google-research / selfstudy-adversarial-robustness

Apache License 2.0

Add validation check to ensure valid image domain of [0.0, 1.0] #8

Open davidslater opened 3 years ago

davidslater commented 3 years ago

I had forgotten to clip this in a couple of my attacks. For instance, on the blur defense, I got it down to 7% failures with a simple PGD-20 attack, but forgot to clip inputs, so many of the values were outside this range. With this check added, I had 54% failures. With proper clipping, I was able to bring it down to 8% failures with the same attack.

In general, I don't expect this to be a serious issue for Linf attacks with small epsilon, but it will certainly be a big issue for L2 attacks.
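A sketch of the kind of check requested above, added here as an illustration and not taken from the issue or the repository: a per-example domain validator for an evaluation harness, plus a projection step that clips after applying the norm constraint. The function names, the NumPy-only setup and the sample arrays are assumptions constructed for the example.

```python
import numpy as np

def in_valid_domain(x, lo=0.0, hi=1.0):
    """Per-example flag: True only if every pixel is finite and inside [lo, hi]."""
    flat = x.reshape(len(x), -1)
    return np.all(np.isfinite(flat) & (flat >= lo) & (flat <= hi), axis=1)

def max_excursion(x, lo=0.0, hi=1.0):
    """Largest distance by which any pixel falls outside [lo, hi]."""
    return float(np.max(np.maximum(x - hi, 0.0) + np.maximum(lo - x, 0.0)))

def project(x_adv, x_orig, eps, norm):
    """Project onto the eps-ball around x_orig, then clip to the image domain.

    Clipping last is safe: x_orig is already in [0, 1], so clipping can only
    move each pixel closer to x_orig and never breaks the eps constraint.
    """
    delta = x_adv - x_orig
    if norm == "linf":
        delta = np.clip(delta, -eps, eps)
    elif norm == "l2":
        flat = delta.reshape(len(delta), -1)
        norms = np.linalg.norm(flat, axis=1, keepdims=True)
        flat = flat * np.minimum(1.0, eps / np.maximum(norms, 1e-12))
        delta = flat.reshape(delta.shape)
    else:
        raise ValueError(f"unknown norm: {norm}")
    return np.clip(x_orig + delta, 0.0, 1.0)

def demo():
    rng = np.random.default_rng(0)
    x = rng.uniform(0.0, 1.0, size=(8, 4, 4, 3))  # constructed "images"
    x[:, 0, 0, 0] = 1.0                            # one saturated pixel each
    linf_raw = x + 8 / 255                         # unclipped Linf step, eps = 8/255
    spike = np.zeros_like(x)
    spike[:, 0, 0, 0] = 2.0                        # L2 norm 2.0 on a single pixel
    l2_raw = x + spike
    return {
        "linf_excursion": max_excursion(linf_raw),
        "l2_excursion": max_excursion(l2_raw),
        "raw_valid": bool(in_valid_domain(linf_raw).any() or in_valid_domain(l2_raw).any()),
        "fixed_valid": bool(in_valid_domain(project(linf_raw, x, 8 / 255, "linf")).all()
                            and in_valid_domain(project(l2_raw, x, 2.0, "l2")).all()),
    }

if __name__ == "__main__":
    print(demo())
```

The constructed inputs show the asymmetry described above: an unclipped Linf perturbation leaves the domain by at most epsilon, while an L2 perturbation of the same budget concentrated on one pixel can leave it by the full budget.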