Closed Bug 811122 Opened 12 years ago Closed 11 years ago

Signed integer overflow in js::AddOperation

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla27

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [-fsanitize=signed-integer-overflow])

Attachments

(1 file)

Patch
1.22 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
The following code in js/src/jspipelines.h performs unchecked addition of two signed integers (which can actually be large enough to overflow):

> static JS_ALWAYS_INLINE bool
> AddOperation(JSContext *cx, HandleScript script, jsbytecode *pc, 
> const Value &lhs, const Value &rhs, Value *res)
> {
>     if (lhs.isInt32() && rhs.isInt32()) {
>         int32_t l = lhs.toInt32(), r = rhs.toInt32();
>         int32_t sum = l + r;


This won't lead to an immediate failure here, but signed integer overflowing is not defined according to the C standard and should not be used (INT32-C, CERT Secure Coding Standard).

jandem suggested earlier to use

> int32_t sum = uint32_t(l) + uint32_t(r);

instead but also mentioned it could be that SubOperation exhibits the same problem. That method however seems to be using doubles instead of integers, and then seems to check for NaN as result of an overflow.
Whiteboard: [-fsanitize=signed-integer-overflow]
Needinfo from Jandem (if you're not the right person, please forward to someone else, e.g. Waldo): We're trying to get rid of signed integer overflows. They are not only bad in theory, but GCC can also perform bad optimizations based on such overflows just by assuming they don't happen.

Is it possible to get a fix here? Maybe the one suggested by jandem?
Flags: needinfo?(jdemooij)
Blocks: 919486
Attached patch PatchSplinter Review 
This patch just uses double addition + setNumber. It looks simpler and with the JITs this is not performance critical. SubOperation already uses double arithmetic.

(Bug 915763 will remove the MonitorOverflow call completely.)
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #810534 - Flags: review?(bhackett1024)
Flags: needinfo?(jdemooij)
Attachment #810534 - Flags: review?(bhackett1024) → review+
If it's not performance critical we could change it to:

if (isNumber && isNumber) { toNumber () + toNumber() }
https://hg.mozilla.org/mozilla-central/rev/14ad832ecbcd
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: