223697 2021-03-24 10:05:10 -0700 Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: 65537 * 65537 cannot be represented in type 'int' 2021-03-24 12:31:15 -0700 1 1 1 Unclassified WebKit Layout and Rendering WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=176131 InRadar P2 Normal --- 1 cdumez cdumez bfulgham darin ggaren sam simon.fraser webkit-bug-importer zalan oldest_to_newest 1743370 0 cdumez 2021-03-24 10:05:10 -0700 Fix bug found by UBSan: - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: 65537 * 65537 cannot be represented in type 'int' - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: 65536 * 65536 cannot be represented in type 'int' - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: 1116300 * 558150 cannot be represented in type 'int' - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: -33554432 * -33554432 cannot be represented in type 'int' 1743373 1 424150 cdumez 2021-03-24 10:13:40 -0700 Created attachment 424150 Patch 1743379 2 424150 darin 2021-03-24 10:20:50 -0700 Comment on attachment 424150 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=424150&action=review > Source/WebCore/ChangeLog:13 > + - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: -33554432 * -33554432 cannot be represented in type 'int' Surprised that we are computing area of sizes that have negative width or height. > Source/WebCore/page/FrameView.h:994 > + if (UNLIKELY(area.hasOverflowed())) Makes me wish Checked had a "saturation" mode so we didn’t have to write such extensive code. 1743380 3 cdumez 2021-03-24 10:21:55 -0700 (In reply to Darin Adler from comment #2) > Comment on attachment 424150 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=424150&action=review > > > Source/WebCore/ChangeLog:13 > > + - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: -33554432 * -33554432 cannot be represented in type 'int' > > Surprised that we are computing area of sizes that have negative width or > height. I suspect the values may already overflowed before this function call. > > > Source/WebCore/page/FrameView.h:994 > > + if (UNLIKELY(area.hasOverflowed())) > > Makes me wish Checked had a "saturation" mode so we didn’t have to write > such extensive code. 1743397 4 zalan 2021-03-24 10:36:21 -0700 no test case? I am curios how we end up with negative size here. 1743398 5 darin 2021-03-24 10:37:49 -0700 I believe the test case is "our entire regression test suite run when WebKit is compiled with UBSan". 1743399 6 cdumez 2021-03-24 10:38:07 -0700 (In reply to zalan from comment #4) > no test case? I am curios how we end up with negative size here. The UBSan warnings are triggered by our test suite so the values showed in the errors should already be covered by our test suite. 1743401 7 cdumez 2021-03-24 10:38:53 -0700 (In reply to zalan from comment #4) > no test case? I am curios how we end up with negative size here. I believe you should be able to add assertions then run the test suite and hopefully find out :) 1743402 8 zalan 2021-03-24 10:39:31 -0700 (In reply to Chris Dumez from comment #6) > (In reply to zalan from comment #4) > > no test case? I am curios how we end up with negative size here. > > The UBSan warnings are triggered by our test suite so the values showed in > the errors should already be covered by our test suite. Can we figure out what test triggered this? This may have correctness implications as well. 1743403 9 zalan 2021-03-24 10:39:41 -0700 (In reply to Chris Dumez from comment #7) > (In reply to zalan from comment #4) > > no test case? I am curios how we end up with negative size here. > > I believe you should be able to add assertions then run the test suite and > hopefully find out :) ok 1743470 10 ews-feeder 2021-03-24 12:30:17 -0700 Committed r274958: <https://commits.webkit.org/r274958> All reviewed patches have been landed. Closing bug and clearing flags on attachment 424150. 1743474 11 webkit-bug-importer 2021-03-24 12:31:15 -0700 <rdar://problem/75799187> 424150 2021-03-24 10:13:40 -0700 2021-03-24 12:30:18 -0700 Patch bug-223697-20210324101339.patch text/plain 2371 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjc0OTQxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYjQwMWQ3MzZiZWY2M2M5 YzNlODQ1N2E3ZjdiNDliMDA5OTBjZjNhMS4uMzZjYmZmNDc1NTlhMTRjYzhiZGE4OWJjYWFiYzc4 NzE2MjM2Y2RjNyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIwIEBACisyMDIxLTAzLTI0ICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CisKKyAgICAgICAgU291cmNlL1dlYkNvcmUvcGFn ZS9GcmFtZVZpZXcuaDo5OTA6NTA6IHJ1bnRpbWUgZXJyb3I6IHNpZ25lZCBpbnRlZ2VyIG92ZXJm bG93OiA2NTUzNyAqIDY1NTM3IGNhbm5vdCBiZSByZXByZXNlbnRlZCBpbiB0eXBlICdpbnQnCisg ICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMjM2OTcKKwor ICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBNYWtlIHN1cmUg RnJhbWVWaWV3OjppbmNyZW1lbnRWaXN1YWxseU5vbkVtcHR5UGl4ZWxDb3VudCgpIGRlYWxzIHdp dGggb3ZlcmZsb3dzIGluIGEgd2VsbC1kZWZpbmVkCisgICAgICAgIG1hbm5lci4gVGhpcyBmaXhl cyB0aGUgZm9sbG93aW5nIHJlcG9ydHMgZnJvbSBVQlNhbjoKKyAgICAgICAgLSBTb3VyY2UvV2Vi Q29yZS9wYWdlL0ZyYW1lVmlldy5oOjk5MDo1MDogcnVudGltZSBlcnJvcjogc2lnbmVkIGludGVn ZXIgb3ZlcmZsb3c6IDY1NTM3ICogNjU1MzcgY2Fubm90IGJlIHJlcHJlc2VudGVkIGluIHR5cGUg J2ludCcKKyAgICAgICAgLSBTb3VyY2UvV2ViQ29yZS9wYWdlL0ZyYW1lVmlldy5oOjk5MDo1MDog cnVudGltZSBlcnJvcjogc2lnbmVkIGludGVnZXIgb3ZlcmZsb3c6IDY1NTM2ICogNjU1MzYgY2Fu bm90IGJlIHJlcHJlc2VudGVkIGluIHR5cGUgJ2ludCcKKyAgICAgICAgLSBTb3VyY2UvV2ViQ29y ZS9wYWdlL0ZyYW1lVmlldy5oOjk5MDo1MDogcnVudGltZSBlcnJvcjogc2lnbmVkIGludGVnZXIg b3ZlcmZsb3c6IDExMTYzMDAgKiA1NTgxNTAgY2Fubm90IGJlIHJlcHJlc2VudGVkIGluIHR5cGUg J2ludCcKKyAgICAgICAgLSBTb3VyY2UvV2ViQ29yZS9wYWdlL0ZyYW1lVmlldy5oOjk5MDo1MDog cnVudGltZSBlcnJvcjogc2lnbmVkIGludGVnZXIgb3ZlcmZsb3c6IC0zMzU1NDQzMiAqIC0zMzU1 NDQzMiBjYW5ub3QgYmUgcmVwcmVzZW50ZWQgaW4gdHlwZSAnaW50JworCisgICAgICAgICogcGFn ZS9GcmFtZVZpZXcuaDoKKyAgICAgICAgKFdlYkNvcmU6OkZyYW1lVmlldzo6aW5jcmVtZW50Vmlz dWFsbHlOb25FbXB0eVBpeGVsQ291bnQpOgorCiAyMDIxLTAzLTI0ICBBbnRvaW5lIFF1aW50ICA8 Z3Jhb3V0c0B3ZWJraXQub3JnPgogCiAgICAgICAgIFN1cHBvcnQgYW5pbWF0aW9uIG9mIHRoZSB0 YWItc2l6ZSBDU1MgcHJvcGVydHkKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BhZ2UvRnJh bWVWaWV3LmggYi9Tb3VyY2UvV2ViQ29yZS9wYWdlL0ZyYW1lVmlldy5oCmluZGV4IGVkOWIzNzk1 ODJjOTgyNTViNmExM2RjMDY3ZDM3NGUwYjg5NmQxZWQuLjA2YWUzYTQ3MTEwYzU3NDcwMzMwZmY5 NTljZTNjOGZiM2YzZjY1Y2IgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BhZ2UvRnJhbWVW aWV3LmgKKysrIGIvU291cmNlL1dlYkNvcmUvcGFnZS9GcmFtZVZpZXcuaApAQCAtOTg5LDcgKzk4 OSwxMiBAQCBpbmxpbmUgdm9pZCBGcmFtZVZpZXc6OmluY3JlbWVudFZpc3VhbGx5Tm9uRW1wdHlQ aXhlbENvdW50KGNvbnN0IEludFNpemUmIHNpemUpCiB7CiAgICAgaWYgKG1fdmlzdWFsbHlOb25F bXB0eVBpeGVsQ291bnQgPiB2aXN1YWxQaXhlbFRocmVzaG9sZCkKICAgICAgICAgcmV0dXJuOwot ICAgIG1fdmlzdWFsbHlOb25FbXB0eVBpeGVsQ291bnQgKz0gc2l6ZS53aWR0aCgpICogc2l6ZS5o ZWlnaHQoKTsKKworICAgIGF1dG8gYXJlYSA9IHNpemUuYXJlYTxSZWNvcmRPdmVyZmxvdz4oKSAr IG1fdmlzdWFsbHlOb25FbXB0eVBpeGVsQ291bnQ7CisgICAgaWYgKFVOTElLRUxZKGFyZWEuaGFz T3ZlcmZsb3dlZCgpKSkKKyAgICAgICAgbV92aXN1YWxseU5vbkVtcHR5UGl4ZWxDb3VudCA9IHN0 ZDo6bnVtZXJpY19saW1pdHM8ZGVjbHR5cGUobV92aXN1YWxseU5vbkVtcHR5UGl4ZWxDb3VudCk+ OjptYXgoKTsKKyAgICBlbHNlCisgICAgICAgIG1fdmlzdWFsbHlOb25FbXB0eVBpeGVsQ291bnQg PSBhcmVhLnVuc2FmZUdldCgpOwogfQogCiBXVEY6OlRleHRTdHJlYW0mIG9wZXJhdG9yPDwoV1RG OjpUZXh0U3RyZWFtJiwgY29uc3QgRnJhbWVWaWV3Jik7Cg==