This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.



Crash in FP printing code


I'm seeing a crash on i386-pc-linux-gnu in print_fp.  Test code:

#define _GNU_SOURCE          /* for vasprintf */
#include <stdarg.h>
#include <stdio.h>

/* Raw 12-byte i386 long double, low word first: exponent 0xcd0, sign clear,
   all significand bits (including the explicit integer bit) zero. */
int data[] = {0x00000000, 0x00000000, 0x00000cd0};
struct ieee {
        unsigned int mantissa1:32;
        unsigned int mantissa0:30;
        unsigned int quiet_nan:1;
        unsigned int one:1;
        unsigned int exponent:15;
        unsigned int negative:1;
        unsigned int empty:16;
} *pieee = (struct ieee *) data;
long double *doub = (long double *) data;
int main()
{
  char *ret = 0;
  printf ("%.35Lg\n", *doub);
  /* Relies on va_list being a plain pointer on i386, so the long double
     argument is fetched straight out of data[]. */
  vasprintf (&ret, "%.35Lg", (va_list) doub);
  printf ("%s\n", ret);
  return 0;
}

That number is:

$2 = {mantissa1 = 0, mantissa0 = 0, quiet_nan = 0, one = 0, exponent = 3280, negative = 0, empty = 0}

which ought to be a perfectly valid floating point number, as far as I can
tell?

It crashes in __mpn_rshift.

726                           else if (BITS_PER_MP_LIMB - 1 - cnt_h <= cnt_l)
727                             {
728                               (void) __mpn_rshift (frac, tmp + i, tmpsize - i,
729                                                    BITS_PER_MP_LIMB - 1 - cnt_h);
730                               fracsize = tmpsize - i;
731                             }
732                           else
(gdb) p frac
$4 = (mp_limb_t *) 0xbfffe73c
(gdb) p *frac
$5 = 0
(gdb) p tmp + i
$6 = (mp_limb_t *) 0xbfffeb20
(gdb) p tmpsize - i
$7 = -450
(gdb) p cnt_h
$8 = 200


->   64 L(oop): movl    (%esi,%edx,4),%ebx      /* load next higher limb */
     65         shrdl   %cl,%ebx,%eax           /* compute result limb */
     66         movl    %eax,(%edi,%edx,4)      /* store it */

(gdb) p/x $esi
$5 = 0xbfffe418
(gdb) p/x $edx
$6 = 0x6fa
(gdb) p/x $esi + $edx * 4
$7 = 0xc0000000

i.e. it reads off the stack.

It looks like the problem is the fact that i == 665... but how it got there
involves a maze of twisty little gmp routines, and I have no idea.

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
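The bit pattern from the report above, decoded and classified according to the x87 80-bit extended-precision encoding. This is an added example, not part of the post or of glibc: REPORT_WORDS is the post's data[] array, ONE_WORDS is a constructed encoding of 1.0L for comparison, and the class names follow Intel's terminology (a finite, non-zero exponent with the explicit integer bit clear is an "unnormal", which the 80387 and later treat as an invalid operand rather than a number). The point for anyone writing code that interprets the bit pattern itself, as a printf implementation does, is that such encodings have to be rejected or special-cased up front instead of being fed into size and shift computations.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs: the three 32-bit words of an i386 12-byte long double,
   low word first. REPORT_WORDS is the data[] array from the post above;
   ONE_WORDS is the ordinary encoding of 1.0L (exponent 0x3fff, integer bit set). */
static const uint32_t REPORT_WORDS[3] = {0x00000000, 0x00000000, 0x00000cd0};
static const uint32_t ONE_WORDS[3]    = {0x00000000, 0x80000000, 0x00003fff};

enum x87_class {
    X87_ZERO, X87_DENORMAL, X87_PSEUDO_DENORMAL, X87_NORMAL, X87_UNNORMAL,
    X87_INFINITY, X87_QNAN, X87_SNAN, X87_PSEUDO_INF_OR_NAN
};

static const char *const X87_CLASS_NAME[] = {
    "zero", "denormal", "pseudo-denormal", "normal", "unnormal",
    "infinity", "quiet NaN", "signalling NaN", "pseudo-infinity/pseudo-NaN"
};

struct x87_fields {
    uint64_t mantissa;  /* all 64 significand bits, explicit integer bit at bit 63 */
    unsigned exponent;  /* 15-bit biased exponent */
    unsigned negative;  /* sign bit */
    unsigned one;       /* the explicit integer bit (the post's "one" field) */
};

/* Split the three words into the same fields as the post's struct ieee. */
static struct x87_fields x87_decode(const uint32_t w[3])
{
    struct x87_fields f;
    f.mantissa = ((uint64_t)w[1] << 32) | w[0];
    f.exponent = w[2] & 0x7fffu;
    f.negative = (w[2] >> 15) & 1u;
    f.one = (unsigned)(f.mantissa >> 63);
    return f;
}

static enum x87_class x87_classify(const uint32_t w[3])
{
    struct x87_fields f = x87_decode(w);
    uint64_t frac = f.mantissa & 0x7fffffffffffffffULL;  /* bits below the integer bit */

    if (f.exponent == 0) {
        if (f.mantissa == 0) return X87_ZERO;
        return f.one ? X87_PSEUDO_DENORMAL : X87_DENORMAL;
    }
    if (f.exponent == 0x7fff) {
        if (!f.one) return X87_PSEUDO_INF_OR_NAN;
        if (frac == 0) return X87_INFINITY;
        return ((frac >> 62) & 1u) ? X87_QNAN : X87_SNAN;
    }
    /* Finite with a non-zero exponent: the integer bit must be set. */
    return f.one ? X87_NORMAL : X87_UNNORMAL;
}

/* Encodings the 80387 and later treat as invalid operands, not numbers.
   Software that interprets the bit pattern itself has to reject or
   special-case these before deriving any sizes or shift counts from them. */
static int x87_is_invalid_operand(const uint32_t w[3])
{
    enum x87_class c = x87_classify(w);
    return c == X87_UNNORMAL || c == X87_PSEUDO_INF_OR_NAN;
}

int main(void)
{
    const uint32_t *inputs[2] = {REPORT_WORDS, ONE_WORDS};
    for (int k = 0; k < 2; k++) {
        struct x87_fields f = x87_decode(inputs[k]);
        printf("exponent=%u one=%u negative=%u class=%s%s\n",
               f.exponent, f.one, f.negative,
               X87_CLASS_NAME[x87_classify(inputs[k])],
               x87_is_invalid_operand(inputs[k]) ? " (invalid operand)" : "");
    }
    return 0;
}
```

Run on the report's words this prints exponent=3280 and one=0, the same values as the gdb struct dump in the post, and classifies the pattern as an unnormal; the 1.0L words classify as normal. The decoder works on the raw words rather than on a long double so it behaves identically on any host, not just i386.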

