Bug 223614 - wtf/text/IntegerToStringConversion.h:54:104: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Template Framework
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Keywords: InRadar
Reported: 2021-03-22 17:16 PDT by Chris Dumez
Modified: 2021-03-23 09:55 PDT

Attachments
Patch (3.99 KB, patch)
2021-03-22 17:21 PDT, Chris Dumez
Patch (4.99 KB, patch)
2021-03-22 17:39 PDT, Chris Dumez
Patch (4.95 KB, patch)
2021-03-23 08:32 PDT, Chris Dumez

Description Chris Dumez 2021-03-22 17:16:10 PDT
numberToStringSigned() relies on undefined behavior and may return inaccurate results with inputs such as INT_MIN.
Comment 1 Chris Dumez 2021-03-22 17:21:06 PDT
Created attachment 423967 [details]
Patch
Comment 2 Chris Dumez 2021-03-22 17:39:38 PDT
Created attachment 423972 [details]
Patch
Comment 3 Chris Dumez 2021-03-23 08:32:06 PDT
Created attachment 424020 [details]
Patch
Comment 4 Darin Adler 2021-03-23 09:01:34 PDT
Comment on attachment 424020 [details]
Patch

I understand how this quiets the undefined behavior sanitizer, but I am sort of surprised that this actually avoids undefined behavior. I am surprised that the unary minus operation is defined so usefully on unsigned types.
Comment 5 Chris Dumez 2021-03-23 09:04:53 PDT
(In reply to Darin Adler from comment #4)
> Comment on attachment 424020 [details]
> Patch
> 
> I understand how this quiets the undefined behavior sanitizer, but I am sort
> of surprised that this actually avoids undefined behavior. I am surprised
> that the unary minus operation is defined so usefully on unsigned types.

I followed the advice from UBSan: "cast to an unsigned type to negate this value to itself".
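
Added example (not the patch attached to this bug and not WebKit's code): a small integer-to-string routine that takes the magnitude in the unsigned type, the approach the UBSan message quoted above recommends. The names `magnitude` and `signedToString` are hypothetical, and the inputs in `main` are constructed.

```cpp
#include <climits>
#include <cstdio>
#include <string>
#include <type_traits>

// Hypothetical helper, not WebKit's code: absolute value of a signed integer,
// computed in the unsigned type. Writing -value in the signed type overflows
// for the minimum value (the UBSan report in this bug's title).
template<typename SignedT>
constexpr std::make_unsigned_t<SignedT> magnitude(SignedT value)
{
    using UnsignedT = std::make_unsigned_t<SignedT>;
    // Signed-to-unsigned conversion and unsigned negation are both defined
    // modulo 2^N, so the minimum value maps to 2^(N-1) with no overflow.
    // The outer cast undoes integer promotion for types narrower than int.
    UnsignedT bits = static_cast<UnsignedT>(value);
    return value < 0 ? static_cast<UnsignedT>(-bits) : bits;
}

// Hypothetical decimal formatter built on magnitude().
template<typename SignedT>
std::string signedToString(SignedT value)
{
    auto remaining = magnitude(value);
    char buffer[sizeof(SignedT) * 3 + 2]; // upper bound: digits plus sign
    char* end = buffer + sizeof(buffer);
    char* cursor = end;
    do {
        *--cursor = static_cast<char>('0' + remaining % 10);
        remaining /= 10;
    } while (remaining);
    if (value < 0)
        *--cursor = '-';
    return std::string(cursor, end);
}

int main()
{
    // Constructed inputs: the minimum of each width is the case that breaks
    // signed negation.
    std::printf("%s\n", signedToString(INT_MIN).c_str());
    std::printf("%s\n", signedToString<long long>(LLONG_MIN).c_str());
    std::printf("%s\n", signedToString<signed char>(SCHAR_MIN).c_str());
    std::printf("%s\n", signedToString(-42).c_str());
    return 0;
}
```

Building this with `-fsanitize=undefined` is a quick way to confirm that no signed-overflow report is raised for the minimum values.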
Comment 6 EWS 2021-03-23 09:54:11 PDT
Committed r274878: <https://commits.webkit.org/r274878>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424020 [details].
Comment 7 Radar WebKit Bug Importer 2021-03-23 09:55:20 PDT
<rdar://problem/75742118>