Closed Bug 1353246 Opened 8 years ago Closed 8 years ago

Undefined behavior in TruncateFloatToInt()

Categories

(Core :: Web Audio, enhancement, P3)

Product:
Core
Component:
Web Audio
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox55 --- fixed

People

(Reporter: karlt, Assigned: karlt)

References

Details

Attachments

(1 file)

bug 1353246 adjust int/float comparison to treat floats just outside the range of int as outside
59 bytes, text/x-review-board-request
padenot
: review+
Details
float(numeric_limits<int>::max()) is rounding up and so this inequality is false even when f is (float)0x80000000 (without rounding) and cannot be represented by an int: http://searchfox.org/mozilla-central/source/dom/media/webaudio/WebAudioUtils.h#193 "A prvalue of a floating point type can be converted to a prvalue of an integer type. The conversion truncates; that is, the fractional part is discarded. The behavior is undefined if the truncated value cannot be represented in the destination type." (gdb) p (int)(float)2147483647 $2 = -2147483648 (gdb) p /x (int)(float)0x7fffffff $3 = 0x80000000 Although the -0x80000000 that is returned in this situation on this platform is negative, the implementation-defined behavior of converting to unsigned for speex_resampler_init() is to keep the 2s complement representation to give an unsigned value of 0x80000000, and so no harm follows. A compiler is permitted by the specification to establish a new world government instead of returning -0x80000000 from TruncateFloatToInt().
I'm not planning to write a Web Audio test for this because other details of the implementation and compiler behaviours mean that I can't make such a test fail.
Flags: in-testsuite-
Priority: -- → P3
The crashtest in https://bugzilla.mozilla.org/attachment.cgi?id=8854332 will exercise this code path.
Comment on attachment 8854341 [details] bug 1353246 adjust int/float comparison to treat floats just outside the range of int as outside https://reviewboard.mozilla.org/r/126290/#review129018
Attachment #8854341 - Flags: review?(padenot) → review+
Pushed by ktomlinson@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/97001563a3b5 adjust int/float comparison to treat floats just outside the range of int as outside r=padenot
https://hg.mozilla.org/mozilla-central/rev/97001563a3b5
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: