RESOLVED FIXED 104955
Clamp values in LayoutUnit::operator/ when SATURATED_LAYOUT_ARITHMETIC is enabled 
https://bugs.webkit.org/show_bug.cgi?id=104955
Summary Clamp values in LayoutUnit::operator/ when SATURATED_LAYOUT_ARITHMETIC is ena...
Emil A Eklund
Reported 2012-12-13 14:38:46 PST
LayoutUnit::setRawValue(long long) currently does not clamp values and instead overflows when given a value greater than INT_MAX or less than INT_MIN. As the division operator uses the setRawValue(long long) method it can the value to overflow, even if SATURATED_LAYOUT_ARITHMETIC is enabled.
Attachments
Patch (19.17 KB, patch)
2012-12-13 14:40 PST, Emil A Eklund 		no flags
DetailsFormatted DiffDiff
Patch (18.80 KB, patch)
2012-12-13 16:02 PST, Emil A Eklund 		no flags
DetailsFormatted DiffDiff
Patch (19.31 KB, patch)
2012-12-14 11:57 PST, Emil A Eklund 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Emil A Eklund
Comment 1 2012-12-13 14:40:26 PST
Created attachment 179341 [details] Patch
WebKit Review Bot
Comment 2 2012-12-13 14:44:19 PST
Attachment 179341 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebCore/ChangeLog', u'Source/WebCor..." exit_code: 1 Tools/TestWebKitAPI/ForwardingHeaders/WebCore/LayoutUnit.h:1: #ifndef header guard has wrong style, please use: LayoutUnit_h [build/header_guard] [5] Total errors found: 1 in 10 files If any of these errors are false positives, please file a bug against check-webkit-style.
Emil A Eklund
Comment 3 2012-12-13 14:46:46 PST
The style bot failure looks like a false positive in that it doesn't recognize FWD headers.
Julien Chaffraix
Comment 4 2012-12-13 15:53:59 PST
Comment on attachment 179341 [details] Patch I like the change, especially since it catches an issue. Some comments on it, the ForwardingHeaders part looks fine to me but someone more knowledgeable with the Apple build system should probably comment.
Emil A Eklund
Comment 5 2012-12-13 15:56:51 PST
(In reply to comment #4) > (From update of attachment 179341 [details]) > I like the change, especially since it catches an issue. Some comments on it, the ForwardingHeaders part looks fine to me but someone more knowledgeable with the Apple build system should probably comment. The ForwardingHeaders setup is for the linux windows/ninja build, mac does fine without it.
Emil A Eklund
Comment 6 2012-12-13 16:02:09 PST
Created attachment 179362 [details] Patch
WebKit Review Bot
Comment 7 2012-12-13 16:08:01 PST
Attachment 179362 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebCore/ChangeLog', u'Source/WebCor..." exit_code: 1 Tools/TestWebKitAPI/ForwardingHeaders/WebCore/LayoutUnit.h:1: #ifndef header guard has wrong style, please use: LayoutUnit_h [build/header_guard] [5] Total errors found: 1 in 10 files If any of these errors are false positives, please file a bug against check-webkit-style.
Emil A Eklund
Comment 8 2012-12-14 11:57:26 PST
Created attachment 179509 [details] Patch
WebKit Review Bot
Comment 9 2012-12-14 11:59:22 PST
Attachment 179509 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebCore/ChangeLog', u'Source/WebCor..." exit_code: 1 Tools/TestWebKitAPI/ForwardingHeaders/WebCore/LayoutUnit.h:1: #ifndef header guard has wrong style, please use: LayoutUnit_h [build/header_guard] [5] Tools/TestWebKitAPI/ForwardingHeaders/WebCore/KURL.h:1: #ifndef header guard has wrong style, please use: KURL_h [build/header_guard] [5] Total errors found: 2 in 11 files If any of these errors are false positives, please file a bug against check-webkit-style.
Julien Chaffraix
Comment 10 2012-12-14 14:00:58 PST
Comment on attachment 179509 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=179509&action=review Looks fine, some comment. Please, leave some time before landing to get a green EWS and in case some of people more knowledgeable in the different hardware we support can double check. > Source/WebCore/platform/LayoutUnit.h:182 > + m_value = clampTo(value, std::numeric_limits<int>::min(), std::numeric_limits<int>::max()); We should probably mention that this may lead to a loss of precision if long long is 64 bits but as we are casting the information to an int (32 bits on all 64 bits architecture that we know about), it shouldn't matter. Also, unless I am mistaking, this looks like it could be written: m_value = clampTo<int>(value); (clampToInteger would be ambiguous AFAICT so it would require an unfortunate cast) > Tools/TestWebKitAPI/ForwardingHeaders/WebCore/KURL.h:4 > +#endif Nit: We should probably wait until we enable the test to land that > Tools/TestWebKitAPI/TestWebKitAPI.gyp/TestWebKitAPI.gyp:57 > + '<(source_dir)/WebCore/WebCore.gyp/WebCore.gyp:webcore', For archive's sake, we discussed that over IM and it makes more sense to link against WebCore if we are to enable the test for KURL but also to test any class that isn't fully implemented in its header file. > Tools/TestWebKitAPI/Tests/WebCore/LayoutUnit.cpp:79 > + ASSERT_NEAR(LayoutUnit(1.0f).toFloat(), 1.0f, tolerance); > + ASSERT_NEAR(LayoutUnit(1.1f).toFloat(), 1.1f, tolerance); > + ASSERT_NEAR(LayoutUnit(1.25f).toFloat(), 1.25f, tolerance); > + ASSERT_NEAR(LayoutUnit(1.33f).toFloat(), 1.33f, tolerance); > + ASSERT_NEAR(LayoutUnit(1.3333f).toFloat(), 1.3333f, tolerance); > + ASSERT_NEAR(LayoutUnit(1.53434f).toFloat(), 1.53434f, tolerance); > + ASSERT_NEAR(LayoutUnit(345634).toFloat(), 345634.0f, tolerance); > + ASSERT_NEAR(LayoutUnit(345634.12335f).toFloat(), 345634.12335f, tolerance); > + ASSERT_NEAR(LayoutUnit(-345634.12335f).toFloat(), -345634.12335f, tolerance); > + ASSERT_NEAR(LayoutUnit(-345634).toFloat(), -345634.0f, tolerance); Are these ASSERT_NEAR really needed? Below you use ASSERT_FLOAT_EQ for the division and I wouldn't expect much loss in precisions for most of numbers here as they don't require much mantissa bits to represent.
Benjamin Poulain
Comment 11 2012-12-14 20:48:50 PST
Nice catch. (and nice of you to add test support for LayoutUnit). I agree with Julien, I would much prefer this with clampTo<int>(value);. I'd argue (as usual? :)) that this not the best place to fix this. Most code calling setRawValue() already ensure the value is bounded. By adding this addition clamp in setRawValue(), people might misunderstand how to use that API. The perf guy in me also cry because we branch twice as much when the call site do a proper job with saturated arithmetic. What do you think about this?: -make setRawValue a template -make it so that it fails to compile for long with a explanatory error message. -fix the 1 (?) faulty call site. -.... -profit
Emil A Eklund
Comment 12 2012-12-17 10:35:01 PST
(In reply to comment #11) > Nice catch. (and nice of you to add test support for LayoutUnit). > > I agree with Julien, I would much prefer this with clampTo<int>(value);. > > I'd argue (as usual? :)) that this not the best place to fix this. Most code calling setRawValue() already ensure the value is bounded. By adding this addition clamp in setRawValue(), people might misunderstand how to use that API. > > The perf guy in me also cry because we branch twice as much when the call site do a proper job with saturated arithmetic. You are right, I'll move it to the call site to minimize the perf impact. That'll also make it more consistent with the existing checks. Thanks for your input, always appreciated!
Emil A Eklund
Comment 13 2012-12-17 11:13:43 PST
Committed r137924: <http://trac.webkit.org/changeset/137924>
Simon Fraser (smfr)
Comment 14 2012-12-18 13:36:55 PST
This broke some WebKit API tests. Please fix: http://build.webkit.org/builders/Apple%20Lion%20Debug%20WK1%20%28Tests%29/builds/5417/steps/run-api-tests/logs/stdio
Note You need to log in before you can comment on or make changes to this bug.