Closed Bug 998167 Opened 11 years ago Closed 11 years ago

Fix signed integer overflow in EvaluateConstantOperands

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla31

People

(Reporter: sunfish, Assigned: sunfish)

Details

Attachments

(1 file)

vn-undefined-behavior.patch 11 years ago Dan Gohman [:sunfish] 1.43 KB, patch	nbp : review+	Details \| Diff \| Splinter Review

Dan Gohman [:sunfish]

Assignee

Description

•

11 years ago

The code in EvaluateConstantOperands for folding an Lsh operator uses a signed left shift. This invokes undefined behavior if the computation overflows.

Dan Gohman [:sunfish]

Assignee

Comment 1

•

11 years ago

Attached patch vn-undefined-behavior.patch — Details — Splinter Review

This patch changes Lsh to use an unsigned shift instead of a signed shift to fix the undefined behavior, and also tidies up the Ursh case to look similar.

Assignee: nobody → sunfish

Attachment #8408725 - Flags: review?(nicolas.b.pierron)

Nicolas B. Pierron [:nbp]

Updated

•

11 years ago

Attachment #8408725 - Flags: review?(nicolas.b.pierron) → review+

Ryan VanderMeulen [:RyanVM]

Comment 2

•

11 years ago

https://hg.mozilla.org/mozilla-central/rev/76e21dbec835

Status: NEW → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla31

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Fix signed integer overflow in EvaluateConstantOperands

Categories

(Core :: JavaScript Engine: JIT, enhancement)

Tracking

()

People

(Reporter: sunfish, Assigned: sunfish)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Attachment

General

Description

File Name

Content Type