From: Vincent Lefevre <vincent@vinc17.net>
To: Xi Ruoyao <xry111@xry111.site>
Cc: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>,
Turritopsis Dohrnii Teo En Ming <teo.en.ming@protonmail.com>,
"libc-alpha@sourceware.org" <libc-alpha@sourceware.org>,
"ceo@teo-en-ming-corp.com" <ceo@teo-en-ming-corp.com>
Subject: Re: New GNU C Library (glibc) security flaw reported on 30 Jan 2024
Date: Thu, 1 Feb 2024 10:07:21 +0100 [thread overview]
Message-ID: <20240201090721.GH3044@qaa.vinc17.org> (raw)
In-Reply-To: <c3bb6b7ce260b36d3db627b3063e061369780264.camel@xry111.site>
On 2024-02-01 14:41:04 +0800, Xi Ruoyao wrote:
> On Thu, 2024-02-01 at 01:51 +0100, Vincent Lefevre wrote:
> > On 2024-02-01 02:47:18 +0800, Xi Ruoyao wrote:
> > > On Wed, 2024-01-31 at 12:52 -0300, Adhemerval Zanella Netto wrote:
> > >
> > > /* snip */
> > >
> > > >
> > > > I see this is an manual issue rather than a GNU 'extension' to qsort semantic.
> > > > And I think we should fix BZ#31322 by using a transitive comparison instead of
> > > > trying to support such cases.
> > >
> > > To me the documentation is correct (though arguably in a very subtle
> > > way):
> > >
> > > Here is an example of a comparison function which works with an array
> > > of numbers of type ‘double’:
> > >
> > > int
> > > compare_doubles (const void *a, const void *b)
> > > {
> > > const double *da = (const double *) a;
> > > const double *db = (const double *) b;
> > >
> > > return (*da > *db) - (*da < *db);
> > > }
> > >
> > > It says "numbers." But NaN literally means, "Not a Number."
> >
> > Yes, the point is to sort numbers. But since NaN may occur, the code
> > must not yield undefined behavior in such a case. This is the goal
> > of NaN: avoid undefined behavior for operations that do not make any
> > sense, and be able to detect errors at the end.
>
> When we sort *numbers* NaN cannot be passed to the comparator.
What I mean is that the intent is to sort numbers. But in any case,
the code needs to consider that NaN may occur; the result would be
an array in an indeterminate order, but the code must not produce
undefined behavior with consequences like memory corruption. If the
code is designed considering that NaN cannot occur, e.g. because
the user is required to ensure that before calling qsort, then
this must explicitly be documented with a non-ambiguous vocabulary
(typically using "assume").
> And I doubt if silently producing a NaN is really good for error
> detection. Simply crashing when an invalid operation happens is
> easier for debugging, IMO. And it's possible with "feenableexcept
> (FE_INVALID)" (where FP exceptions are supported).
Silently producing a NaN on "invalid" inputs is what happens in
practice, following the spec of the IEEE 754 standard. For instance,
sqrt(-1.) silently returns NaN (a flag is also set). But in general,
the user will not check for NaN (by testing the value or the flag)
after every operation/function, even when it is known that they can
generate a NaN. He will let NaN propagate (the flag can also be
checked later as it is sticky).
Note also that getting a NaN does not necessarily mean that the
program is buggy: after a sequence of computations, there may be
code to decide what to do when a NaN is obtained. So enabling
traps for FE_INVALID is not necessarily correct.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
next prev parent reply other threads:[~2024-02-01 9:09 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-31 14:08 New GNU C Library (glibc) security flaw reported on 30 Jan 2024 Turritopsis Dohrnii Teo En Ming
2024-01-31 14:23 ` Xi Ruoyao
2024-01-31 14:55 ` Vincent Lefevre
2024-01-31 15:52 ` Adhemerval Zanella Netto
2024-01-31 16:23 ` Vincent Lefevre
2024-01-31 16:44 ` Siddhesh Poyarekar
2024-01-31 18:47 ` Xi Ruoyao
2024-02-01 0:51 ` Vincent Lefevre
2024-02-01 1:03 ` Vincent Lefevre
2024-02-01 6:41 ` Xi Ruoyao
2024-02-01 9:07 ` Vincent Lefevre [this message]
2024-02-01 19:55 ` Paul Eggert
2024-02-01 21:11 ` Siddhesh Poyarekar
2024-02-05 0:58 ` Paul Eggert
2024-02-06 15:00 ` Zack Weinberg
2024-02-06 21:30 ` Paul Eggert
2024-02-06 22:04 ` Xi Ruoyao
2024-02-07 17:07 ` Zack Weinberg
2024-02-07 19:55 ` Alexander Monakov
2024-02-07 20:45 ` Zack Weinberg
2024-02-07 21:53 ` Alexander Monakov
2024-02-07 22:56 ` Paul Eggert
2024-04-06 17:17 ` Paul Eggert
2024-04-08 8:28 ` Florian Weimer
2024-04-22 14:39 ` Zack Weinberg
2024-04-23 18:09 ` Paul Eggert
2024-04-23 18:26 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/libc/involved.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240201090721.GH3044@qaa.vinc17.org \
--to=vincent@vinc17.net \
--cc=adhemerval.zanella@linaro.org \
--cc=ceo@teo-en-ming-corp.com \
--cc=libc-alpha@sourceware.org \
--cc=teo.en.ming@protonmail.com \
--cc=xry111@xry111.site \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).