Fix fuzzer-discovered error with range checks.

The fuzzer managed to create a NaN using a carefully-crafted mix of intrinsics and constant folding. (`cosh(421)` is a very large double, which becomes +Inf when cast to float, which is then multiplied by 0; zero times infinity is NaN.) Our code which checked to see if a value is in range of an int did not consider NaNs and their always-false behavior, so it incorrectly decided that NaN was in range. This CL reverses the check so that a NaN will not pass, but all other values will behave the same. Followup CLs should probably also tighten up the folding/optimizer behavior so that NaNs/Infs are not created at all. Change-Id: Idd2b0447ebe115e00bdba63ca7ff655f6c902fc6 Bug: oss-fuzz:48592 Reviewed-on: https://skia-review.googlesource.com/c/skia/+/555009 Commit-Queue: John Stiles <johnstiles@google.com> Auto-Submit: John Stiles <johnstiles@google.com> Reviewed-by: Brian Osman <brianosman@google.com> Commit-Queue: Brian Osman <brianosman@google.com>
2022-07-06 09:38:41 -04:00 · 2022-07-06 09:38:41 -04:00 · 48b27317b4
commit 48b27317b4
parent bc15c6a548
4 changed files with 26 additions and 11 deletions
--- a/gn/sksl_tests.gni
+++ b/gn/sksl_tests.gni
@ -159,6 +159,7 @@ sksl_error_tests = [
  "/sksl/errors/Ossfuzz44561.sksl",
  "/sksl/errors/Ossfuzz44565.sksl",
  "/sksl/errors/Ossfuzz47935.sksl",
+  "/sksl/errors/Ossfuzz48592.sksl",
  "/sksl/errors/OverflowFloatLiteral.rts",
  "/sksl/errors/OverflowInlinedLiteral.sksl",
  "/sksl/errors/OverflowInt64Literal.rts",
--- a/resources/sksl/errors/Ossfuzz48592.sksl
+++ b/resources/sksl/errors/Ossfuzz48592.sksl
@ -0,0 +1 @@
+half x[int2((3-3`*cosh(421`.L1
--- a/src/sksl/ir/SkSLType.cpp
+++ b/src/sksl/ir/SkSLType.cpp
@ -968,18 +968,17 @@ bool Type::checkForOutOfRangeLiteral(const Context& context, const Expression& e

 bool Type::checkForOutOfRangeLiteral(const Context& context, double value, Position pos) const {
    SkASSERT(this->isScalar());
-    if (this->isInteger()) {
-        if (value < this->minimumValue() || value > this->maximumValue()) {
-            // We found a value that can't fit in the type. Flag it as an error.
-            context.fErrors->error(
-                    pos,
-                    SkSL::String::printf("integer is out of range for type '%s': %.0f",
-                                         this->displayName().c_str(),
-                                         std::floor(value)));
-            return true;
-        }
+    if (!this->isInteger()) {
+        return false;
    }
-    return false;
+    if (value >= this->minimumValue() && value <= this->maximumValue()) {
+        return false;
+    }
+    // We found a value that can't fit in our integral type. Flag it as an error.
+    context.fErrors->error(pos, SkSL::String::printf("integer is out of range for type '%s': %.0f",
+                                                     this->displayName().c_str(),
+                                                     std::floor(value)));
+    return true;
 }

 bool Type::checkIfUsableInArray(const Context& context, Position arrayPos) const {
--- a/tests/sksl/errors/Ossfuzz48592.glsl
+++ b/tests/sksl/errors/Ossfuzz48592.glsl
@ -0,0 +1,14 @@
+### Compilation failed:
+
+error: 1: expected ')' to complete expression, but found '`'
+half x[int2((3-3`*cosh(421`.L1
+                ^
+error: 1: expected ')' to complete function arguments, but found '`'
+half x[int2((3-3`*cosh(421`.L1
+                          ^
+error: 2: expected ')' to complete function arguments, but found ''
+error: 1: array size must be an integer
+half x[int2((3-3`*cosh(421`.L1
+       ^^^^^^^^^^^^^^^^^^^^^^^^
+error: 2: expected ']', but found ''
+5 errors