
Logical Question: clamp in tangent point

Open yangshengaa opened this issue 8 months ago • 1 comments

Hi! I really enjoy reading your code. It is well organized and documented. 😄

I have a small question on clamp and tangent point. In searching for the tangent point, we break the while loop once the generated sample is an adversarial sample. We later clamp the sample to within a feasible range, say [0, 1].

This is what I saw in the implementation in tangent_attack_hemishpere/attack_with_max_ball.py

```python
def geometric_progression_for_tangent_point(self, x_original, x_boundary, normal_vector, true_labels, target_labels, dist, cur_iter):
    ...

    while True:
        ...
        tangent_point = tangent_point.view_as(x_original).type(x_original.dtype)
        success = self.decision_function(tangent_point[None], true_labels, target_labels)
        num_evals += 1
        if bool(success[0].item()):  # * stops as long as it is an adversarial sample, although may not be in the range
            break
        min_radius /= 2.0
    ...
    tangent_point = torch.clamp(tangent_point, self.clip_min, self.clip_max)  # * clamp outside of the while loop
    return tangent_point, ...
```

I am wondering if this will cause an issue where it remains an adversarial sample prior to clamping but is no longer an adversarial sample afterwards. This is in fact what I encountered in practice.

How does your team cope with this issue? It is not evident from the code that any downstream processing checks for a valid adversarial sample with this tangent point.

Thanks!

yangshengaa, Oct 17 '23 00:10
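The ordering question raised in this issue, reduced to a self-contained toy (an added example, not part of the issue and not the TangentAttack code). The oracle, the candidate generator, and all numeric values are constructed assumptions, and `clamp` is a pure-Python stand-in for `torch.clamp`; the search is run once with the check-then-clamp order from the excerpt and once with the clamp applied before each query.

```python
# Added illustration with constructed toy values; not the project's implementation.
CLIP_MIN, CLIP_MAX = 0.0, 1.0


def clamp(point):
    """Elementwise clip to the valid input range (stand-in for torch.clamp)."""
    return tuple(min(max(v, CLIP_MIN), CLIP_MAX) for v in point)


def decision_function(point):
    """Hypothetical oracle: a point counts as adversarial iff x0 + x1 > 1.5."""
    return point[0] + point[1] > 1.5


def candidate(radius):
    """Hypothetical candidate generator: step from a fixed base along a fixed direction."""
    base, direction = (0.875, 0.75), (1.0, -1.0)
    return tuple(b + radius * d for b, d in zip(base, direction))


def search(clamp_before_query, radius=0.5, max_halvings=20):
    """Halve the radius until the oracle accepts; return (clamped point, queries)."""
    for queries in range(1, max_halvings + 1):
        point = candidate(radius)
        if clamp_before_query:
            point = clamp(point)  # query exactly the point that will be returned
        if decision_function(point):
            return clamp(point), queries
        radius /= 2.0
    return None, max_halvings  # query budget exhausted without an accepted point


def compare():
    """Run both orderings and re-check each returned point against the oracle."""
    results = {}
    for name, flag in (("check_then_clamp", False), ("clamp_then_check", True)):
        point, queries = search(clamp_before_query=flag)
        still_adv = point is not None and decision_function(point)
        results[name] = (point, queries, still_adv)
    return results


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

With these toy values the check-then-clamp order stops after one query on an out-of-range point whose clamped version the oracle rejects, while clamping before the query costs two more queries and returns a point that is both in range and accepted.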