gmp_printf bug?
Torbjorn Granlund
tg at gmplib.org
Wed Jul 20 13:05:18 CEST 2011
Vincent Lefevre <vincent at vinc17.net> writes:

> On 2011-07-20 10:33:25 +0200, Paul Zimmermann wrote:
> > Maybe this is a glibc bug, anyway you can now isolate the problem,
> > and report it to the glibc developers if needed.
>
> When I did the test (see MPFR mailing-list), it was on my Mac OS X
> machine:
The bug is in GMP. It is related to some calculations on the 64-bit
exponent using the 53 bits of accuracy of IEEE double. This leads to
rounding, making some internal sizes slightly too large, which in turn
causes a one-byte stack smash, overwriting the least significant byte of
a saved register, which contains a pointer, later to be passed to
realloc.
The stack layout depends on GCC version and optimisation level. That
made it hard to reproduce.
I have no fix yet. The problem is in mpf/get_str.c. I expect similar
problems to appear in more places that use the mp_bases[] table with
these extreme exponents.
A possible approach would be to store the chars_per_bit_exactly field as
an mp_limb_t (which is always >= size_t) and use umul_ppmm and keep the
high word. There are a couple of problems with that approach, though.
The integer part of GMP is safe. We never promise more than 2^50 bits
even using mpn (and much less than that when using mpz).
--
Torbjörn
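An added example, not GMP's code and not Torbjörn's, contrasting the two size estimates the message describes: a decimal digit count computed in double from a 64-bit exponent, and the limb-sized alternative that stores log10(2) as a 64-bit fixed-point fraction and keeps the high word of a 64x64->128 product. The constant floor(log10(2) * 2^64) = 0x4D104D427DE7FBCC is assumed and rounded up by one so the fixed-point estimate is never too small; unsigned __int128 (GCC/Clang) stands in for umul_ppmm, and the probe values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decimal digits needed for an nbits-bit number, estimated two ways.
   Neither function is GMP's code; the shape is illustrative only. */

/* Way 1: double arithmetic.  The constant keeps only 53 bits, and once
   the product exceeds 2^53 the result is quantised to a power-of-two
   granule (512 digits when nbits is near 2^63), so the estimate can land
   above or below the true count. */
size_t digits_via_double(uint64_t nbits)
{
    return (size_t)((double)nbits * 0.30102999566398119521) + 1;
}

/* Way 2: the limb-sized approach sketched in the post.  log10(2) is held
   as a 64-bit fixed-point fraction, rounded UP one unit from
   floor(log10(2) * 2^64) = 0x4D104D427DE7FBCC (assumed constant) so the
   estimate is an upper bound, and the high word of the 128-bit product
   is kept (unsigned __int128 stands in for umul_ppmm). */
#define LOG10_2_Q64_UP 0x4D104D427DE7FBCDULL

size_t digits_via_fixed(uint64_t nbits)
{
    unsigned __int128 p = (unsigned __int128)nbits * LOG10_2_Q64_UP;
    return (size_t)(uint64_t)(p >> 64) + 1;
}

/* Signed gap between the estimates: positive means the double-based size
   is too large, negative means it is too small. */
int64_t estimate_gap(uint64_t nbits)
{
    return (int64_t)(digits_via_double(nbits) - digits_via_fixed(nbits));
}

int main(void)
{
    /* Constructed probes: ordinary sizes agree, 63-bit exponents do not. */
    uint64_t probes[] = { 1, 64, 100, 1000, 1ULL << 63, (1ULL << 63) + 332 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("nbits=%20llu double=%20zu fixed=%20zu gap=%lld\n",
               (unsigned long long)probes[i], digits_via_double(probes[i]),
               digits_via_fixed(probes[i]), (long long)estimate_gap(probes[i]));
    return 0;
}
```

For nbits = 2^63 the double estimate is 26 digits too large, and for 2^63 + 332 (which rounds to 2^63 when converted to double) it is 74 digits too small, while the fixed-point estimate tracks the exact value.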