Date: Tue, 13 Dec 2005 14:30:18 +0100 (CET)
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/90333: libc/gdtoa::__hldtoa() bug
Message-ID: <200512131330.jBDDUI5e012563@critter.freebsd.dk>
Resent-Message-ID: <200512131340.jBDDe34p077759@freefall.freebsd.org>

>Number: 90333
>Category: bin
>Synopsis: libc/gdtoa::__hldtoa() bug
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 13 13:40:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Poul-Henning Kamp
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD critter.freebsd.dk 7.0-CURRENT FreeBSD 7.0-CURRENT #5: Sat Sep 17 14:53:58 CEST 2005 root@critter.freebsd.dk:/freebsd/src/sys/i386/compile/CRITTER i386
>Description:

/* You're not supposed to hit this problem */

For some denormalized long double values, a bug in __hldtoa() (called from *printf()'s %A format) results in a base 16 digit being rounded up from 0xf to 0x10.

When this digit is subsequently converted to string format, an index of 10 reaches past the end of the upper-case hex/char array, picking up whatever the code segment happens to contain at that address.

This mostly seems to be some character from the upper half of the byte range.

When using the %a format instead of %A, the first character past the end of the lowercase hex/char table happens to be index 0 in the uppercase hex/char table hextable and therefore the string representation features a '0', which is supposedly correct.

This leads me to believe that the proper fix _may_ be as simple as masking all but the lower four bits off after incrementing a hex-digit in libc/gdtoa/_hdtoa.c:roundup().

I worry however that the upper bit in 0x10 indicates a carry not carried.

Until das@ or bde@ finds time to visit this issue, extend the hexdigit arrays with a 17th index containing '?' so that we get an invalid but consistent and printable output in both %a and %A formats whenever this bug strikes.

This unmasks the bug in the %a format, therefore solving the real issue may both become easier and more urgent.

Possibly related to: PR 85080
With help by: bde@

Revision  Changes    Path
1.71      +2 -2      src/lib/libc/stdio/vfprintf.c

>How-To-Repeat:

	#include <ieeefp.h>
	#include <stdio.h>
	#include <math.h>
	#include <vis.h>

	static void
	pri(const char *fmt, double d)
	{
		char buf[BUFSIZ], buf2[BUFSIZ];

		sprintf(buf, fmt, d, d, d, d);
		strvis(buf2, buf, VIS_OCTAL);
		printf("[%s]\n", buf2);
	}

	int
	main(int argc, char **argv)
	{
		long double x, y;
		int i;

		pri("%-.1LA", 1.0);
		pri("%-.21LA", 1.0);
		fpsetprec(FP_PE);
		x = 0xF.FC0000000000000000000p-1022;
		y = pow(2.0, -1022.0);
		y *= y;				/* -2044 */
		y *= y;				/* -4088 */
		y *= y;				/* -8176 */
		y *= y;				/* -16352 */
		y *= pow(2.0, -35.0);		/* -16387 */
		y *= pow(2.0, 1022.0);		/* -16387+1022 */
		x *= y;
		/* 0XF.FC0000000000000000000p-16387 degcc'ed */
		printf("%-.1LA\n", x);
		return (0);
	}

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
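
The report above turns on what happens when a hex digit holding 0xf is rounded up. The following is an added example, not code from the report or from FreeBSD's libc: a constructed model in which digits are stored as values 0..15, comparing an increment with no carry, the mask-only idea, and carry propagation, with a bounds-checked table lookup. All function names and the sample digits are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed model: digits are values 0..15, most significant first. */
static const char xdigs_upper[] = "0123456789ABCDEF";

/* Bounds-checked lookup: anything outside 0..15 renders as '?'. */
static char hexdigit(unsigned v) { return v < 16 ? xdigs_upper[v] : '?'; }

/* Model of the fault: bump the last digit with no carry, so 0xf -> 0x10. */
static void round_last_only(unsigned char *d, size_t n) { d[n - 1]++; }

/* Mask-only variant: the digit stays in range but the carry is dropped. */
static void round_masked(unsigned char *d, size_t n)
{
    d[n - 1] = (unsigned char)((d[n - 1] + 1) & 0xf);
}

/* Carry-propagating variant. Returns 1 when the carry leaves the top digit;
 * the digits are then 1,0,0,... and the caller adds 4 to the binary exponent. */
static int round_carry(unsigned char *d, size_t n)
{
    size_t i = n;
    while (i > 0) {
        if (d[--i] != 0xf) { d[i]++; return 0; }
        d[i] = 0;
    }
    d[0] = 1;
    return 1;
}

/* Render n digits into out, which must hold n + 1 bytes. */
static void render(const unsigned char *d, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++) out[i] = hexdigit(d[i]);
    out[n] = '\0';
}

int main(void)
{
    unsigned char a[] = {1, 0xf, 0xf}, b[] = {1, 0xf, 0xf}, c[] = {1, 0xf, 0xf};
    char s[4];
    round_last_only(a, 3); render(a, 3, s); printf("no carry: %s\n", s);
    round_masked(b, 3);    render(b, 3, s); printf("masked:   %s\n", s);
    round_carry(c, 3);     render(c, 3, s); printf("carried:  %s\n", s);
    return 0;
}
```

In this model the masked result is printable but is a different number from the carried one, and the checked lookup never reads past the 16-entry table.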