Skip to content

vello_common: harden gradient LUT against invalid stop positions #1311

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
waywardmonkeys wants to merge 1 commit into
base: main
Choose a base branch
from
Open

vello_common: harden gradient LUT against invalid stop positions #1311

waywardmonkeys wants to merge 1 commit into from

Conversation

@waywardmonkeys
Copy link
Collaborator

@waywardmonkeys waywardmonkeys commented Dec 1, 2025

  • Sanitize gradient stop positions with sanitize_stop_position to clamp NaNs, infinities, and out-of- range values into [0, 1].
  • Use sanitized positions in determine_lut_size and LUT ramp construction to ensure indices are finite, monotonic, and within bounds.
  • Keep the 4-wide write in GradientLut::new bounded by lut_size so very small LUTs cannot trigger end- index panics.
  • Add targeted tests to verify sanitization behavior and ensure GradientLut handles infinite and out-of-range stop offsets without panicking.

@waywardmonkeys
vello_common: harden gradient LUT against invalid stop positions
44cc593 
- Sanitize gradient stop positions with `sanitize_stop_position` to clamp NaNs, infinities, and out-of-
  range values into [0, 1].
- Use sanitized positions in `determine_lut_size` and LUT ramp construction to ensure indices are finite,
  monotonic, and within bounds.
- Keep the 4-wide write in `GradientLut::new` bounded by `lut_size` so very small LUTs cannot trigger end-
  index panics.
- Add targeted tests to verify sanitization behavior and ensure `GradientLut` handles infinite
  and out-of-range stop offsets without panicking.
@waywardmonkeys
Copy link
Collaborator Author

waywardmonkeys commented Dec 1, 2025

This should fix against the panic mentioned by @nicoburns in a comment in #1302.

Some notes / questions:

  • We should probably improve some handling of this with Peniko.
  • Callers should definitely do better.
  • We should probably document these invariants better?
  • Should I debug_assert instead of clamping / sanitizing to make callers fix their code? Or debug_assert, but still sanitize for non-debug-assertions builds?

tomcur
tomcur reviewed Dec 1, 2025
View reviewed changes
sparse_strips/vello_common/src/encode.rs
Comment on lines +44 to +53
fn sanitize_stop_position(pos: f32) -> f32 {
if pos.is_nan() {
0.0
} else if pos.is_infinite() {
if pos.is_sign_negative() { 0.0 } else { 1.0 }
} else {
pos.clamp(0.0, 1.0)
}
}

Copy link
Member

@tomcur tomcur Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The following is a branchless way to do this.

Suggested change
fn sanitize_stop_position(pos: f32) -> f32 {
if pos.is_nan() {
0.0
} else if pos.is_infinite() {
if pos.is_sign_negative() { 0.0 } else { 1.0 }
} else {
pos.clamp(0.0, 1.0)
}
}
#[inline]
fn sanitize_stop_position(pos: f32) -> f32 {
pos.max(0.).min(1.)
}

f32:{max,min} don't propagate NaNs (so the NaN gets turned in to 0., if pos.max(0.) is first).

https://godbolt.org/z/nrzG75b1K

https://play.rust-lang.org/?version=stable&mode=debug&edition=2024&gist=3cd614c3df1900afdee1a4c481e5625a

LaurenzV
LaurenzV requested changes Dec 1, 2025
View reviewed changes
Copy link
Contributor

@LaurenzV LaurenzV left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have a method that aims to validate the gradient before even encoding it:

vello/sparse_strips/vello_common/src/encode.rs

Line 240 in 8b1fb9b

fn validate(gradient: &Gradient) -> Result<(), Paint> {

So I feel like it might be better to just add this additional case here? Not much point in trying to fix a gradient that is fundamentally broken. 😄

@LaurenzV
Copy link
Contributor

LaurenzV commented Dec 1, 2025

I'm actually surprised this doesn't already work, because we already are checking that each stop is between 0 and 1...

@waywardmonkeys
Copy link
Collaborator Author

waywardmonkeys commented Dec 1, 2025

I will figure out why and fix it!

@waywardmonkeys
Copy link
Collaborator Author

waywardmonkeys commented Dec 1, 2025

(I already know why, just have to drive home)

@nicoburns nicoburns added the C-sparse-strips Applies to sparse strips variants of vello in general label Dec 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tomcur tomcur tomcur left review comments

@LaurenzV LaurenzV LaurenzV requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

C-sparse-strips Applies to sparse strips variants of vello in general

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@waywardmonkeys @LaurenzV @tomcur @nicoburns