RESOLVED FIXED232058
Add missing overflow check to DFGIntegerRangeOptimizationPhase::filterConstant() 
https://bugs.webkit.org/show_bug.cgi?id=232058
Summary Add missing overflow check to DFGIntegerRangeOptimizationPhase::filterConstant()
Michael Saboff
Reported 2021-10-20 17:23:37 PDT
From code review, it appears that an overflow check is needed when creating a more specific Relationship. Consider the current code: ... if (sumOverflows<int>(otherRight, other.m_offset)) return *this; int otherEffectiveRight = otherRight + other.m_offset; switch (other.m_kind) { case Equal: // Return a version of *this that is Equal to other's constant. return Relationship(m_left, m_right, Equal, otherEffectiveRight - thisRight); ... We check if other's value + offset overflows, but what about the case where otherEffectiveRight - thisRight might overflow?
Attachments
Patch (1.29 KB, patch)
2021-10-20 17:27 PDT, Michael Saboff 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2021-10-20 17:24:01 PDT
<rdar://84375007>
Michael Saboff
Comment 2 2021-10-20 17:27:11 PDT
Created attachment 441964 [details] Patch
Robin Morisset
Comment 3 2021-10-20 17:37:20 PDT
Comment on attachment 441964 [details] Patch r=me
EWS
Comment 4 2021-10-21 10:54:55 PDT
Committed r284623 (243344@main): <https://commits.webkit.org/243344@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 441964 [details].
Note You need to log in before you can comment on or make changes to this bug.