WebKit Bugzilla
Bug 223697 (RESOLVED FIXED): Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: 65537 * 65537 cannot be represented in type 'int'
https://bugs.webkit.org/show_bug.cgi?id=223697
Reported by Chris Dumez, 2021-03-24 10:05:10 PDT
Fix bug found by UBSan:
- Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: 65537 * 65537 cannot be represented in type 'int'
- Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: 65536 * 65536 cannot be represented in type 'int'
- Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: 1116300 * 558150 cannot be represented in type 'int'
- Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: -33554432 * -33554432 cannot be represented in type 'int'
Attachments
Patch (2.32 KB, patch), 2021-03-24 10:13 PDT, Chris Dumez, no flags
Comment 1, Chris Dumez, 2021-03-24 10:13:40 PDT
Created attachment 424150 [details]: Patch
Comment 2, Darin Adler, 2021-03-24 10:20:50 PDT
Comment on attachment 424150 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=424150&action=review

> Source/WebCore/ChangeLog:13
> + - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: -33554432 * -33554432 cannot be represented in type 'int'

Surprised that we are computing area of sizes that have negative width or height.

> Source/WebCore/page/FrameView.h:994
> + if (UNLIKELY(area.hasOverflowed()))

Makes me wish Checked had a "saturation" mode so we didn't have to write such extensive code.
Comment 3, Chris Dumez, 2021-03-24 10:21:55 PDT
(In reply to Darin Adler from comment #2)
> Comment on attachment 424150 [details]: Patch
> View in context: https://bugs.webkit.org/attachment.cgi?id=424150&action=review
>
> > Source/WebCore/ChangeLog:13
> > + - Source/WebCore/page/FrameView.h:990:50: runtime error: signed integer overflow: -33554432 * -33554432 cannot be represented in type 'int'
>
> Surprised that we are computing area of sizes that have negative width or height.

I suspect the values may have already overflowed before this function call.

> > Source/WebCore/page/FrameView.h:994
> > + if (UNLIKELY(area.hasOverflowed()))
>
> Makes me wish Checked had a "saturation" mode so we didn't have to write such extensive code.
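The overflow that comments 2 and 3 are discussing, as an added example that is not the WebKit patch's code and does not use WebKit's `Checked` type: the plain `int` width-times-height form UBSan flagged, beside a widening checked version that reports overflow the way an `area.hasOverflowed()` test would, plus a saturating variant in the spirit of the "saturation mode" Darin wishes for. `IntSize`, `unsafeArea`, `checkedArea`, `saturatedArea` and `allReportedInputsOverflow` are hypothetical names; the operand pairs come from the UBSan reports quoted in this bug.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Hypothetical minimal size type (not WebKit's own IntSize); plain int fields,
// like the operands UBSan reported multiplying in FrameView.h.
struct IntSize {
    int width;
    int height;
};

// Shape of the "before" computation. For the reported operands (65537 * 65537,
// -33554432 * -33554432, ...) this is signed overflow, i.e. undefined behaviour,
// which is exactly what UBSan traps. Kept for reference; never called with
// overflowing inputs here.
int unsafeArea(IntSize size) {
    return size.width * size.height;
}

// Checked multiply: widen both operands to 64 bits, then range-check the
// product. Returns std::nullopt on overflow, which plays the role of a
// hasOverflowed()-style check. Portable alternative to __builtin_mul_overflow.
std::optional<int> checkedArea(IntSize size) {
    static_assert(sizeof(std::int64_t) >= 2 * sizeof(int), "widening must hold the full product");
    const std::int64_t product = static_cast<std::int64_t>(size.width) * size.height;
    if (product > std::numeric_limits<int>::max() || product < std::numeric_limits<int>::min())
        return std::nullopt;
    return static_cast<int>(product);
}

// Saturating variant: clamp to INT_MIN / INT_MAX instead of reporting, so the
// caller needs no separate overflow branch. A clamped area is still wrong as a
// number; it is only safe as a "too large to handle" signal.
int saturatedArea(IntSize size) {
    if (auto area = checkedArea(size))
        return *area;
    // The sign of the true product picks the clamp direction; the 64-bit
    // widening itself cannot overflow for 32-bit operands.
    const bool negative = (size.width < 0) != (size.height < 0);
    return negative ? std::numeric_limits<int>::min() : std::numeric_limits<int>::max();
}

// Constructed inputs: the four operand pairs from the UBSan reports in this bug.
// Returns true if the checked version rejects every one of them.
bool allReportedInputsOverflow() {
    const IntSize reported[] = {{65537, 65537}, {65536, 65536}, {1116300, 558150}, {-33554432, -33554432}};
    for (const IntSize& s : reported) {
        if (checkedArea(s).has_value())
            return false;
    }
    return true;
}

int main() {
    std::printf("all reported inputs overflow: %s\n", allReportedInputsOverflow() ? "yes" : "no");
    std::printf("46340 x 46340 = %d (fits)\n", checkedArea({46340, 46340}).value());
    std::printf("saturated 65537 x 65537 = %d\n", saturatedArea({65537, 65537}));
    return 0;
}
```

Note that the negative-times-negative case from the report (-33554432 * -33554432) overflows upward, so the saturating form clamps it to INT_MAX, while a negative product that overflows clamps to INT_MIN; which clamp is acceptable depends on what the caller does with the area, which is why a reporting check such as `hasOverflowed()` is the safer default.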
Comment 4, zalan, 2021-03-24 10:36:21 PDT
no test case? I am curious how we end up with negative size here.
Comment 5, Darin Adler, 2021-03-24 10:37:49 PDT
I believe the test case is "our entire regression test suite run when WebKit is compiled with UBSan".
Comment 6, Chris Dumez, 2021-03-24 10:38:07 PDT
(In reply to zalan from comment #4)
> no test case? I am curious how we end up with negative size here.

The UBSan warnings are triggered by our test suite so the values shown in the errors should already be covered by our test suite.
Comment 7, Chris Dumez, 2021-03-24 10:38:53 PDT
(In reply to zalan from comment #4)
> no test case? I am curious how we end up with negative size here.

I believe you should be able to add assertions then run the test suite and hopefully find out :)
Comment 8, zalan, 2021-03-24 10:39:31 PDT
(In reply to Chris Dumez from comment #6)
> (In reply to zalan from comment #4)
> > no test case? I am curious how we end up with negative size here.
>
> The UBSan warnings are triggered by our test suite so the values shown in the errors should already be covered by our test suite.

Can we figure out what test triggered this? This may have correctness implications as well.
Comment 9, zalan, 2021-03-24 10:39:41 PDT
(In reply to Chris Dumez from comment #7)
> (In reply to zalan from comment #4)
> > no test case? I am curious how we end up with negative size here.
>
> I believe you should be able to add assertions then run the test suite and hopefully find out :)

ok
Comment 10, EWS, 2021-03-24 12:30:17 PDT
Committed r274958: <https://commits.webkit.org/r274958>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 424150 [details].
Comment 11, Radar WebKit Bug Importer, 2021-03-24 12:31:15 PDT
<rdar://problem/75799187>