Bug 223650

Summary:

DerivedSources/WebKitTestRunner/JSAccessibilityUIElement.cpp:802:72: runtime error: -1 is outside the range of representable values of type 'unsigned int'

Product:

WebKit

Reporter:

Chris Dumez <cdumez>

Component:

Bindings

Assignee:

Chris Dumez <cdumez>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

benjamin, cdumez, cmarcelo, darin, ews-watchlist, ggaren, sam, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=176131
https://bugs.webkit.org/show_bug.cgi?id=223710

Attachments:

Description	Flags
Patch	none
Patch	ews-feeder: commit-queue-
Patch	none

Chris Dumez

Reported 2021-03-23 12:12:40 PDT

DerivedSources/WebKitTestRunner/JSAccessibilityUIElement.cpp:802:72: runtime error: -1 is outside the range of representable values of type 'unsigned int'.

Attachments
Patch (4.79 KB, patch) 2021-03-23 12:25 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
Patch (6.47 KB, patch) 2021-03-23 14:45 PDT, Chris Dumez	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (9.42 KB, patch) 2021-03-23 15:31 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2021-03-23 12:25:36 PDT

Created attachment 424049 [details] Patch

Chris Dumez

Comment 2 2021-03-23 12:36:33 PDT

1 Release/DerivedSources/WebKitTestRunner/JSEventSendingController.cpp:274:45: runtime error: nan is outside the range of representable values of type 'int' 1 Release/DerivedSources/WebKitTestRunner/JSEventSendingController.cpp:130:23: runtime error: nan is outside the range of representable values of type 'int' 1 Release/DerivedSources/WebKitTestRunner/JSAccessibilityUIElement.cpp:802:72: runtime error: -1 is outside the range of representable values of type 'unsigned int' 1 Release/DerivedSources/WebKitTestRunner/JSAccessibilityUIElement.cpp:802:64: runtime error: -1 is outside the range of representable values of type 'unsigned int' 1 Release/DerivedSources/WebKitTestRunner/JSAccessibilityUIElement.cpp:1571:63: runtime error: 1e+11 is outside the range of representable values of type 'int' 1 Release/DerivedSources/WebKitTestRunner/JSAccessibilityUIElement.cpp:1221:67: runtime error: -1 is outside the range of representable values of type 'unsigned int'

Darin Adler

Comment 3 2021-03-23 13:37:42 PDT

What does clampTo do for NaN? Is there any downside to silently clamping instead of doing something like raising an exception?

Chris Dumez

Comment 4 2021-03-23 13:49:48 PDT

(In reply to Darin Adler from comment #3) > What does clampTo do for NaN? Is there any downside to silently clamping > instead of doing something like raising an exception? I will check what it does for NaN, I am not sure. Previously, I believe it was undefined behavior to cast NaN to an integer type. About clamping vs throwing an exception, I guess we can do whatever we decide to, since this is used only by layout tests. I went this way because it was a bit less work and basically as permissive as it used to be.

Chris Dumez

Comment 5 2021-03-23 14:26:49 PDT

(In reply to Chris Dumez from comment #4) > (In reply to Darin Adler from comment #3) > > What does clampTo do for NaN? Is there any downside to silently clamping > > instead of doing something like raising an exception? > > I will check what it does for NaN, I am not sure. Previously, I believe it > was undefined behavior to cast NaN to an integer type. We seem to be calling: // Floating point source. template<typename TargetType, typename SourceType> typename std::enable_if<!std::is_same<TargetType, SourceType>::value && std::is_floating_point<SourceType>::value && !(std::is_floating_point<TargetType>::value && sizeof(TargetType) > sizeof(SourceType)), TargetType>::type clampTo(SourceType value, TargetType min = defaultMinimumForClamp<TargetType>(), TargetType max = defaultMaximumForClamp<TargetType>()) { if (value >= static_cast<SourceType>(max)) return max; if (value <= static_cast<SourceType>(min)) return min; return static_cast<TargetType>(value); } If value is NaN, then I'd expect both if checks to fail and we'd static_cast<> to the destination type, which I believe would still be undefined behavior for integer destination types. We may need to update std::clampTo() to handle NaN. Looks like the default behavior for WebIDL is: "If x is NaN, +0, +∞, or −∞, then return +0."

Chris Dumez

Comment 6 2021-03-23 14:45:40 PDT

Created attachment 424067 [details] Patch

Darin Adler

Comment 7 2021-03-23 15:03:12 PDT

We should consider fixing clampTo so that it returns "min" when NaN is passed instead of returning "value". I think we can do that efficiently. Could be as simple as: if (!(value > static_cast<SourceType>(min))) return min; Instead of the "<=" version. That might fix it.

Chris Dumez

Comment 8 2021-03-23 15:23:37 PDT

(In reply to Darin Adler from comment #7) > We should consider fixing clampTo so that it returns "min" when NaN is > passed instead of returning "value". I think we can do that efficiently. > Could be as simple as: > > if (!(value > static_cast<SourceType>(min))) > return min; > > Instead of the "<=" version. That might fix it. I had a slight preference for 0 but I guess it doesn't really matter. At least your way avoids an extra branch. I'll update the patch accordingly and add API tests.

Darin Adler

Comment 9 2021-03-23 15:25:39 PDT

Yes, I see your point. 0 would be nicer.

Darin Adler

Comment 10 2021-03-23 15:26:42 PDT

But maybe 0 isn’t even between min and max, so we’d want to convert to 0 before doing the min/max checks.

Chris Dumez

Comment 11 2021-03-23 15:29:36 PDT

(In reply to Darin Adler from comment #10) > But maybe 0 isn’t even between min and max, so we’d want to convert to 0 > before doing the min/max checks. Yes, that is what my patch was doing: ``` if (std::isnan(value)) value = 0; if (value >= max) return max; [...] ```

Chris Dumez

Comment 12 2021-03-23 15:31:47 PDT

Created attachment 424074 [details] Patch

Chris Dumez

Comment 13 2021-03-23 15:32:33 PDT

(In reply to Chris Dumez from comment #12) > Created attachment 424074 [details] > Patch This version returns min as you initially suggested and adds API test coverage. I can easily switch to 0 (then clamped to range) if you'd prefer.

EWS

Comment 14 2021-03-23 17:30:18 PDT

Committed r274919: <https://commits.webkit.org/r274919> All reviewed patches have been landed. Closing bug and clearing flags on attachment 424074 [details].

Radar WebKit Bug Importer

Comment 15 2021-03-23 17:31:15 PDT

<rdar://problem/75763224>

Note You need to log in before you can comment on or make changes to this bug.