset;

        switch (other.m_kind) {
        case Equal:
            // Return a version of *this that is Equal to other's constant.
            return Relationship(m_left, m_right, Equal, otherEffectiveRight - thisRight);
    ...

We check if other's value + offset overflows, but what about the case where otherEffectiveRight - thisRight might overflow?
Comment 1 Michael Saboff 2021-10-20 17:24:01 PDT
<rdar://84375007>
Comment 2 Michael Saboff 2021-10-20 17:27:11 PDT
Created attachment 441964 [details]
Patch
Comment 3 Robin Morisset 2021-10-20 17:37:20 PDT
Comment on attachment 441964 [details]
Patch

r=me
Comment 4 EWS 2021-10-21 10:54:55 PDT
Committed r284623 (243344@main): <https://commits.webkit.org/243344@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 441964 [details].