64257 – Signed arithmetic bug in dataTransfer32

Bug 64257 - Signed arithmetic bug in dataTransfer32

Summary: Signed arithmetic bug in dataTransfer32

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Other All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-07-11 02:24 PDT by Gabor Loki
Modified:	2011-07-11 10:29 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Signed arithmetic bug in dataTransfer32 (3.09 KB, patch) 2011-07-11 02:27 PDT, Gabor Loki	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gabor Loki 2011-07-11 02:24:32 PDT

There is an arithmetic bug in dataTransfer32.

If the offset of dataTransfer is half of the addressable memory space on a 32-bit machine (-2147483648 = 0x80000000) a load instruction is emitted with a wrong zero offset.

Comment 1 Gabor Loki 2011-07-11 02:27:13 PDT

Created attachment 100257 [details]
Signed arithmetic bug in dataTransfer32

Comment 2 Zoltan Herczeg 2011-07-11 02:49:23 PDT

Comment on attachment 100257 [details]
Signed arithmetic bug in dataTransfer32

Nice catch.

Comment 3 WebKit Review Bot 2011-07-11 03:31:35 PDT

Comment on attachment 100257 [details]
Signed arithmetic bug in dataTransfer32

Clearing flags on attachment: 100257

Committed r90731: <http://trac.webkit.org/changeset/90731>

Comment 4 WebKit Review Bot 2011-07-11 03:31:39 PDT

All reviewed patches have been landed.  Closing bug.

Comment 5 Alexey Proskuryakov 2011-07-11 10:20:18 PDT

Regression test?

Comment 6 Zoltan Herczeg 2011-07-11 10:29:48 PDT

(In reply to comment #5)
> Regression test?

Seemed impossible. 0x80000000 (INT_MIN) is too big offset on a 32 bit machine. This is a "theoretical" bug.