[Webkit-unassigned] [Bug 196911] New: DFG IntegerRangeOptimizationPhase fails to optimize the situation when ArithAdd node's second child is a negative constant.
bugzilla-daemon at webkit.org
Mon Apr 15 00:28:04 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=196911
Bug ID: 196911
Summary: DFG IntegerRangeOptimizationPhase fails to optimize the situation when ArithAdd node's second child is a negative constant.
Product: WebKit
Version: Safari 12
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jundong.xjd at antfin.com
In DFGIntegerRangeOptimizationPhase, the `executeNode` function fails to handle an ArithAdd node correctly when the node's second child is a negative constant.
```cpp
case ArithAdd: {
    ...
    int offset = node->child2()->asInt32();
    ...
    if (offset < 0 && offset != std::numeric_limits<int>::min()) {
        // If we have "add: @value - 1" then we know that @value >= min + 1, i.e. that
        // @value > min.
        if (!sumOverflows<int>(std::numeric_limits<int>::min(), offset, -1)) { // <-- this condition is always false: intMin plus two negative values always overflows, so the relationship is never recorded
            setRelationship(
                Relationship::safeCreate(
                    node->child1().node(), m_zero, Relationship::GreaterThan,
                    std::numeric_limits<int>::min() + offset - 1),
                0);
        }
        // If we have "add: @value + 1" then we know that @add <= max - 1, i.e. that
        // @add < max.
        if (!sumOverflows<int>(std::numeric_limits<int>::max(), -offset, 1)) { // <-- likewise always false: intMax plus two positive values always overflows
            setRelationship(
                Relationship(
                    node, m_zero, Relationship::LessThan,
                    std::numeric_limits<int>::max() - offset + 1),
                0);
        }
    }
    break;
}
```
If the offset is negative, we have add: @value - C with C = -offset > 0. A non-overflowing add then tells us @value >= min + C, i.e. @value > min + C - 1. Substituting C = -offset, the final expression should be @value > min - offset - 1 (the code computes min + offset - 1).
Likewise, for add: @value - C we know @add <= max - C, i.e. @add < max - C + 1. Substituting C = -offset, the final expression should be @add < max + offset + 1 (the code computes max - offset + 1).
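The following is an added worked example, not code from JavaScriptCore or from the bug reporter. It reimplements `sumOverflows<int>` as a stand-in for the WTF helper, shows that the two guards as written in `executeNode` can never pass for a negative offset, and then checks the corrected bounds from the derivation above (`@value > min - offset - 1`, `@add < max + offset + 1`) for soundness and tightness against the plain definition of a non-overflowing int32 add. The names `correctedBounds`, `NegativeOffsetBounds` and `boundsSoundAndTight` are this example's own and do not exist in the DFG.

```cpp
#include <climits>
#include <cstdint>
#include <iostream>
#include <limits>

// Stand-in for WTF's sumOverflows<int> (assumed reimplementation, not JSC's code):
// true iff a + b + c falls outside the range of T.
template <typename T>
static bool sumOverflows(T a, T b, T c)
{
    int64_t sum = static_cast<int64_t>(a) + b + c; // int64 holds any sum of three int32s
    return sum < std::numeric_limits<T>::min() || sum > std::numeric_limits<T>::max();
}

// The guards exactly as the negative-offset branch of executeNode writes them.
static bool existingLowerGuardPasses(int offset)
{
    return !sumOverflows<int>(std::numeric_limits<int>::min(), offset, -1);
}

static bool existingUpperGuardPasses(int offset)
{
    return !sumOverflows<int>(std::numeric_limits<int>::max(), -offset, 1);
}

struct NegativeOffsetBounds {
    bool valid;           // false when the offset is not a usable negative constant
    int valueGreaterThan; // @value > this
    int addLessThan;      // @add   < this
};

// The bounds the report derives for @add = @value + offset, offset < 0, no overflow:
// @value > min - offset - 1 and @add < max + offset + 1. The guards keep the shape of
// the original code but with the signs that make them meaningful.
static NegativeOffsetBounds correctedBounds(int offset)
{
    NegativeOffsetBounds b { false, 0, 0 };
    if (offset >= 0 || offset == std::numeric_limits<int>::min())
        return b;
    if (!sumOverflows<int>(std::numeric_limits<int>::min(), -offset, -1)
        && !sumOverflows<int>(std::numeric_limits<int>::max(), offset, 1)) {
        b.valid = true;
        b.valueGreaterThan = std::numeric_limits<int>::min() - offset - 1;
        b.addLessThan = std::numeric_limits<int>::max() + offset + 1;
    }
    return b;
}

// Ground truth used to check the bounds: does value + offset leave int32 range?
static bool addOverflows(int value, int offset)
{
    return sumOverflows<int>(value, offset, 0);
}

// Soundness: every non-overflowing @value satisfies both relationships.
// Tightness: the lower bound is one below the smallest non-overflowing @value, and the
// upper bound is one above the largest possible @add.
static bool boundsSoundAndTight(int offset)
{
    NegativeOffsetBounds b = correctedBounds(offset);
    if (!b.valid)
        return false;
    const int lo = b.valueGreaterThan;
    if (addOverflows(lo + 1, offset) || !addOverflows(lo, offset))
        return false;
    // Probe a spread of in-range values, from the smallest legal @value up to INT_MAX.
    const int samples[] = { lo + 1, lo + 2, -1, 0, 1, 1000,
                            std::numeric_limits<int>::max() - 1, std::numeric_limits<int>::max() };
    for (int v : samples) {
        if (addOverflows(v, offset))
            return false;
        int add = v + offset;
        if (!(v > lo) || !(add < b.addLessThan))
            return false;
    }
    return std::numeric_limits<int>::max() + offset == b.addLessThan - 1;
}

int main()
{
    std::cout << "offset -1: existing guards pass? " << existingLowerGuardPasses(-1)
              << " " << existingUpperGuardPasses(-1) << "\n";
    NegativeOffsetBounds b = correctedBounds(-1);
    std::cout << "corrected: @value > " << b.valueGreaterThan
              << ", @add < " << b.addLessThan << "\n";
    return 0;
}
```

The original expressions `min + offset - 1` and `max - offset + 1` are deliberately not evaluated here: for a negative offset they overflow, which is undefined behaviour in C++, and that is exactly why the dead guards matter.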