[webkit-changes] [222981] trunk/Source/JavaScriptCore

[rmorisset]

Title: [222981] trunk/Source/_javascript_Core

Revision

222981

Author

rmoris...@apple.com

Date

2017-10-06 09:33:42 -0700 (Fri, 06 Oct 2017)

Log Message

Avoid integer overflow in DFGStrengthReduction.cpp
https://bugs.webkit.org/show_bug.cgi?id=177944

Reviewed by Saam Barati.

The check that we won't do integer overflow by negating INT32_MIN was itself an integer overflow.
I think that signed integer overflow is undefined behaviour in C, so I replace it by an explicit check that value != INT32_MIN instead.

* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (222980 => 222981)

--- trunk/Source/_javascript_Core/ChangeLog	2017-10-06 16:20:04 UTC (rev 222980)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-10-06 16:33:42 UTC (rev 222981)
@@ -1,3 +1,16 @@
+2017-10-06  Robin Morisset  <rmoris...@apple.com>
+
+        Avoid integer overflow in DFGStrengthReduction.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=177944
+
+        Reviewed by Saam Barati.
+
+        The check that we won't do integer overflow by negating INT32_MIN was itself an integer overflow.
+        I think that signed integer overflow is undefined behaviour in C, so I replace it by an explicit check that value != INT32_MIN instead.
+
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+
 2017-10-05  Keith Miller  <keith_mil...@apple.com>
 
         JSC generate unified sources doesn't need to run during installhdrs.

Modified: trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp (222980 => 222981)

--- trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp	2017-10-06 16:20:04 UTC (rev 222980)
+++ trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp	2017-10-06 16:33:42 UTC (rev 222981)
@@ -155,7 +155,7 @@
             if (m_node->child2()->isInt32Constant()
                 && m_node->isBinaryUseKind(Int32Use)) {
                 int32_t value = m_node->child2()->asInt32();
-                if (-value != value) {
+                if (value != INT32_MIN) {
                     m_node->setOp(ArithAdd);
                     m_node->child2().setNode(
                         m_insertionSet.insertConstant(

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes