| Field | Value |
|---|---|
| Summary | Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: 65537 * 65537 cannot be represented in type 'int' |
| Product | WebKit |
| Component | Layout and Rendering |
| Reporter | Chris Dumez <cdumez> |
| Assignee | Chris Dumez <cdumez> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Keywords | InRadar |
| CC | bfulgham, darin, ggaren, sam, simon.fraser, webkit-bug-importer, zalan |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| See Also | https://bugs.webkit.org/show_bug.cgi?id=176131 |
Description

Chris Dumez, 2021-03-24 10:05:10 PDT

Created attachment 424150 [details]
Patch

---

Darin Adler (comment #2):

Comment on attachment 424150 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424150&action=review

> Source/WebCore/ChangeLog:13
> + - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: -33554432 * -33554432 cannot be represented in type 'int'

Surprised that we are computing area of sizes that have negative width or height.

> Source/WebCore/page/FrameView.h:994
> + if (UNLIKELY(area.hasOverflowed()))

Makes me wish Checked had a "saturation" mode so we didn't have to write such extensive code.

---

(In reply to Darin Adler from comment #2)
> Comment on attachment 424150 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=424150&action=review
>
> > Source/WebCore/ChangeLog:13
> > + - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: -33554432 * -33554432 cannot be represented in type 'int'
>
> Surprised that we are computing area of sizes that have negative width or
> height.

I suspect the values may have already overflowed before this function call.

> > Source/WebCore/page/FrameView.h:994
> > + if (UNLIKELY(area.hasOverflowed()))
>
> Makes me wish Checked had a "saturation" mode so we didn't have to write
> such extensive code.

---

zalan (comment #4):

no test case? I am curious how we end up with negative size here.

---

I believe the test case is "our entire regression test suite run when WebKit is compiled with UBSan".

---

Chris Dumez (comment #6):

(In reply to zalan from comment #4)
> no test case? I am curious how we end up with negative size here.

The UBSan warnings are triggered by our test suite, so the values shown in the errors should already be covered by our test suite.

---

Chris Dumez (comment #7):

(In reply to zalan from comment #4)
> no test case? I am curious how we end up with negative size here.

I believe you should be able to add assertions, then run the test suite and hopefully find out :)

---

(In reply to Chris Dumez from comment #6)
> (In reply to zalan from comment #4)
> > no test case? I am curious how we end up with negative size here.
>
> The UBSan warnings are triggered by our test suite, so the values shown in
> the errors should already be covered by our test suite.

Can we figure out what test triggered this? This may have correctness implications as well.

---

(In reply to Chris Dumez from comment #7)
> (In reply to zalan from comment #4)
> > no test case? I am curious how we end up with negative size here.
>
> I believe you should be able to add assertions, then run the test suite and
> hopefully find out :)

ok

---

Committed r274958: <https://commits.webkit.org/r274958>

---

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424150 [details].
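Added example, not WebKit's code and not the patch on this bug: a stand-alone reimplementation of the checked width-times-height computation the thread discusses (no WTF::Checked; `checkedMul`, `Size`, `checkedArea` and `saturatedArea` are assumed names), plus the "saturation" variant Darin asks for, so the two UBSan inputs from the bug can be exercised without undefined behaviour.

```cpp
#include <climits>
#include <optional>

// Multiply two ints and report overflow instead of invoking undefined
// behaviour. Plays the role of WTF::Checked<int> + hasOverflowed() in the
// patch, but is a local reimplementation (assumption: no WTF available).
inline bool checkedMul(int a, int b, int& out)
{
    // The widened product always fits: |a|, |b| <= 2^31, so |a*b| <= 2^62.
    long long product = static_cast<long long>(a) * static_cast<long long>(b);
    if (product > INT_MAX || product < INT_MIN)
        return false;            // would overflow int: the UBSan finding
    out = static_cast<int>(product);
    return true;
}

struct Size {
    int width;
    int height;
};

// Area that fails closed: nullopt when width * height does not fit in int,
// for both the positive (65537 * 65537) and negative (-33554432 * -33554432)
// cases reported in the bug.
std::optional<int> checkedArea(Size size)
{
    int area = 0;
    if (!checkedMul(size.width, size.height, area))
        return std::nullopt;
    return area;
}

// Saturating variant: clamps to INT_MAX on overflow instead of requiring
// every caller to branch on hasOverflowed(). Non-positive dimensions are
// treated as an empty rect (area 0), since the thread suspects such values
// are already corrupt before this computation is reached.
int saturatedArea(Size size)
{
    if (size.width <= 0 || size.height <= 0)
        return 0;
    int area = 0;
    return checkedMul(size.width, size.height, area) ? area : INT_MAX;
}
```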