Bug 223614

Summary: wtf/text/IntegerToStringConversion.h:54:104: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: Web Template FrameworkAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, cmarcelo, darin, ddkilzer, ews-watchlist, ggaren, sam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=176131
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Chris Dumez
Reported 2021-03-22 17:16:10 PDT
numberToStringSigned() relies on undefined behavior and may return inaccurate results with inputs such as INT_MIN.
Attachments
Patch (3.99 KB, patch)
2021-03-22 17:21 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (4.99 KB, patch)
2021-03-22 17:39 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (4.95 KB, patch)
2021-03-23 08:32 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2021-03-22 17:21:06 PDT
Created attachment 423967 [details] Patch
Chris Dumez
Comment 2 2021-03-22 17:39:38 PDT
Created attachment 423972 [details] Patch
Chris Dumez
Comment 3 2021-03-23 08:32:06 PDT
Created attachment 424020 [details] Patch
Darin Adler
Comment 4 2021-03-23 09:01:34 PDT
Comment on attachment 424020 [details] Patch I understand how this quiets the undefined behavior sanitizer, but I am sort of surprised that this actually avoids undefined behavior. I am surprised that the unary minus operation is defined so usefully on unsigned types.
Chris Dumez
Comment 5 2021-03-23 09:04:53 PDT
(In reply to Darin Adler from comment #4) > Comment on attachment 424020 [details] > Patch > > I understand how this quiets the undefined behavior sanitizer, but I am sort > of surprised that this actually avoids undefined behavior. I am surprised > that the unary minus operation is defined so usefully on unsigned types. I followed the advice from UBSan: "cast to an unsigned type to negate this value to itself".
EWS
Comment 6 2021-03-23 09:54:11 PDT
Committed r274878: <https://commits.webkit.org/r274878> All reviewed patches have been landed. Closing bug and clearing flags on attachment 424020 [details].
Radar WebKit Bug Importer
Comment 7 2021-03-23 09:55:20 PDT
<rdar://problem/75742118>
Note You need to log in before you can comment on or make changes to this bug.