64257 – Signed arithmetic bug in dataTransfer32

RESOLVED FIXED64257

Signed arithmetic bug in dataTransfer32

https://bugs.webkit.org/show_bug.cgi?id=64257

Summary Signed arithmetic bug in dataTransfer32

Gabor Loki

Reported 2011-07-11 02:24:32 PDT

There is an arithmetic bug in dataTransfer32. If the offset of dataTransfer is half of the addressable memory space on a 32-bit machine (-2147483648 = 0x80000000) a load instruction is emitted with a wrong zero offset.

Attachments
Signed arithmetic bug in dataTransfer32 (3.09 KB, patch) 2011-07-11 02:27 PDT, Gabor Loki	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Gabor Loki

Comment 1 2011-07-11 02:27:13 PDT

Created attachment 100257 [details] Signed arithmetic bug in dataTransfer32

Zoltan Herczeg

Comment 2 2011-07-11 02:49:23 PDT

Comment on attachment 100257 [details] Signed arithmetic bug in dataTransfer32 Nice catch.

WebKit Review Bot

Comment 3 2011-07-11 03:31:35 PDT

Comment on attachment 100257 [details] Signed arithmetic bug in dataTransfer32 Clearing flags on attachment: 100257 Committed r90731: <http://trac.webkit.org/changeset/90731>

WebKit Review Bot

Comment 4 2011-07-11 03:31:39 PDT

All reviewed patches have been landed. Closing bug.

Alexey Proskuryakov

Comment 5 2011-07-11 10:20:18 PDT

Regression test?

Zoltan Herczeg

Comment 6 2011-07-11 10:29:48 PDT

(In reply to comment #5) > Regression test? Seemed impossible. 0x80000000 (INT_MIN) is too big offset on a 32 bit machine. This is a "theoretical" bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Other

OS All

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2011-07-11 02:24 PDT

Modified

2011-07-11 10:29 PDT History

CC List

2 users Show

URL

Keywords

Depends on

Blocks