[Webkit-unassigned] [Bug 104967] javascript integer overflow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 17 14:05:33 PST 2012 

https://bugs.webkit.org/show_bug.cgi?id=104967





--- Comment #1 from Filip Pizlo <fpizlo at apple.com>  2012-12-17 14:07:50 PST ---
(In reply to comment #0)
> I stumbled upon a case where it appears that JavaScriptCore's JIT is incorrectly assuming an int32 suffices for a variable that represents a numerical sum.  When the sum grows beyond 2^32-1, the value overflows as if 2^32 were subtracted.  When I enable Web Inspector, the bug goes away, which I why I suspect the JIT compiler's at fault.
> 
> I'm on Mac OS 10.7, and I can reproduce the bug consistently on the release version of Safari -- 6.0.2 (7536.26.17) -- as well as on the latest WebKit nightly build.  The bug does NOT affect Safari 5.
> 
> Here's a demonstration: http://jsfiddle.net/T86va/

Thanks for reporting this!  Seems like a bug creeped into our backwards flow analysis: we always knew that putting a scoped var ('total' is a scoped var in the context of 'total += num') constituted a value escaping, but the format of the PutScopedVar opcode was changed so that the value being put became operand #3 - but the backward flow analysis wasn't updated.

This goes wrong because our backward flow analysis tried to optimize situations like:

total = (total + num) | 0;

In this case, we know that we don't have to detect overflow on 'total + num' because the only user of the plus will truncate to integer anyway.

On the other hand, what is supposed to happen for:

total = total + num;

is that we observe that 'total + num' is used in a context where the value count be observed in an unconstrained way, since 'total' is a scoped variable and is accessible from places not visible to us at time of compilation.  But it's this part that was broken because of the backward flow bug.

Hence we were assuming that:

- Setting total didn't cause the value to escape (because of the bug).
- The act of setting total does not by itself observe fractional or bigger-than-int values (technically, this is true).
- We could perform the integer add without checking overflow because of the above two assumptions.

The fix is just to make sure that the backward flow analysis is updated to treat the operands of PutScopedVar correctly, and flow the fact that child3 (the value being put) is UsedAsValue (i.e. could be used for we-don't-know-what).

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list