Title: [284573] trunk/Source/_javascript_Core
Revision
284573
Author
[email protected]
Date
2021-10-20 14:45:13 -0700 (Wed, 20 Oct 2021)

Log Message

Add missing overflow checks to DFGIntegerRangeOptimizationPhase::isEquivalentTo()
https://bugs.webkit.org/show_bug.cgi?id=232024

Reviewed by Tadeu Zagallo.

Added overflow check before comparing for equality.

* dfg/DFGIntegerRangeOptimizationPhase.cpp:

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (284572 => 284573)


--- trunk/Source/_javascript_Core/ChangeLog	2021-10-20 21:42:35 UTC (rev 284572)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-20 21:45:13 UTC (rev 284573)
@@ -1,3 +1,14 @@
+2021-10-20  Michael Saboff  <[email protected]>
+
+        Add missing overflow checks to DFGIntegerRangeOptimizationPhase::isEquivalentTo()
+        https://bugs.webkit.org/show_bug.cgi?id=232024
+
+        Reviewed by Tadeu Zagallo.
+
+        Added overflow check before comparing for equality.
+
+        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+
 2021-10-20  Michael Catanzaro  <[email protected]>
 
         Do not use strerror()

Modified: trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp (284572 => 284573)


--- trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp	2021-10-20 21:42:35 UTC (rev 284572)
+++ trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp	2021-10-20 21:45:13 UTC (rev 284573)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -228,8 +228,17 @@
         if (*this == other)
             return true;
 
-        if (m_right->isInt32Constant() && other.m_right->isInt32Constant())
-            return (m_right->asInt32() + m_offset) == (other.m_right->asInt32() + other.m_offset);
+        if (m_right->isInt32Constant() && other.m_right->isInt32Constant()) {
+            int thisRight = m_right->asInt32();
+            int otherRight = other.m_right->asInt32();
+
+            if (sumOverflows<int>(thisRight, m_offset))
+                return false;
+            if (sumOverflows<int>(otherRight, other.m_offset))
+                return false;
+
+            return (thisRight + m_offset) == (otherRight + other.m_offset);
+        }
         return false;
     }
     
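Review bot: returning false when either sum overflows is the conservative direction for an equivalence predicate, since a missed equivalence only forgoes an optimization, whereas the replaced `m_right->asInt32() + m_offset` was an unchecked signed `int` addition and therefore undefined behaviour whenever the sum left the int range. If keeping precision matters, an alternative to the two early returns is to compare in 64-bit arithmetic, e.g. `int64_t(thisRight) + m_offset == int64_t(otherRight) + other.m_offset`, which cannot overflow for int32 operands and still reports equivalence when both sides would overflow identically; as written, that case is reported as not equivalent. Minor: `asInt32()` suggests `int32_t` for `thisRight`, `otherRight` and the `sumOverflows` template argument rather than `int`, so the width being checked matches the value's declared width.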
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
