Skip to site navigation (Press enter)

[webkit-changes] [223518] releases/WebKitGTK/webkit-2.18/Source/JavaScriptCore

carlosgc Tue, 17 Oct 2017 04:37:33 -0700

Title: [223518] releases/WebKitGTK/webkit-2.18/Source/_javascript_Core

Revision: 223518
Author: [email protected]
Date: 2017-10-17 04:36:56 -0700 (Tue, 17 Oct 2017)

Log Message

Merge r222981 - Avoid integer overflow in DFGStrengthReduction.cpp
https://bugs.webkit.org/show_bug.cgi?id=177944


Reviewed by Saam Barati.

The check that we won't do integer overflow by negating INT32_MIN was itself an integer overflow.
I think that signed integer overflow is undefined behaviour in C, so I replace it by an explicit check that value != INT32_MIN instead.

* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):

Modified Paths

releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog
releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp

Diff

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog (223517 => 223518)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2017-10-17 11:35:50 UTC (rev 223517)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2017-10-17 11:36:56 UTC (rev 223518)
@@ -1,3 +1,16 @@
+2017-10-06  Robin Morisset  <[email protected]>
+
+        Avoid integer overflow in DFGStrengthReduction.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=177944
+
+        Reviewed by Saam Barati.
+
+        The check that we won't do integer overflow by negating INT32_MIN was itself an integer overflow.
+        I think that signed integer overflow is undefined behaviour in C, so I replace it by an explicit check that value != INT32_MIN instead.
+
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+
 2017-10-05  Carlos Alberto Lopez Perez  <[email protected]>
 
         Generate a compile error if release is built without compiler optimizations

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp (223517 => 223518)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp	2017-10-17 11:35:50 UTC (rev 223517)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp	2017-10-17 11:36:56 UTC (rev 223518)
@@ -155,7 +155,7 @@
             if (m_node->child2()->isInt32Constant()
                 && m_node->isBinaryUseKind(Int32Use)) {
                 int32_t value = m_node->child2()->asInt32();
-                if (-value != value) {
+                if (value != INT32_MIN) {
                     m_node->setOp(ArithAdd);
                     m_node->child2().setNode(
                         m_insertionSet.insertConstant(

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes