Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[naga msl-out] Avoid undefined behaviour due to signed integer overflow #6959

Merged
merged 1 commit into from
Jan 20, 2025
Merged

[naga msl-out] Avoid undefined behaviour due to signed integer overflow #6959

merged 1 commit into from
Jan 20, 2025

Conversation

jamienicol
Copy link
Contributor

Connections
Fixes #6666

Description
Signed integer overflow is undefined behaviour in MSL. However, signed integers are defined to be two's complement. This allows us to cast signed values to their corresponding unsigned type, perform the arithmetic on these unsigned values (which has defined overflow behaviour) then cast the result back to signed.

Care must be taken when emitting the isign polyfill, which uses metal::select(). We must ensure the -1, 0, and 1 literals used as inputs to select() have the correct width, else bitcasting the output of select() will fail due to mismatched widths.

Testing
Inspected shapshot test output. Ensure validation still succeeds.

Checklist

  • Run cargo fmt.
  • Run taplo format.
  • Run cargo clippy. If applicable, add:
    • --target wasm32-unknown-unknown
    • --target wasm32-unknown-emscripten
  • Run cargo xtask test to run tests.
  • Add change to CHANGELOG.md. See simple instructions inside file.

@jamienicol
[naga msl-out] Avoid undefined behaviour due to signed integer overflow
2efd0ea 
Signed integer overflow is undefined behaviour in MSL. However, signed
integers are defined to be two's complement. This allows us to cast
signed values to their corresponding unsigned type, perform the
arithmetic on these unsigned values (which has defined overflow
behaviour) then cast the result back to signed.

Care must be taken when emitting the isign polyfill, which uses
metal::select(). We must ensure the -1, 0, and 1 literals used as
inputs to select() have the correct width, else bitcasting the output
of select() will fail due to mismatched widths.
@jamienicol jamienicol requested a review from a team as a code owner January 20, 2025 13:45
@teoxoy teoxoy self-assigned this Jan 20, 2025
teoxoy
teoxoy approved these changes Jan 20, 2025
View reviewed changes
Copy link
Member

@teoxoy teoxoy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good stuff!

@teoxoy
Copy link
Member

teoxoy commented Jan 20, 2025

There are some edge cases that will overflow but we have to handle those differently, I will open a new issue for those.

div: T::MIN / -1 = T::MIN
rem: T::MIN % -1 = 0
abs: abs(T::MIN) = T::MIN
neg: -T::MIN = T::MIN

The results above are what the WGSL spec defines.

@teoxoy teoxoy merged commit 1f939e1 into gfx-rs:trunk Jan 20, 2025
30 checks passed
@teoxoy teoxoy mentioned this pull request Jan 20, 2025
Open
@jamienicol jamienicol deleted the msl-signed-overflow branch January 20, 2025 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@teoxoy teoxoy teoxoy approved these changes

Assignees

@teoxoy teoxoy

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[naga] Metal output needs to avoid UB due to integer overflow
2 participants
@jamienicol @teoxoy