Bug 811122 - Use double addition in AddOperation to avoid signed integer overflow. r=bhackett
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 26 Sep 2013 16:27:18 +0200
changeset 148810 14ad832ecbcd5cbf6d9173a29a6afd98f9f38fab
parent 148809 6a99a44e4b184be341b5b9d9a2b6607aac620a17
child 148811 7f6a64558d029276644996b44487bcba980c8b86
push id34342
push userjandemooij@gmail.com
push dateThu, 26 Sep 2013 14:30:35 +0000
reviewersbhackett
bugs811122
milestone27.0a1
Bug 811122 - Use double addition in AddOperation to avoid signed integer overflow. r=bhackett
js/src/vm/Interpreter.cpp
--- a/js/src/vm/Interpreter.cpp
+++ b/js/src/vm/Interpreter.cpp
@@ -1074,23 +1074,19 @@ ComputeImplicitThis(JSContext *cx, Handl
 }
 
 static JS_ALWAYS_INLINE bool
 AddOperation(JSContext *cx, HandleScript script, jsbytecode *pc,
              MutableHandleValue lhs, MutableHandleValue rhs, Value *res)
 {
     if (lhs.isInt32() && rhs.isInt32()) {
         int32_t l = lhs.toInt32(), r = rhs.toInt32();
-        int32_t sum = l + r;
-        if (JS_UNLIKELY(bool((l ^ sum) & (r ^ sum) & 0x80000000))) {
-            res->setDouble(double(l) + double(r));
+        double d = double(l) + double(r);
+        if (!res->setNumber(d))
             types::TypeScript::MonitorOverflow(cx, script, pc);
-        } else {
-            res->setInt32(sum);
-        }
         return true;
     }
 
     /*
      * If either operand is an object, any non-integer result must be
      * reported to inference.
      */
     bool lIsObject = lhs.isObject(), rIsObject = rhs.isObject();
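Review bot: The new fast path at the `setNumber` line depends on a return-value convention that is invisible here — the branch only reaches `MonitorOverflow` when `setNumber` returns false — so a reader has to know that false means "stored as a double" rather than "failed"; I would pin that down with a comment such as `// setNumber() stores an int32 when the sum fits and returns true; a false return means the result is a double and inference must be told about the overflow.` It is also worth noting in the same comment that the sum of two int32 values is always exactly representable as a double, so the conversion cannot round. The old code carried a `JS_UNLIKELY` on the overflow branch, which the rewrite drops; if that hint matters for the interpreter loop, `if (JS_UNLIKELY(!res->setNumber(d)))` keeps it without changing behaviour. AddOperation's body continues past the end of the hunk.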