[Webkit-unassigned] [Bug 196911] New: DFG IntegerRangeOptimizationPhase fails to optimize the situation when ArithAdd node's second child is a negative constant.

bugzilla-daemon at webkit.org
Mon Apr 15 00:28:04 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=196911

            Bug ID: 196911
           Summary: DFG IntegerRangeOptimizationPhase fails to optimize
                    the situation when ArithAdd node's second child is a
                    negative constant.
           Product: WebKit
           Version: Safari 12
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jundong.xjd at antfin.com

In DFGIntegerRangeOptimizationPhase, the `executeNode` function fails to correctly deal with an ArithAdd node when the node's second child is a negative constant.
```
case ArithAdd: {
    ...

    int offset = node->child2()->asInt32();

    ...

    if (offset < 0 && offset != std::numeric_limits<int>::min()) {
        // If we have "add: @value - 1" then we know that @value >= min + 1, i.e. that
        // @value > min.
        if (!sumOverflows<int>(std::numeric_limits<int>::min(), offset, -1)) { // <-- this line definitely returns false, because intMin plus two negative values definitely overflows!
            setRelationship(
                Relationship::safeCreate(
                    node->child1().node(), m_zero, Relationship::GreaterThan,
                    std::numeric_limits<int>::min() + offset - 1),
                0);
        }

        // If we have "add: @value + 1" then we know that @add <= max - 1, i.e. that
        // @add < max.
        if (!sumOverflows<int>(std::numeric_limits<int>::max(), -offset, 1)) { // <-- intMax plus two positive values definitely overflows!
            setRelationship(
                Relationship(
                    node, m_zero, Relationship::LessThan,
                    std::numeric_limits<int>::max() - offset + 1),
                0);
        }
    }
    break;
}
```
If the offset is negative, we have add: @value - C, so we know @value >= min + C, i.e. @value > min + C - 1. C equals -offset, so the final expression should be @value > min - offset - 1.
If the offset is negative, we have add: @value - C, so we know @add <= max - C, i.e. @add < max - C + 1. C equals -offset, so the final expression should be @add < max + offset + 1.
