Closed Bug 1235041 Opened 4 years ago Closed 4 years ago

[Static Analysis][Unintentional integer overflow] In functions GCSchedulingTunables::setParameter and GCRuntime::setParameter from jsgc.cpp

Categories

(Core :: JavaScript Engine, defect)


Tracking


RESOLVED FIXED
mozilla46
Tracking Status
firefox46 --- fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1345642 )

Attachments

(1 file)

The Static Analysis tool Coverity added that there could be unintentional integer overflow in:

>>        break;
>>      case JSGC_DECOMMIT_THRESHOLD:
>>        decommitThreshold = value * 1024 * 1024;
>>        break;

and 

>>      case JSGC_HIGH_FREQUENCY_LOW_LIMIT:
>>        highFrequencyLowLimitBytes_ = value * 1024 * 1024;
>>        if (highFrequencyLowLimitBytes_ >= highFrequencyHighLimitBytes_)
>>            highFrequencyHighLimitBytes_ = highFrequencyLowLimitBytes_ + 1;
>>        MOZ_ASSERT(highFrequencyHighLimitBytes_ > highFrequencyLowLimitBytes_);
>>        break;
>>      case JSGC_HIGH_FREQUENCY_HIGH_LIMIT:
>>        MOZ_ASSERT(value > 0);
>>        highFrequencyHighLimitBytes_ = value * 1024 * 1024;

This can happen when value >= 2^12, since the result overflows; for this we should cast value to uint64_t.
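An added example (not code from this bug or from SpiderMonkey) contrasting the 32-bit multiply quoted above with the widened form the reporter proposes, and showing what the quoted high/low-limit clamp does when the low limit has wrapped; the function and struct names are hypothetical and the sample values are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Unfixed form of the conversion quoted from jsgc.cpp: every operand is
// 32-bit, so the product is computed in uint32_t and wraps for value >= 2^12.
uint32_t megabytesToBytesWrapping(uint32_t value) {
    return value * 1024 * 1024;
}

// Proposed fix: widen first so the multiply happens in 64 bits.
uint64_t megabytesToBytes(uint32_t value) {
    return static_cast<uint64_t>(value) * 1024 * 1024;
}

// True when the exact product does not fit in 32 bits, i.e. the unfixed
// code would have silently wrapped for this input.
bool wouldOverflow32(uint32_t value) {
    return megabytesToBytes(value) > std::numeric_limits<uint32_t>::max();
}

// Hypothetical stand-in for the highFrequency{Low,High}LimitBytes_ pair.
struct HighFrequencyLimits { uint64_t low; uint64_t high; };

// Mirrors the JSGC_HIGH_FREQUENCY_LOW_LIMIT clamp quoted above. With the
// wrapping conversion a 4096 MiB request becomes low = 0, which then drags
// the high limit down to 1 byte; with the widened conversion it does not.
HighFrequencyLimits setLowLimit(HighFrequencyLimits l, uint32_t valueMB, bool widened) {
    l.low = widened ? megabytesToBytes(valueMB) : megabytesToBytesWrapping(valueMB);
    if (l.low >= l.high)
        l.high = l.low + 1;
    return l;
}

int main() {
    const uint32_t samples[] = {1, 4095, 4096, 4097};  // constructed inputs (MiB)
    for (uint32_t v : samples) {
        std::printf("%5u MiB -> 32-bit %10u, 64-bit %14llu%s\n", v,
                    megabytesToBytesWrapping(v),
                    static_cast<unsigned long long>(megabytesToBytes(v)),
                    wouldOverflow32(v) ? "  (wrapped)" : "");
    }
    HighFrequencyLimits start{100u << 20, 500u << 20};
    HighFrequencyLimits bad = setLowLimit(start, 4096, false);
    HighFrequencyLimits ok = setLowLimit(start, 4096, true);
    std::printf("wrapping: low=%llu high=%llu\n",
                (unsigned long long)bad.low, (unsigned long long)bad.high);
    std::printf("widened:  low=%llu high=%llu\n",
                (unsigned long long)ok.low, (unsigned long long)ok.high);
    return 0;
}
```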
Attached patch Bug 1235041.diff
Attachment #8701803 - Flags: review?(jorendorff)
Comment on attachment 8701803 [details] [diff] [review]
Bug 1235041.diff

Review of attachment 8701803 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, thanks for the patch!
Attachment #8701803 - Flags: review?(jorendorff) → review+
Keywords: checkin-needed
Blocks: 1236564
https://hg.mozilla.org/mozilla-central/rev/c4e6bdadd2c2
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46