From nobody Tue Apr 23 20:04:12 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VPCkN3hjFz5HyrY; Tue, 23 Apr 2024 20:04:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VPCkN31kWz4l63; Tue, 23 Apr 2024 20:04:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1713902652; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=UJMKYG+Llr+Q5GqB5rhccv7ccFDWU/cWsRTKnZ+5pjE=; b=YYy2Zud6QnwLXVS6Es+ryLgIG6C+fwB7KpK7oZ5m6inakOA6q2XQy4BEs/Q9VufgYgliqO 9C/NT8/kLCt+QDg9T8603gGTxX9Zr1rWRBMnlKS6pyZuMhBVTa5CHg0nxUkFwHwXwqeMDG YipxlLGceusCjPnEGxif4BncT4MZiqyOZ0cnzx1oiBfDARcn+/0S21pVLbcIgCVJhJZyvt Uh2UzZsTj18gvq8p+NodPBB6pVacHl693CoDs0zdeKJ3KbHDODcTjHhJFIv+8ViolUH3D0 kyOvkT6HKECOr5pAxg11W6Vm4E+gNZjIz+3XE/Jc9ReYK038fJ0hXtOMrdTowQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1713902652; a=rsa-sha256; cv=none; b=ouqHfNbPmW34wCab7t+/W+YIL8K47rN0efaG+gnASdUGK6D4ep6M0OuFST0/0NHhNvfy88 lmtkErZvZru7rDP3d/K3A2+UNCGgM0KUW/cmg9FDj7VVrnm1JxE6zJQ5MTQ4yJ22eWDVQL MuceyZExsaERbA8ZY1bMNR9ywC0LMY7JJPjCLK6vxRxzbqTEAEXDbe6X7Yd78/AjB8edpH 0EyNqY3C9dWtwAX849jMbhYNW0mEnScqz2pybxbB2GQdwpSKSuCMMw6E5OGlmt4aRQI8iI 7XiRWdTJqs4gVhC5oLgTp5f3jK64DmkKFrXD2/H2KaoTs5egKxCU6kkQfmR6vw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1713902652; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=UJMKYG+Llr+Q5GqB5rhccv7ccFDWU/cWsRTKnZ+5pjE=; b=wA3+6MI/Hbfr26oXDZqqQAY7KtH1cgty8RfEhgfgpOgxQlwH4ebjnyjWB/TXr4XmVgSAQv sRumvjaj1qNix3ntpeXzBbUqxXp0yMkLV12JoC99EJQKFj7clPcbilCs8LU36U5g00jPwE 8SzvU8OocXza78+HG/bgXr3BKOdVk4OLQe1ZztQKqldQ/mrbvuGeWbYUYTsiERdluJgfkV 63+IgRRdfcyyrTZn+zRZ9PSRZLDA7vPZk80hybQ0xYbAlb6h9IVxNHvaEzdnQkZwtRJO8N eLJUcKAaRYC3PxUm1Cn+lyfgmCewUWmci6PpJDTbKRoLY3KvTb4IsJw2mHiEKg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VPCkN2dfszlgN; Tue, 23 Apr 2024 20:04:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 43NK4C4I011985; Tue, 23 Apr 2024 20:04:12 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 43NK4C5i011982; Tue, 23 Apr 2024 20:04:12 GMT (envelope-from git) Date: Tue, 23 Apr 2024 20:04:12 GMT Message-Id: <202404232004.43NK4C5i011982@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Warner Losh Subject: git: e75a1bbc233b - main - pow,powf(3),__ieee754_rem_pio2(f): Avoid negative integer left shift UB List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: imp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: e75a1bbc233bf112b9eb98a20ad4bdf9bc14b2cf Auto-Submitted: auto-generated The branch main has been updated by imp: URL: https://cgit.FreeBSD.org/src/commit/?id=e75a1bbc233bf112b9eb98a20ad4bdf9bc14b2cf commit e75a1bbc233bf112b9eb98a20ad4bdf9bc14b2cf Author: Karl Tomlinson AuthorDate: 2024-04-23 18:18:25 +0000 Commit: Warner Losh CommitDate: 2024-04-23 20:04:07 +0000 pow,powf(3),__ieee754_rem_pio2(f): Avoid negative integer left shift UB A compiler clever enough to know that z is positive with a non-zero biased exponent could, for example, optimize away the scalbnf(z,n) in pow() because behavior for left shift of negative values is undefined. `n` is negative when y*log2(|x|) < -0.5. i.e. |x^y| < sqrt(0.5) The intended behavior for operator<< in this code is to shift the two's complement representation of the first operand. In the pow() functions, the result is added to the IEEE 754 exponent of z = 2^y'. n may be negative enough to underflow the biased IEEE 754 exponent below zero, which is manifested in the sign bit of j (which would correspond to the IEEE 754 sign bit). The conversion from uint32_t to int32_t for out-of-int32_t-range values is implementation defined. The assumed behavior of interpreting the uint32_t value as a two's complement representation of a signed value is already assumed in many parts of the code, such as uses of GET_FLOAT_WORD() with signed integers. This code passes all the current tests, and makes some out of tree fuzzing tests pass again rather than hit UB (detailed in the commentary of the pull request). Signed-off-by: Karl Tomlinson Reviewed by: imp, steve kargl, dim Pull Request: https://github.com/freebsd/freebsd-src/pull/1137 --- lib/msun/src/e_pow.c | 6 +++++- lib/msun/src/e_powf.c | 6 +++++- lib/msun/src/e_rem_pio2.c | 2 +- lib/msun/src/e_rem_pio2f.c | 2 +- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/lib/msun/src/e_pow.c b/lib/msun/src/e_pow.c index 85afacdbb6a2..85d1d551b6fb 100644 --- a/lib/msun/src/e_pow.c +++ b/lib/msun/src/e_pow.c @@ -299,7 +299,11 @@ pow(double x, double y) r = (z*t1)/(t1-two)-(w+z*w); z = one-(r-z); GET_HIGH_WORD(j,z); - j += (n<<20); + /* + * sign bit of z is 0. + * sign bit of j will indicate sign of 0x3ff-biased exponent. + */ + j += (int32_t)((u_int32_t)n<<20); if((j>>20)<=0) z = scalbn(z,n); /* subnormal output */ else SET_HIGH_WORD(z,j); return s*z; diff --git a/lib/msun/src/e_powf.c b/lib/msun/src/e_powf.c index 2e7c37542a77..9f670bcd1caa 100644 --- a/lib/msun/src/e_powf.c +++ b/lib/msun/src/e_powf.c @@ -242,7 +242,11 @@ powf(float x, float y) r = (z*t1)/(t1-two)-(w+z*w); z = one-(r-z); GET_FLOAT_WORD(j,z); - j += (n<<23); + /* + * sign bit of z is 0. + * sign bit of j will indicate sign of 0x7f-biased exponent. + */ + j += (int32_t)((u_int32_t)n<<23); if((j>>23)<=0) z = scalbnf(z,n); /* subnormal output */ else SET_FLOAT_WORD(z,j); return sn*z; diff --git a/lib/msun/src/e_rem_pio2.c b/lib/msun/src/e_rem_pio2.c index 76ae8050d36b..8a4006498a17 100644 --- a/lib/msun/src/e_rem_pio2.c +++ b/lib/msun/src/e_rem_pio2.c @@ -162,7 +162,7 @@ medium: /* set z = scalbn(|x|,ilogb(x)-23) */ GET_LOW_WORD(low,x); e0 = (ix>>20)-1046; /* e0 = ilogb(z)-23; */ - INSERT_WORDS(z, ix - ((int32_t)(e0<<20)), low); + INSERT_WORDS(z, ix - ((int32_t)((u_int32_t)e0<<20)), low); for(i=0;i<2;i++) { tx[i] = (double)((int32_t)(z)); z = (z-tx[i])*two24; diff --git a/lib/msun/src/e_rem_pio2f.c b/lib/msun/src/e_rem_pio2f.c index 744060f18010..d9a3e2e34c46 100644 --- a/lib/msun/src/e_rem_pio2f.c +++ b/lib/msun/src/e_rem_pio2f.c @@ -67,7 +67,7 @@ __ieee754_rem_pio2f(float x, double *y) } /* set z = scalbn(|x|,ilogb(|x|)-23) */ e0 = (ix>>23)-150; /* e0 = ilogb(|x|)-23; */ - SET_FLOAT_WORD(z, ix - ((int32_t)(e0<<23))); + SET_FLOAT_WORD(z, ix - ((int32_t)((u_int32_t)e0<<23))); tx[0] = z; n = __kernel_rem_pio2(tx,ty,e0,1,0); if(hx<0) {*y = -ty[0]; return -n;}