Closed Bug 362134 Opened 14 years ago Closed 14 years ago

Crash @ dtoa/prdtoa.c when running with reduced CPU float precision

Categories

(NSPR :: NSPR, defect)

Product:
NSPR
Component:
NSPR
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

References

Details

(Keywords: fixed1.8.0.10, verified1.8.1.2, Whiteboard: [sg:moderate])

Attachments

(2 files)

Test program that reproduces the crash on Windows
599 bytes, text/plain
Details
Patch by Keith Victor <keith@virtock.com>
751 bytes, patch
Details | Diff | Splinter Review 
This crash was first reported in the JavaScript version of
prdtoa.c in bug 358569.

If the CPU float precision is somehow reduced, the following for
loop in dtoa() won't terminate because dval(d) doesn't become 0
due to inaccurate floating-point arithmetic:

		for(i = 1;; i++, dval(d) *= 10.) {
			L = (Long)(dval(d) / ds);
			dval(d) -= L*ds;
#ifdef Check_FLT_ROUNDS
			/* If FLT_ROUNDS == 2, L will usually be high by 1 */
			if (dval(d) < 0) {
				L--;
				dval(d) += ds;
				}
#endif
			*s++ = '0' + (int)L;
			if (!dval(d)) {
#ifdef SET_INEXACT
				inexact = 0;
#endif
				break;
				}
			if (i == ilim) {
#ifdef Honor_FLT_ROUNDS
				if (mode > 1)
				switch(rounding) {
				  case 0: goto ret1;
				  case 2: goto bump_up;
				  }
#endif
				dval(d) += dval(d);
				if (dval(d) > ds || dval(d) == ds && L & 1) {
 bump_up:
					while(*--s == '9')
						if (s == s0) {
							k++;
							*s = '0';
							break;
							}
					++*s++;
					}
				break;
				}
			}
		goto ret1;
		}
Flags: wanted1.8.1.x+
Whiteboard: [sg:moderate]
QA Contact: wtchang → nspr
Wan-Teh: when you split this out of the jsdtoa bug, when did you intend to fix it? Not sure why we didn't just do it at the same time given an existing patch.
Flags: blocking1.8.1.2?
Dan, this NSPR bug should not block Mozilla 1.8.1.2.  I marked
this bug security-sensitive only because the related JavaScript
bug 358569 is security-sensitive.
I checked in the patch on the NSPR trunk (NSPR 4.7), the
NSPRPUB_PRE_4_2_CLIENT_BRANCH (Mozilla 1.9 Alpha 2), and
the NSPR_4_6_BRANCH (NSPR 4.6.5).

Checking in prdtoa.c;
/cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v  <--  prdtoa.c
new revision: 4.4; previous revision: 4.3
done

Checking in prdtoa.c;
/cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v  <--  prdtoa.c
new revision: 3.7.4.9; previous revision: 3.7.4.8
done

Checking in prdtoa.c;
/cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v  <--  prdtoa.c
new revision: 4.3.2.1; previous revision: 4.3
done
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → 4.6.5
WTC:  Is there anything left to do in this bug?  Did your NSPR checkins fix this?  Or do we need to review and land Keith Victor's patch?  Please clarify.  Thanks!
Jay,

The NSPR patch that I checked in is Keith Victor's patch,
adapted for NSPR's version of that file.

The remaining work is:
1. release NSPR 4.6.5
2. MOZILLA_1_8_BRANCH upgrades to NSPR 4.6.5.  We can do
   this in 1.8.1.2.
Setting blocking, but only to make sure we upgrade to NSPR 4.6.5 in time for 1.8.1.2.  

Wan-Teh:  What is the ETA for the NSPR 4.6.5 release?  We are aiming for a 1/18 code freeze for 1.8.1.2.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2+
Jay: I'll make sure to release NSPR 4.6.5 before your code freeze on 1/18.
I checked in the fix when I landed NSPR 4.6.5 Beta 1 on the
MOZILLA_1_8_BRANCH today (see bug 363070 comment 11).
Keywords: fixed1.8.1.2
Confirmed use of NSPR 4.6.5 final and NSS 3.11.5 final for 1.8.1 branch.  Check in of these versions was made on 2007-01-18.

Marking verified 1.8.1.2pre verified.
Keywords: fixed1.8.1.2verified1.8.1.2
The 1.8.0.10 release also used NSPR 4.6.5
Group: security
Keywords: fixed1.8.0.10
You need to log in before you can comment on or make changes to this bug.