Closed Bug 1235041 Opened 9 years ago Closed 8 years ago

[Static Analysis][Unintentional integer overflow] In functions GCSchedulingTunables::setParameter and GCRuntime::setParameter from jsgc.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1345642 )

Attachments

(1 file)

Bug 1235041.diff
2.29 KB, patch
jonco
: review+
Details | Diff | Splinter Review 
The Static Analysis tool Coverity added that there could be uintentional integer overflow in:

>>        break;
>>      case JSGC_DECOMMIT_THRESHOLD:
>>        decommitThreshold = value * 1024 * 1024;
>>        break;

and 

>>      case JSGC_HIGH_FREQUENCY_LOW_LIMIT:
>>        highFrequencyLowLimitBytes_ = value * 1024 * 1024;
>>        if (highFrequencyLowLimitBytes_ >= highFrequencyHighLimitBytes_)
>>            highFrequencyHighLimitBytes_ = highFrequencyLowLimitBytes_ + 1;
>>        MOZ_ASSERT(highFrequencyHighLimitBytes_ > highFrequencyLowLimitBytes_);
>>        break;
>>      case JSGC_HIGH_FREQUENCY_HIGH_LIMIT:
>>        MOZ_ASSERT(value > 0);
>>        highFrequencyHighLimitBytes_ = value * 1024 * 1024;

This can happen when value >= 2^12 since the result, for this we should cast value to uint64_t
Attached patch Bug 1235041.diffSplinter Review 

        Attachment #8701803 -
        Flags: review?(jorendorff)

    
    

    
  
Comment on attachment 8701803 [details] [diff] [review]
Bug 1235041.diff

Review of attachment 8701803 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, thanks for the patch!

        Attachment #8701803 -
        Flags: review?(jorendorff) → review+

    
  
Keywords: checkin-needed
Blocks: 1236564

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/c4e6bdadd2c2
Status: NEW → RESOLVED
Closed: 8 years ago

          status-firefox46:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: