[INFER] Avoid (unreachable) integer overflow when setting holes in dense arrays, bug 642592.

Brian Hackett 2011-03-19 10:31:36 -07:00
parent 545818365f
commit 55652ce0ff
2 changed files with 8 additions and 2 deletions


@ -0,0 +1,2 @@
var strings = new Array();
strings[0x7fffffff] = 0;


@ -1095,8 +1095,12 @@ IsCacheableSetElem(FrameEntry *obj, FrameEntry *id, FrameEntry *value)
return false;
if (id->isNotType(JSVAL_TYPE_INT32))
return false;
if (id->isConstant() && id->getValue().toInt32() < 0)
if (id->isConstant()) {
if (id->getValue().toInt32() < 0)
return false;
if (id->getValue().toInt32() + 1 < 0) // watch for overflow in hole paths
return false;
}
// obj[obj] * is not allowed, since it will never optimize.
// obj[id] = id is allowed.
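Review bot: The new guard `if (id->getValue().toInt32() + 1 < 0)` detects the overflow by performing it. For the constant index 0x7fffffff used in the added test, the `+ 1` is signed 32-bit overflow, which is undefined behaviour in C++, so an optimizing compiler may assume the sum is never negative and drop the branch. Compare against the limit instead of computing the sum, for example `if (id->getValue().toInt32() == INT32_MAX) // index + 1 would overflow in hole paths`, using the tree's own max-int constant if it has one. Reading `toInt32()` once into a local would also keep the two range checks on the same value. IsCacheableSetElem starts and ends outside this hunk, so whether non-constant ids are covered elsewhere cannot be judged from here.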