Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2010843002:
Fix int32 overflow in LinearGradientContext::shade4_dx_clamp (Closed)
DescriptionFix int32 overflow in LinearGradientContext::shade4_dx_clamp
The unconditional increment in shade4_dx_clamp can overflow int32
=> n == SK_MinS32
=> count ~= SK_MinS32
=> we skip the main shader loop 'cause count < 0
R=reed@google.com,mtklein@google.com
BUG=chromium:599458
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2010843002
Committed: https://skia.googlesource.com/skia/+/7b38e3cf75296c749c843fa89af14f70f4e4b2db
Patch Set 1 #
Messages
Total messages: 19 (7 generated)
Description was changed from ========== Fix int32 overflow in LinearGradientContext::shade4_dx_clamp The unconditional increment in shade4_dx_clamp can overflow int32. R=reed@google.com,mtklein@google.com BUG=chromium:599458 ========== to ========== Fix int32 overflow in LinearGradientContext::shade4_dx_clamp The unconditional increment in shade4_dx_clamp can overflow int32. R=reed@google.com,mtklein@google.com BUG=chromium:599458 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2010843002 ==========
Description was changed from ========== Fix int32 overflow in LinearGradientContext::shade4_dx_clamp The unconditional increment in shade4_dx_clamp can overflow int32. R=reed@google.com,mtklein@google.com BUG=chromium:599458 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2010843002 ========== to ========== Fix int32 overflow in LinearGradientContext::shade4_dx_clamp The unconditional increment in shade4_dx_clamp can overflow int32 => n == SK_MinS32 => count ~= SK_MinS32 => we skip the main shader loop 'cause count < 0 R=reed@google.com,mtklein@google.com BUG=chromium:599458 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2010843002 ==========
The CQ bit was checked by fmalita@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2010843002/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/2010843002/1
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
Dry run: None
The CQ bit was checked by fmalita@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2010843002/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/2010843002/1
Note for Reviewers: The CQ is waiting for an approval. If you believe that the CL is not ready yet, or if you would like to L-G-T-M with comments then please uncheck the CQ checkbox. Waiting for LGTM from valid reviewer(s) till 2016-05-26 20:02 UTC
fmalita@chromium.org changed reviewers: + caryclark@google.com
Is the overflow possibility just from the + 1, or can the float->int conversion also overflow int32?
On 2016/05/26 17:38:30, reed1 wrote: > Is the overflow possibility just from the + 1, or can the float->int conversion > also overflow int32? Just from +1 (SkFloatToIntFloor clamps to SK_MaxS32).
wow, I had no idea we were still using the hacky floatbits code for that. lgtm
Message was sent while issue was closed.
Description was changed from ========== Fix int32 overflow in LinearGradientContext::shade4_dx_clamp The unconditional increment in shade4_dx_clamp can overflow int32 => n == SK_MinS32 => count ~= SK_MinS32 => we skip the main shader loop 'cause count < 0 R=reed@google.com,mtklein@google.com BUG=chromium:599458 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2010843002 ========== to ========== Fix int32 overflow in LinearGradientContext::shade4_dx_clamp The unconditional increment in shade4_dx_clamp can overflow int32 => n == SK_MinS32 => count ~= SK_MinS32 => we skip the main shader loop 'cause count < 0 R=reed@google.com,mtklein@google.com BUG=chromium:599458 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2010843002 Committed: https://skia.googlesource.com/skia/+/7b38e3cf75296c749c843fa89af14f70f4e4b2db ==========
Message was sent while issue was closed.
Committed patchset #1 (id:1) as https://skia.googlesource.com/skia/+/7b38e3cf75296c749c843fa89af14f70f4e4b2db
Message was sent while issue was closed.
Hmmm... that's weird: https://build.chromium.org/p/client.skia/builders/Test-Ubuntu-GCC-GCE-CPU-AVX... ../../../src/effects/gradients/SkLinearGradient.cpp:630:74: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' SUMMARY: AddressSanitizer: undefined-behavior ../../../src/effects/gradients/SkLinearGradient.cpp:630:74 in step returned non-zero exit code: 1
Message was sent while issue was closed.
On 2016/05/26 23:26:13, mtklein wrote: > Hmmm... that's weird: > > https://build.chromium.org/p/client.skia/builders/Test-Ubuntu-GCC-GCE-CPU-AVX... > > ../../../src/effects/gradients/SkLinearGradient.cpp:630:74: runtime error: > signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' > SUMMARY: AddressSanitizer: undefined-behavior > ../../../src/effects/gradients/SkLinearGradient.cpp:630:74 in > step returned non-zero exit code: 1 Heh, I guess the unit test is now triggering it. This is WAI, but will have to silence it somehow... |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
