[Webkit-unassigned] [Bug 80465] New: Integer overflow check code in arithmetic operation in classic interpreter

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 6 18:04:10 PST 2012 

https://bugs.webkit.org/show_bug.cgi?id=80465

           Summary: Integer overflow check code in arithmetic operation in
                    classic interpreter
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Minor
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: sg5.lee at samsung.com
                CC: fpizlo at apple.com


Classic Interpreter checks whether integer arithmetic operation will cause overflow in privateExecute().

Currently the check code is like followings:

    DEFINE_OPCODE(op_add) {
        /* add dst(r) src1(r) src2(r)

           Adds register src1 and register src2, and puts the result
           in register dst. (JS add may be string concatenation or
           numeric add, depending on the types of the operands.)
        */
        int dst = vPC[1].u.operand;
        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
        if (src1.isInt32() && src2.isInt32() && !(src1.asInt32() | (src2.asInt32() & 0xc0000000))) // no overflow            callFrame->uncheckedR(dst) = jsNumber(src1.asInt32() + src2.asInt32());
        else {
            JSValue result = jsAdd(callFrame, src1, src2);
            CHECK_FOR_EXCEPTION();
            callFrame->uncheckedR(dst) = result;
        }


I can't understand the test condition

   ... && !(src1.asInt32() | (src2.asInt32() & 0xc0000000))) // no overflow

If src1 is not zero, it would falling to else condition (jsAdd).

For simple example, both src1 and src2 is 1, it fails the condition:

   ... && !((src1.asInt32() | src2.asInt32()) & 0xc0000000))


I wonder if is a mistake, and the original intention is 

   ... && !((src1.asInt32() | src2.asInt32()) & 0xc0000000))


Please see the change in parenthesis.

If both of src1 and src2 have most two significant bits as zero, no overflow can occurs.
Although, it is conservative, but is fast and simple check.

op_sub has same condition.


I have same question about op_mul.


        if (src1.isInt32() && src2.isInt32() && !(src1.asInt32() | src2.asInt32() >> 15)) // no overflow


the test expression should be like followings:


 ... && !( (src1.asInt32() | src2.asInt32()) >> 15)) // no overflow


Please see added parenthesis. 
Since bit-shift operator's precedence is high than bit OR, parenthesis is necessary.

If both src1 and src2 have most 16 significant bits as zero, no overflow can occurs.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list