Skip to content

Commit b3009cc

Browse files
schuayCommit Bot
schuay
authored and
Commit Bot
committed
[typedarray] Fix signed-ness of pointer comparisons
While the affect values must be valid addresses & thus will not overflow the IntPtr type, they need to be interpreted as unsigned in comparisons. Bug: chromium:792549, v8:7123, v8:3590 Change-Id: I864b50c8dbdc297d70bf83c74a83cc466c5f3eb0 Reviewed-on: https://chromium-review.googlesource.com/814395 Commit-Queue: Peter Marshall <[email protected]> Reviewed-by: Peter Marshall <[email protected]> Cr-Commit-Position: refs/heads/master@{#49937}
1 parent 41f9282 commit b3009cc

1 file changed

Lines changed: 5 additions & 5 deletions

File tree

src/builtins/builtins-typedarray-gen.cc

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -799,7 +799,7 @@ void TypedArrayBuiltinsAssembler::SetTypedArraySource(
799799
// means we're safe from overflows in the following multiplication.
800800
TNode<IntPtrT> source_byte_length = IntPtrMul(source_length, source_el_size);
801801
CSA_ASSERT(this,
802-
IntPtrGreaterThanOrEqual(source_byte_length, IntPtrConstant(0)));
802+
UintPtrGreaterThanOrEqual(source_byte_length, IntPtrConstant(0)));
803803

804804
Label call_memmove(this), fast_c_call(this), out(this);
805805

@@ -825,17 +825,17 @@ void TypedArrayBuiltinsAssembler::SetTypedArraySource(
825825

826826
TNode<IntPtrT> target_byte_length =
827827
IntPtrMul(target_length, target_el_size);
828-
CSA_ASSERT(this,
829-
IntPtrGreaterThanOrEqual(target_byte_length, IntPtrConstant(0)));
828+
CSA_ASSERT(
829+
this, UintPtrGreaterThanOrEqual(target_byte_length, IntPtrConstant(0)));
830830

831831
TNode<IntPtrT> target_data_end_ptr =
832832
IntPtrAdd(target_data_ptr, target_byte_length);
833833
TNode<IntPtrT> source_data_end_ptr =
834834
IntPtrAdd(source_data_ptr, source_byte_length);
835835

836836
GotoIfNot(
837-
Word32Or(IntPtrLessThanOrEqual(target_data_end_ptr, source_data_ptr),
838-
IntPtrLessThanOrEqual(source_data_end_ptr, target_data_ptr)),
837+
Word32Or(UintPtrLessThanOrEqual(target_data_end_ptr, source_data_ptr),
838+
UintPtrLessThanOrEqual(source_data_end_ptr, target_data_ptr)),
839839
call_runtime);
840840

841841
TNode<IntPtrT> source_length =

0 commit comments

Comments
 (0)