223614 – wtf/text/IntegerToStringConversion.h:54:104: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself

RESOLVED FIXED 223614

wtf/text/IntegerToStringConversion.h:54:104: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself

https://bugs.webkit.org/show_bug.cgi?id=223614

Summary wtf/text/IntegerToStringConversion.h:54:104: runtime error: negation of -2147...

Chris Dumez

Reported 2021-03-22 17:16:10 PDT

numberToStringSigned() relies on undefined behavior and may return inaccurate results with inputs such as INT_MIN.

Attachments
Patch (3.99 KB, patch) 2021-03-22 17:21 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
Patch (4.99 KB, patch) 2021-03-22 17:39 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
Patch (4.95 KB, patch) 2021-03-23 08:32 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2021-03-22 17:21:06 PDT

Created attachment 423967 [details] Patch

Chris Dumez

Comment 2 2021-03-22 17:39:38 PDT

Created attachment 423972 [details] Patch

Chris Dumez

Comment 3 2021-03-23 08:32:06 PDT

Created attachment 424020 [details] Patch

Darin Adler

Comment 4 2021-03-23 09:01:34 PDT

Comment on attachment 424020 [details] Patch I understand how this quiets the undefined behavior sanitizer, but I am sort of surprised that this actually avoids undefined behavior. I am surprised that the unary minus operation is defined so usefully on unsigned types.

Chris Dumez

Comment 5 2021-03-23 09:04:53 PDT

(In reply to Darin Adler from comment #4) > Comment on attachment 424020 [details] > Patch > > I understand how this quiets the undefined behavior sanitizer, but I am sort > of surprised that this actually avoids undefined behavior. I am surprised > that the unary minus operation is defined so usefully on unsigned types. I followed the advice from UBSan: "cast to an unsigned type to negate this value to itself".

EWS

Comment 6 2021-03-23 09:54:11 PDT

Committed r274878: <https://commits.webkit.org/r274878> All reviewed patches have been landed. Closing bug and clearing flags on attachment 424020 [details].

Radar WebKit Bug Importer

Comment 7 2021-03-23 09:55:20 PDT

<rdar://problem/75742118>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Web Template Framework

Assignee

Chris Dumez

Reported

2021-03-22 17:16 PDT

Modified

2021-03-23 09:55 PDT History

CC List

8 users Show

URL

Keywords InRadar

Depends on

Blocks