Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-01 22:55:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix a bunch of bugs that the fuzzers found (bug 765119, r=dvander)

Browse Source
This commit is contained in:
Marty Rosenberg 2012-10-02 04:34:28 -04:00
parent 4ec24dfa58
commit c9539d92af
3 changed files with 31 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
js/src/ion/MIR.h
View File

@ -2403,7 +2403,8 @@ class MAdd : public MBinaryArithInstruction
return false; return false;
Range *left = getOperand(0)->range(); Range *left = getOperand(0)->range();
Range *right = getOperand(1)->range(); Range *right = getOperand(1)->range();
return range()->update(Range::add(left, right)); Range next = isTruncated() ? Range::addTruncate(left,right) : Range::add(left, right);
return range()->update(next);
} }
}; };
@ -2445,7 +2446,8 @@ class MSub : public MBinaryArithInstruction
return false; return false;
Range *left = getOperand(0)->range(); Range *left = getOperand(0)->range();
Range *right = getOperand(1)->range(); Range *right = getOperand(1)->range();
return range()->update(Range::sub(left, right)); Range next = isTruncated() ? Range::subTruncate(left,right) : Range::sub(left, right);
return range()->update(next);
} }
}; };

18
js/src/ion/RangeAnalysis.cpp
View File

@ -156,7 +156,7 @@ RangeAnalysis::addBetaNobes()
if (jsop == JSOP_LT) { if (jsop == JSOP_LT) {
smaller = left; smaller = left;
greater = right; greater = right;
} else if (JSOP_GT) { } else if (jsop == JSOP_GT) {
smaller = right; smaller = right;
greater = left; greater = left;
} }
@ -321,6 +321,22 @@ Range::sub(const Range *lhs, const Range *rhs)
return ret; return ret;
} }
Range
Range::addTruncate(const Range *lhs, const Range *rhs)
{
Range ret = Truncate((int64_t)lhs->lower_ + (int64_t)rhs->lower_,
(int64_t)lhs->upper_ + (int64_t)rhs->upper_);
return ret;
}
Range
Range::subTruncate(const Range *lhs, const Range *rhs)
{
Range ret = Truncate((int64_t)lhs->lower_ - (int64_t)rhs->upper_,
(int64_t)lhs->upper_ - (int64_t)rhs->lower_);
return ret;
}
Range Range
Range::and_(const Range *lhs, const Range *rhs) Range::and_(const Range *lhs, const Range *rhs)
{ {

10
js/src/ion/RangeAnalysis.h
View File

@ -88,6 +88,14 @@ class Range {
upper_(other.upper_), upper_(other.upper_),
upper_infinite_(other.upper_infinite_) upper_infinite_(other.upper_infinite_)
{} {}
static Range Truncate(int64_t l, int64_t h) {
Range ret(l,h);
if (!ret.isFinite()) {
ret.makeLowerInfinite();
ret.makeUpperInfinite();
}
return ret;
}
static int64_t abs64(int64_t x) { static int64_t abs64(int64_t x) {
#ifdef WTF_OS_WINDOWS #ifdef WTF_OS_WINDOWS
@ -110,6 +118,8 @@ class Range {
void unionWith(const Range *other); void unionWith(const Range *other);
void unionWith(RangeChangeCount *other); void unionWith(RangeChangeCount *other);
static Range intersect(const Range *lhs, const Range *rhs, bool *nullRange); static Range intersect(const Range *lhs, const Range *rhs, bool *nullRange);
static Range addTruncate(const Range *lhs, const Range *rhs);
static Range subTruncate(const Range *lhs, const Range *rhs);
static Range add(const Range *lhs, const Range *rhs); static Range add(const Range *lhs, const Range *rhs);
static Range sub(const Range *lhs, const Range *rhs); static Range sub(const Range *lhs, const Range *rhs);
static Range mul(const Range *lhs, const Range *rhs); static Range mul(const Range *lhs, const Range *rhs);