UB in various hypot() implementations (left-shifting a negative number)

Steve Kargl sgk at troutmask.apl.washington.edu
Sat Nov 16 18:02:29 UTC 2019 

The patch for hypotl() is likely unneeded as there is no shifting
of a negative integer in the code being changed.  Does csqrt_test.c
pass without Jeff's patch?

This is the original code

     u_int32_t high;
     t1 = 1.0;
     GET_HIGH_WORD(high,t1);
     SET_HIGH_WORD(t1,high+DESW(k));

high + DESW(k) = high + k
               = 16383 + k

and this is the code after the patch

     t1 = 0.0;
     SET_HIGH_WORD(t1,ESW(k));

ESW(k) = MAX_EXP - 1 + k
       = LDBL_MAX_EXP - 1 + k
       = 16384 - 1 + k
       = 16383 + k

So, in principle there is no functional change.

-- 
steve

On Sat, Nov 16, 2019 at 11:03:19PM +0800, Li-Wen Hsu wrote:
> I did a quick test, it seems one regression test fails:
> 
> lwhsu at x1c:/usr/tests/lib/msun > kyua debug csqrt_test:main
> 1..18
> ok 1 - csqrt
> ok 2 - csqrt
> ok 3 - csqrt
> ok 4 - csqrt
> ok 5 - csqrt
> ok 6 - csqrt
> ok 7 - csqrt
> ok 8 - csqrt
> ok 9 - csqrt
> ok 10 - csqrt
> ok 11 - csqrt
> ok 12 - csqrt
> ok 13 - csqrt
> ok 14 - csqrt
> ok 15 - csqrt
> ok 16 - csqrt
> Assertion failed: (creall(result) == ldexpl(14 * 0x1p-4, exp / 2)),
> function test_overflow, file
> /usr/home/lwhsu/freebsd-src/lib/msun/tests/csqrt_test.c, line 236.
> Process with PID 18700 exited with signal 6 and dumped core;
> attempting to gather stack trace
> [New LWP 101179]
> Core was generated by `/usr/tests/lib/msun/csqrt_test'.
> Program terminated with signal SIGABRT, Aborted.
> #0  thr_kill () at thr_kill.S:3
> 3       RSYSCALL(thr_kill)
> #0  thr_kill () at thr_kill.S:3
> #1  0x00000008004543a4 in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:52
> #2  0x00000008003c3029 in abort () at /usr/src/lib/libc/stdlib/abort.c:67
> #3  0x0000000800440e71 in __assert (func=<optimized out>,
> file=<optimized out>, line=<optimized out>, failedexpr=<optimized
> out>) at /usr/src/lib/libc/gen/assert.c:51
> #4  0x00000000002040bd in test_overflow (maxexp=16384) at
> /usr/home/lwhsu/freebsd-src/lib/msun/tests/csqrt_test.c:236
> #5  0x0000000000202a91 in main () at
> /usr/home/lwhsu/freebsd-src/lib/msun/tests/csqrt_test.c:363
> GDB exited successfully
> Files left in work directory after failure: csqrt_test.core
> csqrt_test:main  ->  broken: Received signal 6
> 
> I haven't checked the details, but I definitely need experts in this
> field to help.
> 
> Thanks,
> Li-Wen
> 
> 
> On Thu, Nov 14, 2019 at 7:22 AM Steve Kargl
> <sgk at troutmask.apl.washington.edu> wrote:
> >
> > Looks good to me.  Just need to convince someone to commit it.
> >
> > --
> > steve
> >
> >
> > On Wed, Nov 13, 2019 at 02:43:04PM -0800, Jeff Walden wrote:
> > >
> > > Just wanted to note here that I filed https://reviews.freebsd.org/D22354 to fix a bit of undefined behavior in the hypot() function implementations.
> > >
> > > `hypot(x, y)` computes `sqrt(x*x + y*y)`, with IEEE-754-aware precision.  For very large or small `x` or `y`, the naive implementation would lose precision -- so in such cases the calculation is performed after multiplying the numbers by a very large (or very small) power of two, then the multiplication is undone at end.
> > >
> > > Undoing the multiplication involves multiplying a quantity `w` by `2**k`, where `k` (which may be positive or negative) was computed depending on the particular `x` and `y` values provided.  Current algorithms generally take `t1=0.0`, extract the high word, add `k<<20` or `k<<23` to it to appropriately bump the exponent, then overwrite `t1`'s high word.  But it seems equally effective to take `t1=0.0`, then write `(1023+k)<<20` or `(127+k)<<23` to it for identical effect -- and `k` is never so negative to compute a negative value.  My changes do this.  (I wish there were named constants I could use for all these numbers, but as there don't seem to be any, magic numbers seems like the best I can do.)
> > >
> > > Errors in these changes would most likely produce a power of two off by a factor of two, so *probably* testing any inputs that would happen to invoke these code paths should be adequate testing.  I'm fixing this in order to upstream a likely fix in the SpiderMonkey JavaScript engine for this, so the (double, double) algorithm/change is the only one I have (purely manually) tested.  Eyeballs on the other functions' changes especially appreciated!
> > >
> > > Jeff
> > > _______________________________________________
> > > freebsd-numerics at freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-numerics
> > > To unsubscribe, send any mail to "freebsd-numerics-unsubscribe at freebsd.org"
> >
> > --
> > Steve
> > 20170425 https://www.youtube.com/watch?v=VWUpyCsUKR4
> > 20161221 https://www.youtube.com/watch?v=IbCHE-hONow
> > _______________________________________________
> > freebsd-numerics at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-numerics
> > To unsubscribe, send any mail to "freebsd-numerics-unsubscribe at freebsd.org"

-- 
Steve
20170425 https://www.youtube.com/watch?v=VWUpyCsUKR4
20161221 https://www.youtube.com/watch?v=IbCHE-hONow

More information about the freebsd-numerics mailing list