Fix a few potential integer negation overflows

AFAICT none of these can actually be triggered currently; but it's still good to harden the code a little. Review URL: https://codereview.chromium.org/1058533007 Cr-Commit-Position: refs/heads/master@{#27848}

Fix a few potential integer negation overflows
AFAICT none of these can actually be triggered currently; but it's still good to harden the code a little. Review URL: https://codereview.chromium.org/1058533007 Cr-Commit-Position: refs/heads/master@{#27848}
e02807ee · jkummerow · Commit bot · 8da9252f · e02807ee · e02807ee
Commit e02807ee authored Apr 15, 2015 by jkummerow Committed by Commit bot Apr 15, 2015
8 changed files
--- a/src/arm/assembler-arm.cc
+++ b/src/arm/assembler-arm.cc
@@ -2209,6 +2209,7 @@ void Assembler::vldr(const DwVfpRegister dst,
  // Vd(15-12) | 1011(11-8) | offset
  int u = 1;
  if (offset < 0) {
+    CHECK(offset != kMinInt);
    offset = -offset;
    u = 0;
  }
@@ -2305,6 +2306,7 @@ void Assembler::vstr(const DwVfpRegister src,
  // Vd(15-12) | 1011(11-8) | (offset/4)
  int u = 1;
  if (offset < 0) {
+    CHECK(offset != kMinInt);
    offset = -offset;
    u = 0;
  }
@@ -2353,6 +2355,7 @@ void Assembler::vstr(const SwVfpRegister src,
  // Vdst(15-12) | 1010(11-8) | (offset/4)
  int u = 1;
  if (offset < 0) {
+    CHECK(offset != kMinInt);
    offset = -offset;
    u = 0;
  }

--- a/src/arm/lithium-codegen-arm.cc
+++ b/src/arm/lithium-codegen-arm.cc
@@ -3209,7 +3209,6 @@ void LCodeGen::DoLoadKeyedExternalArray(LLoadKeyed* instr) {
      elements_kind == FLOAT32_ELEMENTS ||
      elements_kind == EXTERNAL_FLOAT64_ELEMENTS ||
      elements_kind == FLOAT64_ELEMENTS) {
-    int base_offset = instr->base_offset();
    DwVfpRegister result = ToDoubleRegister(instr->result());
    Operand operand = key_is_constant
        ? Operand(constant_key << element_size_shift)

--- a/src/arm64/lithium-codegen-arm64.cc
+++ b/src/arm64/lithium-codegen-arm64.cc
@@ -4317,7 +4317,7 @@ void LCodeGen::DoMulConstIS(LMulConstIS* instr) {
  Register left =
      is_smi ? ToRegister(instr->left()) : ToRegister32(instr->left()) ;
  int32_t right = ToInteger32(instr->right());
-  DCHECK((right > -kMaxInt) || (right < kMaxInt));
+  DCHECK((right > -kMaxInt) && (right < kMaxInt));

  bool can_overflow = instr->hydrogen()->CheckFlag(HValue::kCanOverflow);
  bool bailout_on_minus_zero =

--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -2899,6 +2899,8 @@ Object* FrameDescription::GetExpression(int index) {


 void TranslationBuffer::Add(int32_t value, Zone* zone) {
+  // This wouldn't handle kMinInt correctly if it ever encountered it.
+  DCHECK(value != kMinInt);
  // Encode the sign bit in the least significant bit.
  bool is_negative = (value < 0);
  uint32_t bits = ((is_negative ? -value : value) << 1) |

--- a/src/hydrogen-dehoist.cc
+++ b/src/hydrogen-dehoist.cc
@@ -27,17 +27,18 @@ static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) {
  }

  if (!constant->HasInteger32Value()) return;
+  v8::base::internal::CheckedNumeric<int32_t> checked_value =
+      constant->Integer32Value();
  int32_t sign = binary_operation->IsSub() ? -1 : 1;
-  int32_t value = constant->Integer32Value() * sign;
-  if (value < 0) return;
+  checked_value = checked_value * sign;

  // Multiply value by elements size, bailing out on overflow.
  int32_t elements_kind_size =
      1 << ElementsKindToShiftSize(array_operation->elements_kind());
-  v8::base::internal::CheckedNumeric<int32_t> multiply_result = value;
-  multiply_result = multiply_result * elements_kind_size;
-  if (!multiply_result.IsValid()) return;
-  value = multiply_result.ValueOrDie();
+  checked_value = checked_value * elements_kind_size;
+  if (!checked_value.IsValid()) return;
+  int32_t value = checked_value.ValueOrDie();
+  if (value < 0) return;

  // Ensure that the array operation can add value to existing base offset
  // without overflowing.

--- a/src/hydrogen-instructions.cc
+++ b/src/hydrogen-instructions.cc
@@ -2230,7 +2230,9 @@ int32_t InductionVariableData::ComputeIncrement(HPhi* phi,
    HSub* operation = HSub::cast(phi_operand);
    if (operation->left() == phi &&
        operation->right()->IsInteger32Constant()) {
-      return -operation->right()->GetInteger32Constant();
+      int constant = operation->right()->GetInteger32Constant();
+      if (constant == kMinInt) return 0;
+      return -constant;
    }
  }


--- a/src/mips/lithium-codegen-mips.cc
+++ b/src/mips/lithium-codegen-mips.cc
@@ -3141,7 +3141,6 @@ void LCodeGen::DoLoadKeyedExternalArray(LLoadKeyed* instr) {
      elements_kind == FLOAT32_ELEMENTS ||
      elements_kind == EXTERNAL_FLOAT64_ELEMENTS ||
      elements_kind == FLOAT64_ELEMENTS) {
-    int base_offset = instr->base_offset();
    FPURegister result = ToDoubleRegister(instr->result());
    if (key_is_constant) {
      __ Addu(scratch0(), external_pointer, constant_key << element_size_shift);

--- a/src/mips64/lithium-codegen-mips64.cc
+++ b/src/mips64/lithium-codegen-mips64.cc
@@ -3156,7 +3156,6 @@ void LCodeGen::DoLoadKeyedExternalArray(LLoadKeyed* instr) {
      elements_kind == FLOAT32_ELEMENTS ||
      elements_kind == EXTERNAL_FLOAT64_ELEMENTS ||
      elements_kind == FLOAT64_ELEMENTS) {
-    int base_offset = instr->base_offset();
    FPURegister result = ToDoubleRegister(instr->result());
    if (key_is_constant) {
      __ Daddu(scratch0(), external_pointer,