MadryLab / cifar10_challenge

A challenge to explore adversarial robustness of neural networks on CIFAR10.
MIT License

When generating uniform noise in random start, floating point number will cause invalid pixel value. #19

Closed Line290 closed 4 years ago

Line290 commented 4 years ago

In here, replace

x = x_nat + np.random.uniform(-self.epsilon, self.epsilon, x_nat.shape)

with

x = x_nat + np.random.random_integers(int(-self.epsilon), int(self.epsilon), x_nat.shape)

Actually, x_nat is discrete and converted from UINT8, but the uniform noise obtained from np.random.uniform() is continuous if we ignore machine word length. When doing PGD adversarial training, I think the FLOAT type may be OK. However, when generating adversarial examples, I think we should restrict the adversarial space to a meaningful space, say UINT8. What's more, in run_attack.py, we should make sure all pixel values in an adversarial image can map to UINT8.

dtsip commented 4 years ago

I see your point. Yes, if you wanted to only evaluate on valid pixel values with random start you would need to do this modification. Note that this is not an issue when using integer PGD step size and no random start.

Conceptually, we are evaluating against a more powerful adversary which is allowed to use floats. So we are only underestimating the true robustness. Given that we don't expect rounding to have a huge impact (it is less than 0.5 in Linf norm), using float random start is fine.
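The following is an added example, not part of either comment and not code from the cifar10_challenge repository. It compares the float random start quoted in the issue with an integer one and measures how far rounding to UINT8 moves the image. The function names, the integer budget `EPSILON = 8` on the 0-255 scale, and the random sample image are assumptions constructed for the demonstration.

```python
import numpy as np

EPSILON = 8  # assumed integer L-inf budget on the 0-255 pixel scale


def float_random_start(x_nat, epsilon, rng):
    """Random start as quoted in the issue: continuous noise in [-eps, eps]."""
    x = x_nat + rng.uniform(-epsilon, epsilon, x_nat.shape)
    return np.clip(x, 0, 255)


def integer_random_start(x_nat, epsilon, rng):
    """Random start restricted to whole pixel steps, as the issue proposes."""
    noise = rng.integers(-int(epsilon), int(epsilon), x_nat.shape, endpoint=True)
    return np.clip(x_nat + noise, 0, 255)


def is_valid_uint8_image(x):
    """True if every pixel is a whole number in [0, 255]."""
    return bool(np.all(x == np.rint(x)) and x.min() >= 0 and x.max() <= 255)


def quantize_to_uint8(x_adv, x_nat, epsilon):
    """Round to the pixel grid, then re-project onto the eps-ball and [0, 255]."""
    x = np.rint(x_adv)
    x = np.clip(x, x_nat - epsilon, x_nat + epsilon)
    return np.clip(x, 0, 255).astype(np.uint8)


def linf(a, b):
    return float(np.max(np.abs(a.astype(np.float64) - b.astype(np.float64))))


def demo(seed=0):
    rng = np.random.default_rng(seed)
    # Constructed sample: a random 32x32x3 image stored as uint8, then cast to float.
    x_nat = rng.integers(0, 256, (32, 32, 3)).astype(np.uint8).astype(np.float64)
    x_float = float_random_start(x_nat, EPSILON, rng)
    x_int = integer_random_start(x_nat, EPSILON, rng)
    x_q = quantize_to_uint8(x_float, x_nat, EPSILON)
    return {
        "float_start_valid": is_valid_uint8_image(x_float),
        "int_start_valid": is_valid_uint8_image(x_int),
        "rounding_shift": linf(x_float, x_q),
        "quantized_linf": linf(x_q, x_nat),
    }


if __name__ == "__main__":
    print(demo())
```

Because `x_nat` and `EPSILON` are whole numbers here, rounding a point inside the ball cannot leave it, so the quantized image stays within the budget while moving each pixel by at most 0.5.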