Crash @ dtoa/prdtoa.c when running with reduced CPU float precision

RESOLVED FIXED in 4.6.5

Status

NSPR
NSPR
RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: Wan-Teh Chang, Assigned: Wan-Teh Chang)

Tracking

({fixed1.8.0.10, verified1.8.1.2})

4.6.5
x86
Windows XP
Bug Flags:
blocking1.8.1.2 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:moderate])

Attachments

(2 attachments)

(Assignee)

Description

12 years ago
This crash was first reported in the JavaScript version of
prdtoa.c in bug 358569.

If the CPU float precision is somehow reduced, the following for
loop in dtoa() won't terminate because dval(d) doesn't become 0
due to inaccurate floating-point arithmetic:

		for(i = 1;; i++, dval(d) *= 10.) {
			L = (Long)(dval(d) / ds);
			dval(d) -= L*ds;
#ifdef Check_FLT_ROUNDS
			/* If FLT_ROUNDS == 2, L will usually be high by 1 */
			if (dval(d) < 0) {
				L--;
				dval(d) += ds;
				}
#endif
			*s++ = '0' + (int)L;
			if (!dval(d)) {
#ifdef SET_INEXACT
				inexact = 0;
#endif
				break;
				}
			if (i == ilim) {
#ifdef Honor_FLT_ROUNDS
				if (mode > 1)
				switch(rounding) {
				  case 0: goto ret1;
				  case 2: goto bump_up;
				  }
#endif
				dval(d) += dval(d);
				if (dval(d) > ds || dval(d) == ds && L & 1) {
 bump_up:
					while(*--s == '9')
						if (s == s0) {
							k++;
							*s = '0';
							break;
							}
					++*s++;
					}
				break;
				}
			}
		goto ret1;
		}
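An added illustration of the failure mode described above (not part of the bug report, and not Keith Victor's patch, which this page does not show): a simplified form of the digit loop in which `rp()` rounds every arithmetic result to a 24-bit significand to emulate lowered FPU precision. The names `rp` and `emit_digits`, the sample value 16777217 and the `cap` bound are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: emulate lowered FPU precision by rounding each arithmetic
   result to float's 24-bit significand. Loads stay exact. */
static double rp(double x) { volatile float f = (float)x; return (double)f; }

/* Simplified form of the digit loop for an integer-valued d, ds = 10^k.
   out must hold cap + 1 bytes. Returns the number of digits written, or
   -1 if cap digits were written and the residue is still nonzero, which
   is where a loop that only tests !dval(d) keeps storing through s. */
static int emit_digits(double d, double ds, int reduced, char *out, int cap)
{
    int n = 0;
    for (;;) {
        double q = reduced ? rp(d / ds) : d / ds;
        long L = (long)q;
        double p = reduced ? rp((double)L * ds) : (double)L * ds;
        d = reduced ? rp(d - p) : d - p;
        if (n == cap) { out[n] = '\0'; return -1; }
        out[n++] = (char)('0' + (int)L);
        if (d == 0.0)
            break;
        d = reduced ? rp(d * 10.0) : d * 10.0;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[33];
    /* Constructed input: 2^24 + 1 needs 25 significant bits. */
    int n = emit_digits(16777217.0, 1e7, 0, buf, 32);
    printf("full precision:    %d digits \"%s\"\n", n, buf);
    n = emit_digits(16777217.0, 1e7, 1, buf, 32);
    printf("reduced precision: %d digits \"%s\"\n", n, buf);
    n = emit_digits(16777217.0, 1e7, 1, buf, 8);
    printf("reduced, cap 8:    %d\n", n);
    return 0;
}
```

In this constructed case the full-precision run stops after the 8 digits of the value, while the reduced-precision run still has a nonzero residue after the 8th digit and stores a 9th, wrong digit before the residue happens to reach zero. A buffer sized for the expected digit count is therefore written past its end unless the loop is bounded.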
(Assignee)

Comment 1

12 years ago
Created attachment 246836 [details]
Test program that reproduces the crash on Windows
(Assignee)

Comment 2

12 years ago
Created attachment 246837 [details] [diff] [review]
Patch by Keith Victor <keith@virtock.com>
Flags: wanted1.8.1.x+
Whiteboard: [sg:moderate]
QA Contact: wtchang → nspr
Wan-Teh: when you split this out of the jsdtoa bug, when did you intend to fix it? Not sure why we didn't just do it at the same time given an existing patch.
Flags: blocking1.8.1.2?
(Assignee)

Comment 4

12 years ago
Dan, this NSPR bug should not block Mozilla 1.8.1.2.  I marked
this bug security-sensitive only because the related JavaScript
bug 358569 is security-sensitive.
(Assignee)

Comment 5

12 years ago
I checked in the patch on the NSPR trunk (NSPR 4.7), the
NSPRPUB_PRE_4_2_CLIENT_BRANCH (Mozilla 1.9 Alpha 2), and
the NSPR_4_6_BRANCH (NSPR 4.6.5).

Checking in prdtoa.c;
/cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v  <--  prdtoa.c
new revision: 4.4; previous revision: 4.3
done

Checking in prdtoa.c;
/cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v  <--  prdtoa.c
new revision: 3.7.4.9; previous revision: 3.7.4.8
done

Checking in prdtoa.c;
/cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v  <--  prdtoa.c
new revision: 4.3.2.1; previous revision: 4.3
done
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → 4.6.5

Comment 6

12 years ago
WTC:  Is there anything left to do in this bug?  Did your NSPR checkins fix this?  Or do we need to review and land Keith Victor's patch?  Please clarify.  Thanks!
(Assignee)

Comment 7

12 years ago
Jay,

The NSPR patch that I checked in is Keith Victor's patch,
adapted for NSPR's version of that file.

The remaining work is:
1. release NSPR 4.6.5
2. MOZILLA_1_8_BRANCH upgrades to NSPR 4.6.5.  We can do
   this in 1.8.1.2.

Comment 8

12 years ago
Setting blocking, but only to make sure we upgrade to NSPR 4.6.5 in time for 1.8.1.2.  

Wan-Teh:  What is the ETA for the NSPR 4.6.5 release?  We are aiming for a 1/18 code freeze for 1.8.1.2. 
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2+
(Assignee)

Comment 9

12 years ago
Jay: I'll make sure to release NSPR 4.6.5 before your code freeze on 1/18.
(Assignee)

Comment 10

12 years ago
I checked in the fix when I landed NSPR 4.6.5 Beta 1 on the
MOZILLA_1_8_BRANCH today (see bug 363070 comment 11).
Keywords: fixed1.8.1.2
Confirmed use of NSPR 4.6.5 final and NSS 3.11.5 final for 1.8.1 branch.  Check in of these versions was made on 2007-01-18.

Marking verified 1.8.1.2pre verified.
Keywords: fixed1.8.1.2 → verified1.8.1.2
The 1.8.0.10 release also used NSPR 4.6.5
Group: security
Keywords: fixed1.8.0.10