From igorr@speechpro.com  Tue Jun  4 00:47:36 2002
Return-Path: <igorr@speechpro.com>
Received: from speechpro.com (crt-gw.infopro.spb.su [195.201.254.5])
	by hub.freebsd.org (Postfix) with ESMTP id F3C4D37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  4 Jun 2002 00:47:35 -0700 (PDT)
Received: from drweb by sysadm.stc with drweb-scanned (Exim 3.36 #1)
	id 17F92h-000K3o-00
	for FreeBSD-gnats-submit@freebsd.org; Tue, 04 Jun 2002 11:47:47 +0400
Received: from igorr by sysadm.stc with local (Exim 3.36 #1)
	id 17F92h-000K3e-00
	for FreeBSD-gnats-submit@freebsd.org; Tue, 04 Jun 2002 11:47:47 +0400
Message-Id: <E17F92h-000K3e-00@sysadm.stc>
Date: Tue, 04 Jun 2002 11:47:47 +0400
From: Igor Roboul <igorr@speechpro.com>
Reply-To: Igor Roboul <igorr@speechpro.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: bug in vfprinf.c function cvt(...)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         38884
>Category:       misc
>Synopsis:       bug in vfprinf.c function cvt(...)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 04 00:50:01 PDT 2002
>Closed-Date:    Fri Jul 05 01:29:27 PDT 2002
>Last-Modified:  Fri Jul 05 01:29:27 PDT 2002
>Originator:     Igor Roboul
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD sysadm.stc 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Thu May 30 16:13:28 MSD 2002 root@sysadm.stc:/opt/freebsd/obj/opt/freebsd/src/sys/SYSADM i386


	
>Description:
Function cvt(double value, int ndigits, int flags, char *sign, int *decpt,
    int ch, int *length, char **dtoaresultp) in vfprintf.c does not
check the return value of __dtoa(...) for a NaN or Infinity value. Because
of this, mutt (the mail program from ports) sometimes crashes with Sig 10 in
vfprintf when showing the list of attachments or after exiting from the editor when
composing a new message.
	
>How-To-Repeat:
Launch mutt. Then open some mail with attachments, then try to get the list of
attachments (press 'v'). Sometimes, really often, mutt crashes with Signal 10.
You can get the same result if you try to send a new message.
	
>Fix:
I have changed function cvt(...) in file /usr/src/lib/libc/stdio/vfprintf.c
so it checks for *decpt != 9999 (as commented in function __dtoa(...) in file
/usr/src/lib/libc/stdlib/strtod.c, the value 9999 for *decpt indicates Infinity or
NaN).

Patch below:

--- vfprintf.c.orig	Mon Jun  3 16:27:59 2002
+++ vfprintf.c	Tue Jun  4 11:08:59 2002
@@ -1415,17 +1415,19 @@
 	digits = __dtoa(value, mode, ndigits, decpt, &dsgn, &rve,
 			dtoaresultp);
 	if ((ch != 'g' && ch != 'G') || flags & ALT) {
-		/* print trailing zeros */
-		bp = digits + ndigits;
-		if (ch == 'f') {
-			if (*digits == '0' && value)
-				*decpt = -ndigits + 1;
-			bp += *decpt;
-		}
-		if (value == 0)	/* kludge for __dtoa irregularity */
-			rve = bp;
-		while (rve < bp)
-			*rve++ = '0';
+		if(*decpt != 9999 ) { /* not (Infinity or NaN) */
+			/* print trailing zeros */
+			bp = digits + ndigits;
+			if (ch == 'f') {
+				if (*digits == '0' && value)
+					*decpt = -ndigits + 1;
+				bp += *decpt;
+			}
+			if (value == 0)	/* kludge for __dtoa irregularity */
+				rve = bp;
+			while (rve < bp)
+				*rve++ = '0';
+		} 
 	}
 	*length = rve - digits;
 	return (digits);
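Review bot: the new `if(*decpt != 9999 )` guard tests a condition this code path should never see, so it does not address the reported crash: `__dtoa()` only sets `*decpt` to 9999 for Infinity and NaN, and the reply below from bde notes that those are caught with isinf()/isnan() before `cvt()` is called. The backtrace in the thread shows the fault at `*rve++ = '0';` with `value=0, ndigits=1`, where the unchanged `if (value == 0) rve = bp;` kludge already makes the loop a no-op, which points at the digit buffer or `rve` coming back from `__dtoa()` rather than at `*decpt` (consistent with the close note on this PR blaming `__dtoa()` under gcc -O2). If the check is kept as defence in depth, write it as `if (*decpt != 9999) {` (space after `if`, none before `)`), remove the trailing whitespace after the closing `}`, and replace the bare 9999 with a named constant shared with strtod.c so the two cannot drift apart.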



>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: Igor Roboul <igorr@speechpro.com>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: misc/38884: bug in vfprinf.c function cvt(...)
Date: Thu, 6 Jun 2002 11:09:51 +1000 (EST)

 On Tue, 4 Jun 2002, Igor Roboul wrote:
 
 > >Description:
 > Function cvt(double value, int ndigits, int flags, char *sign, int *decpt,
 >     int ch, int *length, char **dtoaresultp) in vfprintf.c does not
 > check return value of __dtoa(...) for NaN or Infinity value. Because
 > of this mutt (mail program from ports) sometimes crashes with Sig 10 in
 > vfprintf when showing list of attachments or after exitiong from editor when
 > composing new message.
 >
 > >How-To-Repeat:
 > Launch mutt. Then open some mail with attachments, then try get list of
 > attachments (press 'v'). Sometimes, really often, mutt crashes with Signal 10.
 > Same result you can get if you try send new message.
 
 Can you give some formats and numbers which cause this crash?  Infs and
 NaNs are handled specially after detecting them using isinf() and isnan(),
 so __dtoa() should not even be called for them.
 
 Bruce
 
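As an added example (not code from this PR, from libc, or from mutt), the C below models the path the thread is arguing about: a constructed stand-in `model_dtoa()` that follows the `*decpt = 9999` convention the PR cites for Infinity/NaN, the trailing-zero fill from `cvt()` with the patch's sentinel guard made switchable so its effect can be measured, and a caller-side `safe_format_f()` that checks `isinf()`/`isnan()` first, in the order Bruce describes `__vfprintf` using. `DIGBUF`, `scratch`, the `guard_sentinel` flag and every function name are assumptions of this example; the explicit bound check in `cvt_fill_f()` is added here and is not part of the page's patch.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

#define DTOA_INFNAN_DECPT 9999  /* *decpt value __dtoa() reports for Inf/NaN (strtod.c) */
#define DIGBUF 64               /* constructed: size of the digit buffers below */

/* Constructed stand-in for __dtoa() in %f mode (not libc's): digits of |value| rounded to
 * ndigits fraction digits, zeros stripped, *decpt = decimal-point index, *rve = end. */
static char *model_dtoa(double value, int ndigits, int *decpt, char **rve, char *buf)
{
    char tmp[DIGBUF], *out = buf, *dot;
    if (isinf(value) || isnan(value)) {         /* documented convention: 9999 */
        *decpt = DTOA_INFNAN_DECPT;
        strcpy(buf, isnan(value) ? "NaN" : "Infinity");
        *rve = buf + strlen(buf);
        return buf;
    }
    int n = snprintf(tmp, sizeof tmp, "%.*f", ndigits, value < 0 ? -value : value);
    if (n < 0 || n >= (int)sizeof tmp)
        return NULL;                            /* value does not fit the model */
    dot = strchr(tmp, '.');
    *decpt = dot ? (int)(dot - tmp) : n;
    for (const char *p = tmp; *p; p++)
        if (*p != '.')
            *out++ = *p;
    while (out - buf > 1 && buf[0] == '0') {    /* strip leading zeros */
        memmove(buf, buf + 1, (size_t)(out - buf - 1));
        out--;
        (*decpt)--;
    }
    while (out - buf > 1 && out[-1] == '0')     /* strip trailing zeros */
        out--;
    *out = '\0';
    *rve = out;
    return buf;
}

/* cvt()'s trailing-zero fill for ch == 'f'.  guard_sentinel skips the fill when *decpt is
 * 9999 as the patch does; otherwise bp = digits + ndigits + 9999 and only the added bound
 * check stops the write.  Returns the digit count, or -1. */
static int cvt_fill_f(double value, int ndigits, char *buf, size_t bufsize,
                      int *decpt, int guard_sentinel)
{
    char *rve, *bp, *digits = model_dtoa(value, ndigits, decpt, &rve, buf);
    if (digits == NULL)
        return -1;
    if (guard_sentinel && *decpt == DTOA_INFNAN_DECPT)
        return (int)(rve - digits);             /* keep "Infinity"/"NaN" as-is */
    if (*digits == '0' && value)                /* rounded to zero (from cvt()) */
        *decpt = -ndigits + 1;
    if (ndigits + *decpt >= (int)bufsize)       /* added: never trust bp */
        return -1;
    bp = digits + ndigits + *decpt;
    while (rve < bp)
        *rve++ = '0';
    *rve = '\0';
    return (int)(rve - digits);
}

/* Caller side in the order __vfprintf uses: Inf/NaN are caught with isinf()/isnan() before
 * any digit generation.  Renders value like "%.*f"; returns the length or -1 if out is small. */
static int safe_format_f(double value, int prec, char *out, size_t outsz)
{
    char digits[DIGBUF];
    int decpt, n, i;
    size_t pos = 0;
#define PUT(c) do { if (pos + 1 >= outsz) return -1; out[pos++] = (c); } while (0)
    if (isinf(value) || isnan(value))
        return snprintf(out, outsz, "%s%s", signbit(value) ? "-" : "",
                        isnan(value) ? "nan" : "inf");
    if ((n = cvt_fill_f(value, prec, digits, sizeof digits, &decpt, 1)) < 0)
        return -1;
    if (signbit(value))
        PUT('-');
    if (decpt <= 0)                             /* no integer digits: leading "0" */
        PUT('0');
    for (i = 0; i < decpt; i++)                 /* integer part */
        PUT(i < n ? digits[i] : '0');
    if (prec > 0)
        PUT('.');
    for (i = decpt; i < decpt + prec; i++)      /* exactly prec fraction digits */
        PUT(i >= 0 && i < n ? digits[i] : '0');
#undef PUT
    out[pos] = '\0';
    return (int)pos;
}

/* Scratch buffers so a caller's main() or a test harness needs no locals. */
static char scratch[DIGBUF];
static int scratch_decpt;

int main(void)
{
    int guarded = cvt_fill_f(INFINITY, 1, scratch, sizeof scratch, &scratch_decpt, 1);
    int unguarded = cvt_fill_f(INFINITY, 1, scratch, sizeof scratch, &scratch_decpt, 0);
    safe_format_f(103 / 1024.0, 1, scratch, sizeof scratch);   /* the argument mutt passes */
    printf("%s guarded=%d unguarded=%d\n", scratch, guarded, unguarded);
    return 0;
}
```

Switching the guard off shows what the patch protects against and why it is at most defence in depth: with `*decpt == 9999` the fill target becomes `digits + ndigits + 9999`, so the unguarded `cvt_fill_f(INFINITY, 1, ...)` returns -1 from the bound check instead of writing, while the guarded call returns the 8 characters of "Infinity" untouched. Neither path is reached from `safe_format_f()`, which mirrors the caller-side `isinf()`/`isnan()` check from the reply above; that ordering is why the sentinel guard cannot explain a crash reached with `value=0`.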

From: Igor Roboul <igorr@sysadm.stc>
To: Bruce Evans <bde@zeta.org.au>
Cc:  
Subject: Re: misc/38884: bug in vfprinf.c function cvt(...)
Date: Thu, 6 Jun 2002 10:31:48 +0400

 On Thu, Jun 06, 2002 at 11:09:51AM +1000, Bruce Evans wrote:
 > 
 > Can you give some formats and numbers which cause this crash?  Infs and
 > NaNs are handled specially after detecting them using isinf() and isnan(),
 > so __dtoa() should not even be called for them.
 
 With unpatched vfprintf.c I got:
 
 This GDB was configured as "i386-portbld-freebsd5.0"...
 Core was generated by `mutt'.
 Program terminated with signal 10, Bus error.
 Reading symbols from /usr/lib/libncurses.so.5...done.
 Loaded symbols for /usr/lib/libncurses.so.5
 Reading symbols from /usr/local/lib/libintl.so.2...done.
 Loaded symbols for /usr/local/lib/libintl.so.2
 Reading symbols from /usr/local/lib/libiconv.so.3...done.
 Loaded symbols for /usr/local/lib/libiconv.so.3
 Reading symbols from /usr/lib/libc.so.5...done.
 Loaded symbols for /usr/lib/libc.so.5
 Reading symbols from /usr/libexec/ld-elf.so.1...done.
 Loaded symbols for /usr/libexec/ld-elf.so.1
 #0  cvt (value=0, ndigits=1, flags=256, sign=0x282a8736 "",
 decpt=0xbfbfc66c, 
     ch=102, length=0x282a8736, dtoaresultp=0x282a8736)
     at /opt/freebsd/src/lib/libc/stdio/vfprintf.c:1429
 1429                                    *rve++ = '0';
 (gdb) up
 #1  0x28293aa9 in __vfprintf (fp=0xbfbfca00, fmt0=0x80c2180 "%3.1fK", 
     ap=0xbfbfca84 "\200") at
 /opt/freebsd/src/lib/libc/stdio/vfprintf.c:762
 762                             cp = cvt(_double, prec, flags,
 &softsign,
 (gdb) up
 #2  0x2828f022 in snprintf (
     str=0x282aae43 "(4$*(N$*(i$*(\201$*(\232$*($*($*(&*(&*(&*(", 
     n=673875766, fmt=0x282a8736 "")
     at /opt/freebsd/src/lib/libc/stdio/snprintf.c:67
 67              ret = __vfprintf(&f, fmt, ap);
 (gdb) up
 #3  0x0809dabe in mutt_pretty_size (s=0x282acfdc "\030\n", len=128, 
     n=673875766) at muttlib.c:742
 742         snprintf (s, len, "%3.1fK", (n < 103) ? 0.1 : n / 1024.0);
 
 
 -- 
 Igor Roboul, System administrator at Speech Technology Center
 http://www.speechpro.com http://www.speechpro.ru
 

From: Igor Roboul <igorr@speechpro.com>
To: freebsd-gnats-submit@FreeBSD.org, igorr@speechpro.com
Cc:  
Subject: Re: misc/38884: bug in vfprinf.c function cvt(...)
Date: Fri, 21 Jun 2002 12:11:03 +0400

 The error is fixed by recompiling libc with -O instead of -O2,
 but I still think that there is nothing wrong with an extra check in vfprintf.c.
 

From: Igor Roboul <igorr@speechpro.com>
To: freebsd-gnats-submit@FreeBSD.org, igorr@speechpro.com
Cc:  
Subject: Re: misc/38884: bug in vfprinf.c function cvt(...)
Date: Fri, 21 Jun 2002 12:16:24 +0400

 This error disappeared after recompiling libc with -O instead of -O2,
 but I still think that an extra check in vfprintf.c is not very bad.
 
State-Changed-From-To: open->closed 
State-Changed-By: bde 
State-Changed-When: Fri Jul 5 01:26:57 PDT 2002 
State-Changed-Why:  
Superseded by bin/40209. 

The bug is in __dtoa() or in gcc-3's optimization of __dtoa() at optimization 
levels >= 2. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=38884 
>Unformatted:
