[ubsan] Fix integer overflow in compiler

Negating the maximum int32 failed in ubsan. Use {base::NegateWithWraparound} to avoid UB. R=jkummerow@chromium.org Bug: chromium:980007 Change-Id: If52a3bb3158eb5b465e7bd29deaffc0b18660360 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683993Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#62470}

[ubsan] Fix integer overflow in compiler
Negating the maximum int32 failed in ubsan. Use {base::NegateWithWraparound} to avoid UB. R=jkummerow@chromium.org Bug: chromium:980007 Change-Id: If52a3bb3158eb5b465e7bd29deaffc0b18660360 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683993Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#62470}
a420d20c · Clemens Hammacher · Commit Bot · f03430fe · a420d20c · a420d20c
Commit a420d20c authored Jul 01, 2019 by Clemens Hammacher Committed by Commit Bot Jul 01, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 1 deletion

instruction-selector-x64.cc src/compiler/backend/x64/instruction-selector-x64.cc +2 -1

regress-980007.js test/mjsunit/regress/wasm/regress-980007.js +14 -0

No files found.
--- a/src/compiler/backend/x64/instruction-selector-x64.cc
+++ b/src/compiler/backend/x64/instruction-selector-x64.cc
@@ -898,7 +898,8 @@ void InstructionSelector::VisitInt32Sub(Node* node) {
      // Omit truncation and turn subtractions of constant values into immediate
      // "leal" instructions by negating the value.
      Emit(kX64Lea32 | AddressingModeField::encode(kMode_MRI),
-           g.DefineAsRegister(node), int64_input, g.TempImmediate(-imm));
+           g.DefineAsRegister(node), int64_input,
+           g.TempImmediate(base::NegateWithWraparound(imm)));
    }
    return;
  }

--- a/test/mjsunit/regress/wasm/regress-980007.js
+++ b/test/mjsunit/regress/wasm/regress-980007.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addFunction(undefined, kSig_i_i).addBody([
+  kExprI64Const, 0x01,
+  kExprI32ConvertI64,
+  kExprI32Const, 0x80, 0x80, 0x80, 0x80, 0x78,
+  kExprI32Sub,
+]);
+builder.instantiate();