This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Ping Re: Fix strtod integer/buffer overflow (bug 14459)
On 8/27/2012 2:38 PM, Joseph S. Myers wrote:
> On Mon, 27 Aug 2012, Carlos O'Donell wrote:
>
>> This patch adds a dozen new asserts to the various code paths.
>>
>> Could you explain in some detail why the asserts are needed as
>> opposed to diagnosing a condition and returning an error?
>
> The only error permitted for strtod in errno is ERANGE (which can only be
> detected in general by setting errno before the call and testing it
> afterwards); the return value is specified for all inputs, based on
> interpreting the maximal initial subsequence of the specified form. There
> is no way to return any kind of error other than that the specified value
> results in overflow / underflow.
>
> The assertions are of two kinds: (a) those where assertion failure would
> indicate a bug in the code and (b) those where implementation limits are
> exceeded. Those of type (a) (several pre-existing) help avoid bugs in one
> part of the code propagating into possible undefined behavior, including
> overflows, in the rest of the code, and make it easier for human readers
> to see what the expectations are of the code at each point. Those of type
> (b) are more directly aimed at ensuring an integer overflow cannot occur:
> calculations where it might not be clear that there are no overflow
> possibilities have an assertion added that the following calculation does
> not overflow.
Thanks for the explanation.
This is OK with me for 2.16 given that you've tested on 64-bit and 32-bit builds.
Please check in to the 2.16 branch.
Cheers,
Carlos.
--
Carlos O'Donell
Mentor Graphics / CodeSourcery
carlos_odonell@mentor.com
carlos@codesourcery.com
+1 (613) 963 1026
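The two kinds of assertions Joseph describes above, as an added illustration that is not the glibc strtod code or the patch under discussion: a small exponent-digit accumulator of the kind strtod needs, where a type (b) assertion bounds an assumed implementation limit `exp_limit` so that the following `* 10 + digit` step cannot overflow, and a type (a) assertion states the loop invariant that guarantees it. Digits past the limit are consumed but no longer accumulated, since the interface offers no error to return; the function name and the saturation scheme are this example's own, not glibc's.

```c
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

struct exp_result {
    int exponent;      /* accumulated (possibly saturated) decimal exponent */
    size_t consumed;   /* characters of s consumed, sign included */
    bool saturated;    /* true if |exponent| exceeded exp_limit */
};

/* Parse an optional sign followed by decimal digits, as the exponent part
   of a strtod-style input.  exp_limit is an assumed implementation limit:
   once the magnitude exceeds it the final result is already certain to
   overflow or underflow, so the remaining digits are consumed (strtod must
   still honour the maximal initial subsequence) but no longer accumulated.
   Every intermediate value therefore stays bounded, and the assertions
   make that bound explicit instead of reporting an error the strtod
   interface cannot express. */
struct exp_result parse_exponent_digits(const char *s, int exp_limit)
{
    struct exp_result r = { 0, 0, false };
    int magnitude = 0;
    bool negative = false;
    size_t first_digit;

    /* Type (b): the limit must leave room for one more "* 10 + 9" step. */
    assert(exp_limit >= 0 && exp_limit <= (INT_MAX - 9) / 10);

    if (s[r.consumed] == '+' || s[r.consumed] == '-') {
        negative = (s[r.consumed] == '-');
        r.consumed++;
    }
    first_digit = r.consumed;
    while (s[r.consumed] >= '0' && s[r.consumed] <= '9') {
        if (!r.saturated) {
            /* Type (a): loop invariant; with the check above it proves the
               next line cannot overflow int. */
            assert(magnitude <= exp_limit);
            magnitude = magnitude * 10 + (s[r.consumed] - '0');
            if (magnitude > exp_limit) {
                magnitude = exp_limit + 1;   /* exact value no longer matters */
                r.saturated = true;
            }
        }
        r.consumed++;
    }
    if (r.consumed == first_digit)
        r.consumed = 0;   /* a bare sign is not an exponent: consume nothing */
    r.exponent = negative ? -magnitude : magnitude;
    return r;
}
```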