Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 715c3124843bb2b5ba39d245b9a8dcc52df00e81
      
https://github.com/WebKit/WebKit/commit/715c3124843bb2b5ba39d245b9a8dcc52df00e81
  Author: David Kilzer <[email protected]>
  Date:   2024-04-12 (Fri, 12 Apr 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/JSBigInt.cpp
    M Source/WTF/wtf/MathExtras.h
    M Source/WTF/wtf/text/IntegerToStringConversion.h
    M Source/WebCore/css/typedom/CSSNumericValue.cpp
    M Source/WebCore/platform/LayoutUnit.h
    M Tools/TestWebKitAPI/Tests/WTF/MathExtras.cpp

  Log Message:
  -----------
  UBSAN: runtime error: negation of -2147483648 cannot be represented in type 
'int'; cast to an unsigned type to negate this value to itself
https://bugs.webkit.org/show_bug.cgi?id=272533
<rdar://126277702>

Reviewed by Justin Michaud.

Change WTF::negate() to require a signed type as input, and to always
return an unsigned value since that's how it's used. Also add a Debug
assert that the value being negated is negative since this function was
never designed to negate positive, signed integers.

Tests for WTF::negate():  TestWTF.WTF.negate

Layout tests covering WebCore changes:
    fast/css/border-image-scale-crash.html
    fast/forms/datalist/datalist-dropdown-transformed-element-crash.html
    fast/selectors/nth-child-bounds.html

* Source/JavaScriptCore/runtime/JSBigInt.cpp:
(JSC::Int64BigIntImpl::digit):
- Cast back to signed type before calling WTF::negate().

* Source/WTF/wtf/MathExtras.h:
(WTF::negate):
- Tighten up function to always return an unsigned integer type and to
  require `T` to be a signed integer type.
- Add Debug assert that `v` is negative as this function is not intended
  for use with positive integer values.

* Source/WTF/wtf/text/IntegerToStringConversion.h:
(WTF::writeIntegerToBuffer):
(WTF::lengthOfIntegerAsString):
- Make use of WTF::negate() to avoid undefined behavior.
- Remove use of std::make_unsigned_t<>() since WTF::negate() does this
  for us.

* Source/WebCore/css/typedom/CSSNumericValue.cpp:
(WebCore::CSSNumericValue::sub):
- Specify WebCore::negate() as workaround for MSVC++ and older clang.

* Source/WebCore/platform/LayoutUnit.h:
(WebCore::roundToDevicePixel):
- Make use of WTF::negate() to avoid undefined behavior.

* Tools/TestWebKitAPI/Tests/WTF/MathExtras.cpp:
(TestWebKitAPI::TEST(WTF, negate)):
- Add tests for WTF::negate().  Verify the return type of the template
  function as well as interesting values.

Canonical link: https://commits.webkit.org/277431@main
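
The pattern the log message describes, written out as an added example (not code from this WebKit commit): a signed-only helper that returns the unsigned magnitude of a negative value, and a formatting caller that stays correct at the type's minimum. The names `negateToUnsigned` and `toDecimalString` are hypothetical.

```cpp
#include <cassert>
#include <iostream>
#include <limits>
#include <string>
#include <type_traits>

// Hypothetical helper, not WTF::negate() itself: returns the magnitude of a
// negative signed integer as the matching unsigned type.
template<typename T>
std::make_unsigned_t<T> negateToUnsigned(T v)
{
    static_assert(std::is_integral<T>::value && std::is_signed<T>::value,
        "T must be a signed integer type");
    using U = std::make_unsigned_t<T>;
    assert(v < 0); // Debug-only check, compiled out under NDEBUG.
    // Signed -v overflows when v is the minimum of T (undefined behavior).
    // Converting to U is modular and the subtraction below cannot trigger
    // signed overflow, so the result is well-defined for every T.
    return static_cast<U>(U { 0 } - static_cast<U>(v));
}

// Hypothetical caller: decimal formatting that is correct for the minimum value.
template<typename T>
std::string toDecimalString(T value)
{
    using U = std::make_unsigned_t<T>;
    const bool isNegative = value < 0;
    U magnitude = isNegative ? negateToUnsigned(value) : static_cast<U>(value);
    std::string digits;
    do {
        digits.insert(digits.begin(), static_cast<char>('0' + magnitude % 10));
        magnitude /= 10;
    } while (magnitude);
    if (isNegative)
        digits.insert(digits.begin(), '-');
    return digits;
}

int main()
{
    std::cout << toDecimalString(std::numeric_limits<int>::min()) << '\n';
    std::cout << toDecimalString(std::numeric_limits<long long>::min()) << '\n';
    return 0;
}
```

Building with `-fsanitize=undefined` and replacing the helper's body with `return -v;` reproduces the class of report quoted in the subject line.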


