Re: Fix for JDK Double.parseDouble infinite loop
On Wed, February 2, 2011 17:16, Andrew Haley wrote:
> The post on
> http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

This is hitting more and more media. e.g.
http://www.channelregister.co.uk/2011/02/07/java_denial_of_service_bug/

Since it seems to be a pretty serious security/denial of service attack, maybe we could at least get the fix into IcedTea6 and warn the various distros they should apply it asap for their users?

Cheers,

Mark
Re: Fix for JDK Double.parseDouble infinite loop
On 7 February 2011 21:48, Mark Wielaard m...@klomp.org wrote:
> On Wed, February 2, 2011 17:16, Andrew Haley wrote:
>> The post on
>> http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
>
> This is hitting more and more media. e.g.
> http://www.channelregister.co.uk/2011/02/07/java_denial_of_service_bug/
>
> Since it seems to be a pretty serious security/denial of service attack, maybe we could at least get the fix into IcedTea6 and warn the various distros they should apply it asap for their users?
>
> Cheers,
>
> Mark

I'll add it tomorrow. I expect new IcedTea6 releases soon to coincide with the Oracle SSR; see http://www.oracle.com/technetwork/topics/security/alerts-086861.html

--
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D 0698 0713 C3ED F586 2A37
Re: Fix for JDK Double.parseDouble infinite loop
Andrew Haley aph@... writes:
> The post on
> http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

Also see (filed more than a year ago):
https://bugs.openjdk.java.net/show_bug.cgi?id=100119

Best,
Ismael
Re: Fix for JDK Double.parseDouble infinite loop
Ismael Juma mlists@... writes:
> Also see (filed more than a year ago):
> https://bugs.openjdk.java.net/show_bug.cgi?id=100119

Oops, some of the newer messages were not visible on my reader for some reason. Sorry for the noise.

Ismael
Fix for JDK Double.parseDouble infinite loop
The post on http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ describes a (on first sight) trivial bug when parsing strings into Java Double objects.

Runtime (java app hang):

    // Hangs inside Double.parseDouble on an unfixed JDK.
    class runhang {
        public static void main(String[] args) {
            System.out.println("Test:");
            double d = Double.parseDouble("2.2250738585072012e-308");
            System.out.println("Value: " + d);
        }
    }

DevTime (javac hang):

    // Hangs javac on an unfixed JDK: the literal is converted at compile time.
    class compilehang {
        public static void main(String[] args) {
            double d = 2.2250738585072012e-308;
            System.out.println("Value: " + d);
        }
    }

The problem is that the estimation of halfUlp is too small in the case where the larger alternative is normal and the smaller is denormal. In this case, the first estimate for 2.22507385850720120e-308 is 2.225073858507200889...e-308, an error of -3.109754e-324, and the second is 2.225073858507201383...e-308, an error of 1.830902e-324, so the second should be chosen.

Unfortunately, in the second case the calculated halfUlp is 2^-1076, which is wrong because the next lower number will be denormal. Because denormals don't have the implied 1 bit, they are less accurate than normals, so the next lower number will have the same precision as this number, not twice the precision. Therefore, the estimated halfUlp is too large: it must be 2^-1075.

So, I think this may be the correct fix:

--- /local/openjdk/jdk6/jdk/src/share/classes/sun/misc/FloatingDecimal.java 2011-02-01 15:28:10.550913741 + +++ /local/icedtea6/openjdk/jdk/src/share/classes/sun/misc/FloatingDecimal.java2011-02-02 12:07:22.292913754 + @@ -1549,7 +1548,7 @@ if ( (cmpResult = bigB.cmp( bigD ) ) 0 ){ overvalue = true; // our candidate is too big. diff = bigB.sub( bigD ); -if ( (bigIntNBits == 1) (bigIntExp -expBias) ){ +if ( (bigIntNBits == 1) (bigIntExp-1 -expBias) ){ // candidate is a normalized exact power of 2 and // is too big. We will be subtracting. // For our purposes, ulp is the ulp of the

Andrew.
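Review bot: the comment directly under the changed condition ("candidate is a normalized exact power of 2 and is too big ... ulp is the ulp of the" next lower number) still describes only the general case, while the new `bigIntExp-1 -expBias` test now deliberately leaves out the smallest normal, 2^-1022, whose lower neighbour is the largest denormal and has the same ulp (2^-1074) rather than half of it; add a line to that comment saying so, otherwise the off-by-one reads like an accident to the next person who touches it. Two smaller points on the same hunk: as pasted, the operators between `(bigIntNBits == 1)` and `(bigIntExp-1 -expBias)` have been eaten (presumably `&&` and `>`), and since the whole fix is a boundary condition the exact operator should be confirmed in the real patch; and the header `@@ -1549,7 +1548,7 @@` together with the jdk6 and icedtea6 paths shows the diff was taken across two different trees, so regenerate it against the tree it is meant to apply to. A regression test that parses the string from the post, "2.2250738585072012e-308", and checks that it returns the larger candidate (2.225073858507201383...e-308, i.e. 2^-1022) without hanging would make the fix verifiable.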
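An added worked example, not code from the thread or from OpenJDK: a Python model of the halfUlp special case that the patch above changes, using exact rational arithmetic (fractions.Fraction) so the error figures in the analysis can be recomputed rather than trusted. Python is used rather than Java because the point is the exact arithmetic, and the Java version simply hangs on an unfixed JDK. The function names, the `patched` flag and the simplified correction loop are this example's own modelling assumptions; the real loop in sun.misc.FloatingDecimal is more involved, and only the "normalized exact power of two that is too big" rule from the hunk is reproduced. The example also runs the loop on two ordinary inputs to show the halving rule is sound for every normal power of two except the smallest.

```python
"""Exact-arithmetic model of the halfUlp special case in the patch.

Added example (not code from the thread or the JDK).  Needs Python 3.9+
for math.nextafter.  Only positive finite values are modelled.
"""
from decimal import Decimal, localcontext
from fractions import Fraction
import math
import struct

MIN_NORMAL = 2.0 ** -1022                 # Java Double.MIN_NORMAL
HANG_INPUT = "2.2250738585072012e-308"    # the string from the exploringbinary post


def ulp_below(x: float) -> Fraction:
    """Exact gap from x down to the next double toward zero."""
    return Fraction(x) - Fraction(math.nextafter(x, 0.0))


def ulp_above(x: float) -> Fraction:
    """Exact gap from x up to the next double away from zero."""
    return Fraction(math.nextafter(x, math.inf)) - Fraction(x)


def is_power_of_two(x: float) -> bool:
    return x > 0.0 and math.frexp(x)[0] == 0.5


def significand_is_even(x: float) -> bool:
    return struct.unpack("<Q", struct.pack("<d", x))[0] & 1 == 0


def half_ulp_below_estimate(x: float, patched: bool) -> Fraction:
    """Threshold an over-large candidate x is compared against.

    Models the branch the hunk touches: for a normalized exact power of two the
    JDK takes the ulp of the next lower number to be half of x's own ulp and
    halves it again for halfUlp.  That is exact for every normal power of two
    except MIN_NORMAL, whose lower neighbour is the largest denormal and has the
    same ulp, 2^-1074.  The `patched` flag (this example's assumption) models
    the new condition, which excludes MIN_NORMAL from the special case.
    """
    special = is_power_of_two(x) and x >= MIN_NORMAL
    if patched and x == MIN_NORMAL:
        special = False
    if special:
        return ulp_above(x) / 4      # 2^-1076 at MIN_NORMAL: too small
    return ulp_below(x) / 2          # exact half gap below x (2^-1075 at MIN_NORMAL)


def lower_candidate(v: Fraction) -> float:
    """Largest double not above v (the lower of the two bracketing candidates)."""
    x = float(v)
    while Fraction(x) > v:
        x = math.nextafter(x, 0.0)
    return x


def candidate_errors(s: str) -> tuple:
    """Exact signed errors (candidate - value) of the two doubles bracketing s."""
    v = Fraction(s)
    lo = lower_candidate(v)
    hi = math.nextafter(lo, math.inf)
    return Fraction(lo) - v, Fraction(hi) - v


def correction_loop(s: str, patched: bool, max_steps: int = 8):
    """Simplified model of the candidate-correction loop: start at the lower
    candidate and step toward the correctly rounded double, accepting a
    candidate once its error is within half the gap to the neighbour on the
    other side (ties to even).  Returns (result, steps); result is None when the
    walk keeps oscillating, which is the hang in the thread (the JDK loop has no
    step limit)."""
    v = Fraction(s)
    x = lower_candidate(v)
    for step in range(max_steps):
        diff = Fraction(x) - v
        if diff == 0:
            return x, step
        if diff > 0:                                   # too big: look below
            half = half_ulp_below_estimate(x, patched)
            if diff < half or (diff == half and significand_is_even(x)):
                return x, step
            x = math.nextafter(x, 0.0)
        else:                                          # too small: look above
            half = ulp_above(x) / 2
            if -diff < half or (-diff == half and significand_is_even(x)):
                return x, step
            x = math.nextafter(x, math.inf)
    return None, max_steps


def show(f: Fraction, digits: int = 7) -> str:
    """Short decimal rendering of an exact Fraction (float() would round values
    this small to a denormal and hide the digits)."""
    with localcontext() as ctx:
        ctx.prec = digits
        return str(Decimal(f.numerator) / Decimal(f.denominator))


if __name__ == "__main__":
    lo_err, hi_err = candidate_errors(HANG_INPUT)
    print("lower candidate error:", show(lo_err))
    print("upper candidate error:", show(hi_err))
    print("halfUlp at MIN_NORMAL, unpatched:", show(half_ulp_below_estimate(MIN_NORMAL, False)))
    print("halfUlp at MIN_NORMAL, patched:  ", show(half_ulp_below_estimate(MIN_NORMAL, True)))
    print("unpatched loop:", correction_loop(HANG_INPUT, patched=False))
    print("patched loop:  ", correction_loop(HANG_INPUT, patched=True))
```

With the unpatched estimate the loop never settles on the post's input: at the lower candidate the error exceeds half the gap above, so it steps up to 2^-1022, where the error (1.83e-324) exceeds the under-estimated halfUlp of 2^-1076, so it steps back down, and so on. With the patched estimate (2^-1075) the same candidate is accepted after one step. For "0.1" and for "0.49999999999999998" (which rounds up to the normal power of two 0.5) both variants return the correctly rounded double, because below any normal power of two other than MIN_NORMAL the ulp really is halved.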
Re: Fix for JDK Double.parseDouble infinite loop
Andrew Haley wrote:
> The post on http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ describes a (on first sight) trivial bug when parsing strings into Java Double objects.

Thanks for the analysis and patch. We also have a fix from Dmitry Nadezhin that he posted here some time ago (but fell through the cracks for some reason). I expect this issue will be fixed soon.

-Alan
Re: Fix for JDK Double.parseDouble infinite loop
On Wed, 2011-02-02 at 20:02 +, Alan Bateman wrote:
> Andrew Haley wrote:
>> The post on http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ describes a (on first sight) trivial bug when parsing strings into Java Double objects.
>
> Thanks for the analysis and patch. We also have a fix from Dmitry Nadezhin that he posted here some time ago (but fell through the cracks for some reason). I expect this issue will be fixed soon.

Wow, I did some digging to find this. And it was reported back in 2001 (!):
http://bugs.sun.com/view_bug.do?bug_id=4421494
There is even a suggested fix in the report.

Dmitry Nadezhin posted about it on the list in 2009:
http://mail.openjdk.java.net/pipermail/core-libs-dev/2009-November/003153.html

If people are looking into floating point issues now, it might be good to also take a look at the other issues he mentioned in 2010 when he proposed a Math subproject for OpenJDK:
http://mail.openjdk.java.net/pipermail/core-libs-dev/2010-January/003556.html

Cheers,

Mark