Bug 205945

Summary: Instruction.h: Multiplication result converted to larger type
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ews-watchlist, keith_miller, mark.lam, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
mark.lam: review+, msaboff: commit-queue-
Patch to try and fix Microsoft warning.
none
Patch none

Description Michael Saboff 2020-01-08 11:46:37 PST 
Summary:
Instruction.h: Multiplication result converted to larger type: Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'.

    template<typename Traits = JSOpcodeTraits>
    size_t size() const
    {
        auto sizeShiftAmount = this->sizeShiftAmount<Traits>();
        auto prefixSize = sizeShiftAmount ? 1 : 0;
        auto operandSize = 1 << sizeShiftAmount;
        size_t sizeOfBytecode = 1;
        return sizeOfBytecode + (Traits::opcodeLengths[opcodeID<Traits>()] - 1) * operandSize + prefixSize;
Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'.
    }

fix: Change operandSize to size_t.
Comment 1 Michael Saboff 2020-01-08 11:46:53 PST 
<rdar://problem/58383287>
Comment 2 Michael Saboff 2020-01-08 12:03:33 PST 
Created attachment 387125 [details]
Patch
Comment 3 Michael Saboff 2020-01-08 13:36:51 PST 
Comment on attachment 387125 [details]
Patch

cq- to work through Microsoft warning as error.
Comment 4 Michael Saboff 2020-01-08 13:38:27 PST 
Created attachment 387135 [details]
Patch to try and fix Microsoft warning.
Comment 5 Michael Saboff 2020-01-08 14:12:48 PST 
Created attachment 387139 [details]
Patch

Another try to silence the Microsoft compiler.
Comment 6 Yusuke Suzuki 2020-01-08 15:02:01 PST 
Comment on attachment 387139 [details]
Patch

Note that this is suppressing some of alerts, but this old code never gets overflow since

1. operandSize is either of 1, 2, or 4 (Bytecode's operand size)
2. Bytecode opcode size is statically defined and never gets overflow in the last line of this code.
Comment 7 Michael Saboff 2020-01-08 16:52:32 PST 
(In reply to Yusuke Suzuki from comment #6)
> Comment on attachment 387139 [details]
> Patch
> 
> Note that this is suppressing some of alerts, but this old code never gets
> overflow since
> 
> 1. operandSize is either of 1, 2, or 4 (Bytecode's operand size)
> 2. Bytecode opcode size is statically defined and never gets overflow in the
> last line of this code.

Agreed.
Comment 8 WebKit Commit Bot 2020-01-08 18:04:27 PST 
Comment on attachment 387139 [details]
Patch

Clearing flags on attachment: 387139

Committed r254244: <https://trac.webkit.org/changeset/254244>
Comment 9 WebKit Commit Bot 2020-01-08 18:04:29 PST 
All reviewed patches have been landed.  Closing bug.