PHP Floating Point Bug Crashes Servers

timothy posted more than 3 years ago | from the inexactly-wrong dept.


angry tapir writes "A newly unearthed bug in certain versions of the PHP scripting language could crash servers when the software is given the task of converting a large floating point number, raising the possibility that the glitch could be exploited by hackers. The bug will cause the PHP processing software to enter an infinite loop when it tries to convert the series of digits "2.2250738585072011e-308" from the string format into the floating point format. The bug only seems to affect version 5.2 and 5.3 of the language." Adds reader alphadogg: "Computer scientist Rick Regan first reported the bug on Monday, and the PHP development team issued patches the following day."


213 comments


1 day turn-around (3, Informative)

iONiUM (530420) | more than 3 years ago | (#34780564)

The 1 day turn around for a patch is pretty impressive. I wish some bigger companies would offer such fast patches against vulnerabilities.

Re:1 day turn-around (-1)

Anonymous Coward | more than 3 years ago | (#34780666)

Can someone please explain to me why all these OSS projects are able to turn around security updates so fast and Microsoft cannot? With all its ridiculous funding? I'm really not trying to troll, I just do not understand why such a well funded group of developers can't get these fixes out the door faster.

Re:1 day turn-around (1)

hazah (807503) | more than 3 years ago | (#34780692)

There is no profit in it.

Re:1 day turn-around (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34780848)

Or, the OSS software gives it to you for free, but 'as is'. So they can go "Here's a fix for it. If we break something else, we're not responsible. We may try to fix that, or you can go fix it yourself."

In Microsoft's case, if they break something down the line, they have potential lawsuits against them. They try to use EULAs to try and protect themselves, but it's not foolproof. They're dealing with real money, so they have people trying to mitigate further issues. And that usually means heavy testing, on a wide range of their operating system versions and a wide range of hardware configurations.

Re:1 day turn-around (0, Insightful)

Anonymous Coward | more than 3 years ago | (#34781014)

this is the biggest load of BS I've heard in a while... are you a Microsoft lackey or something?

If you want to talk liability: for every published bug they receive, they then _know_ about something that is broken, and (pretending for a second they couldn't use the EULA to protect themselves) they would be liable for any damages that arise from them not acting at that point. Breaking other shit by mistake with the update is not nearly as serious as not taking action against a known problem.

Stop regurgitating the corporate doublespeak... you have presented no good reason for their patches taking forever and open source patches arriving quickly. There may very well be other good reasons, but you haven't stumbled upon any by trying to sound like a middle-management know-nothing suit.

Re:1 day turn-around (1)

Shikaku (1129753) | more than 3 years ago | (#34781388)

He's not kidding nor exaggerating at all. If a security fix breaks $foo, then, only because Microsoft and $foo's company is in the USA, can be liable to be sued for it.

http://blog.seattlepi.com/microsoft/archives/109471.asp [seattlepi.com] An example of a bad update breaking an MS product.

Also if it breaks the system on a laptop or desktop environment as in it won't boot, then people would be extremely mad and businesses will sue.

Re:1 day turn-around (3, Insightful)

0123456 (636235) | more than 3 years ago | (#34781500)

He's not kidding nor exaggerating at all. If a security fix breaks $foo, then, only because Microsoft and $foo's company is in the USA, can be liable to be sued for it.

When was the last time anyone successfully sued a software company for something like that?

Re:1 day turn-around (0)

Anonymous Coward | more than 3 years ago | (#34781674)

Never. But it makes for good FUD that lackeys and middle managers can tell. Most companies don't want to spend millions of dollars on a lawsuit, and Microsoft knows it, but lackeys and middle managers don't.

Re:1 day turn-around (1)

Anonymous Coward | more than 3 years ago | (#34781784)

That is a ridiculous example you've provided, and it does not at all support the argument against quick turnarounds on minor bugs.

The article linked is about an attempted class action filing from 2006 regarding Microsoft *bricking* Xbox consoles with a forced update (most likely the update was targeted at _purposefully_ bricking modded/chipped consoles). In this case, the complainants wanted Microsoft to pay for the shipping charges to get the unit restored, since (and this is key) Microsoft provides no other way to restore the unit besides sending it back to them. Btw, do you have any updates on if the class action was even allowed to go forward?

When (recently) antivirus software caused people's computers to be unbootable suddenly, there was no class action suit against Microsoft or whatever the anti-virus company was. The users just had to re-install their OS if they wanted it to be usable immediately. Tough cookies for them.

Just because people would be angry if their computer becomes unbootable after an update, doesn't mean the software provider is liable if indeed your computer doesn't boot after the update.

Also, don't forget that we're talking here about 1-day turnaround vs. (months of denial first) and then possibly up to a month after they get around to fixing it after they admit there is a problem...

Let's not forget the scope we're talking about here before pulling in all kinds of outrageous examples: the equivalent of this bug would be a floating point calculation in an ASP.net web page locking up an IIS server. If a well-funded programming team isn't able to turn around a simple patch that doesn't fucking brick your whole OS in less than a month, then the users should be angrier about the overcomplicated piece of shit bill of goods they were sold on in the first place, not the simple patch that exposed how crappy the system is.

Re:1 day turn-around (1)

msobkow (48369) | more than 3 years ago | (#34782284)

Microsoft hardware driver updates have repeatedly bricked my systems over the years. I no longer allow them to install hardware updates.

I bitched and whined about the reinstall, but I never even thought about suing anyone for it.

Maybe if I was 'merican...

Re:1 day turn-around (1)

Hotawa Hawk-eye (976755) | more than 3 years ago | (#34781762)

...Breaking other shit by mistake with the update is not nearly as serious as not taking action against a known problem.

Let's say Microsoft writes a patch for an issue affecting 0.01% of its user base and deploys it immediately. The patch fixes the problem that 0.01% of the user base is having, but causes a different problem that 0.02% of its user base encounters. Is that a good thing? Sure, for those people who were affected by the first problem but not the second. Those who were affected by neither don't care. Those who were affected by both are still stuck (albeit with a different problem.) And those who were not affected by the first problem but are affected by the second just got broken.

Now those percentages may sound small, and they are. But even a small percentage of a huge number can lead to a large problem. 0.02 percent of 1 billion (a nice round number that a little Google searching for the total number of PCs in existence found) is 200,000. That means Microsoft just broke close to two hundred thousand machines, assuming all those PCs had an affected version of Windows and installed the patch. Even if you cut that by a factor of ten to account for Linux and Mac installations / people who didn't install the patch immediately / etc, that's still TWENTY THOUSAND machines. I'd call breaking tens of thousands of PCs just a wee bit serious.

Now should Microsoft fix bugs quickly? Sure, but quickly is not the same thing as immediately. They should take a _reasonable_ amount of time to reduce the chances that by fixing Peter they break Paul.

Re:1 day turn-around (5, Informative)

Anonymous Coward | more than 3 years ago | (#34780784)

Two primary reasons:
1. This was a relatively trivial, extremely specific, easily reproducible bug, so fixing it was quick and low risk.
2. A major vendor like Microsoft has to do extensive testing of patches as well as give ample warning to dozens of software partners who may or may not be using some bizarre workaround for the bug or be depending on its broken behavior. An OSS project can just put it out and let their users choose whether or not to upgrade and deal with the potential ramifications.

Note that I'm not necessarily saying one or the other is better here, it's a matter of preference and for most people it's probably situational.

Re:1 day turn-around (0)

Lennie (16154) | more than 3 years ago | (#34781016)

What you see a lot in the case of Microsoft bugs is, it usually comes from stupid design decisions in the past. Sometimes they just give up and just disable a feature completely.

It is really fun to watch. A lot of the times you can even predict them. Take for example Windows DCOM RPC, I predicted this would be a problem before Windows XP was released.

(if I remember correctly)

Microsoft releases Windows Vista "a completely new version".

They say our development model which leads to much safer code and we've checked old code as well.

Then, look at what happens, a DCOM RPC bug is found all versions of Windows from NT 4 up to Vista are vulnerable.

Nice. :-)

Re:1 day turn-around (0)

Anonymous Coward | more than 3 years ago | (#34781272)

Are you saying that PHP doesn't suffer problems caused by stupid decisions in the past?

Re:1 day turn-around (1)

Lennie (16154) | more than 3 years ago | (#34781408)

I was talking about OSS in general, PHP is not a very good example of that though. They made many mistakes in the past. :-/

Re:1 day turn-around (4, Funny)

Anonymous Coward | more than 3 years ago | (#34781966)

PHP is made of 100% pure premium stupid decision.

Re:1 day turn-around (2)

TheRaven64 (641858) | more than 3 years ago | (#34782192)

No, PHP has features caused by stupid decisions in the past.

Re:1 day turn-around (0)

Anonymous Coward | more than 3 years ago | (#34781162)

Two primary reasons:
1. This was a relatively trivial, extremely specific, easily reproducible bug, so fixing it was quick and low risk.
2. A major vendor like Microsoft has to do extensive testing of patches as well as give ample warning to dozens of software partners who may or may not be using some bizarre workaround for the bug or be depending on its broken behavior. An OSS project can just put it out and let their users choose whether or not to upgrade and deal with the potential ramifications.

Note that I'm not necessarily saying one or the other is better here, it's a matter of preference and for most people it's probably situational.

You missed a major third reason. Even if Microsoft fixes and regression-tests a bug in a day or less, they won't make it available for up to a month. This is due to their decision to go with a monthly patch cycle.

OSS projects either would not or could not embargo a security update to prevent their customers from getting it as soon as it's ready. Microsoft and many other closed source vendors like Adobe and Oracle do. Microsoft pitches this as an advantage (predictable updates!), and I laugh out loud every time I hear one of their marketing people say it.

Re:1 day turn-around (1)

PIBM (588930) | more than 3 years ago | (#34781810)

This is not available in the latest PHP release either. So, for most people it will have to wait until the next release, which can be a long time. Often, you can get a specific patch from microsoft before their monthly release cycle, so I guess it's pretty much the same.

Re:1 day turn-around (0)

Anonymous Coward | more than 3 years ago | (#34782358)

This is not available in the latest PHP release either. So, for most people it will have to wait until the next release, which can be a long time. Often, you can get a specific patch from microsoft before their monthly release cycle, so I guess it's pretty much the same.

I think you're confusing unrelated issues. For PHP, those who want the patch can get it and apply it, right now. The fact that it isn't rolled into the current release doesn't matter as long as users of the current release apply the patch separately. Most systems will not be updated using the one-day turnaround patch, but will instead wait until their respective distributions update their PHP packages and send out updates. This way is slower, but easier, and will still have the patch out there in well under a month, even if it does take more than a day.

The security updates that Microsoft makes available on Patch Tuesday have never been available before the monthly release cycle. Not even once. Their non-security updates are sometimes available earlier, and they very occasionally release a security patch earlier than Patch Tuesday. But the security updates actually released on Patch Tuesday are simply not available to the public on Monday, ever. Even though, in many cases, they've been fully regression-tested for weeks.

That looks like a huge difference to me.

Re:1 day turn-around (0)

Anonymous Coward | more than 3 years ago | (#34781734)

People who depend on buggy behavior deserve what they get.

Re:1 day turn-around (5, Insightful)

pstorry (47673) | more than 3 years ago | (#34780904)

Risk management.

Every change is a potential new bug. Even your security patch may bring a new security issue.

You test and you test and you test, but nothing's certain in the eyes of management. So the shipping is delayed, the testing continues, and eventually you have a batch of bugfixes and patches you're fairly certain works well together. Traditionally, you call that collection a service pack, and you ship... ;-)

(Remember the blue-screen problems a Microsoft patch caused some folks a while back? That was embarrassing. So don't kid yourself that this isn't risky.)

This is also why companies prefer to move to an established "cadence" or rhythm. Monthly security patching is Microsoft's preference, for example. IBM has some software divisions which keep to a four or six month "point release" shipping schedule. Not good enough for v9.0.2? Well, it'll probably be in v9.0.3 in six months' time...

That cadence helps with testing, and reduces the risk you're taking, and therefore helps to preserve your reputation and therefore your business.

Open source projects often just ship "when it's ready", and are more open anyway. They're not thinking like a company which is trying to manage its reputation and maximise business (well, profits really).

An open source project just wants to ship something that's reliably usable and useful. That changes their motivations, and therefore changes their management of patching and shipping...

Re:1 day turn-around (1)

Lennie (16154) | more than 3 years ago | (#34781164)

"You test and you test and you test, but nothing's certain in the eyes of management. So the shipping is delayed, the testing continues"

This is how Microsoft does it:
http://www.youtube.com/watch?v=rOwMW6agpTI [youtube.com]

That does not look like how you described it.

Re:1 day turn-around (3, Informative)

dlgeek (1065796) | more than 3 years ago | (#34781222)

See this [joelonsoftware.com] article for some examples about the efforts Microsoft goes through in their regression testing (especially follow through the links to Raymond Chen's blog). When Microsoft has a patch, they run it through huge server farms of boxes with hundreds of thousands of different configurations and commercial software package installed, making sure none of it breaks. Their patches include all kinds of extra workarounds to ensure software that relies on undocumented interfaces continues working.

I'm as anti-microsoft as the next guy here, but the cases really aren't comparable, and you have to give them credit for their thoroughness.

Re:1 day turn-around (1)

LingNoi (1066278) | more than 3 years ago | (#34781824)

Joel hasn't worked for Microsoft for more than a decade now.

Re:1 day turn-around (1)

dlgeek (1065796) | more than 3 years ago | (#34782242)

He was quoting Raymond Chen who is one of the key windows devs.

Re:1 day turn-around (1)

Lennie (16154) | more than 3 years ago | (#34780846)

1 day, really that long ? ;-)

I've sometimes even seen 1 hour or even minutes from certain OSS projects. I guess it was trivial to fix.

Re:1 day turn-around (5, Informative)

I8TheWorm (645702) | more than 3 years ago | (#34780866)

It's because they're not spending their time improving thread-safe modules, ternary operators, flip flopping again on defaulting magic_quotes, or understanding pragmatism :)

Re:1 day turn-around (0)

MichaelKristopeit339 (1967532) | more than 3 years ago | (#34781032)

they seem to understand democracy more than some.

cower behind your chosen pseudonym some more, feeb.

you're completely pathetic.

Re:1 day turn-around (1, Troll)

Anonymous Coward | more than 3 years ago | (#34781034)

In typical PHP fashion, the patch doesn't actually fix the underlying problem, it simply checks for that one specific string. Seriously, stop gloating for 30 seconds, check the source and cringe at the incompetence.

Re:1 day turn-around (0)

Anonymous Coward | more than 3 years ago | (#34781768)

Except it doesn't, retard.

Re:1 day turn-around (2)

hawguy (1600213) | more than 3 years ago | (#34781934)

In typical PHP fashion, the patch doesn't actually fix the underlying problem, it simply checks for that one specific string. Seriously, stop gloating for 30 seconds, check the source and cringe at the incompetence.

What are you talking about? There is more than one number that triggers the problem, and the patch does not do a simple string comparison.

http://svn.php.net/viewvc/php/php-src/trunk/Zend/zend_strtod.c?r1=304407&r2=307095&pathrev=307095 [php.net]

Re:1 day turn-around (1)

Goaway (82658) | more than 3 years ago | (#34782150)

They... added a volatile?

What the hell is that function doing, if it requires that?

Re:1 day turn-around (1)

hawguy (1600213) | more than 3 years ago | (#34782326)

They... added a volatile?

What the hell is that function doing, if it requires that?

Good question - I asked the same thing in a post below, but no one has answered yet.

Re:1 day turn-around (1)

Patman64 (1622643) | more than 3 years ago | (#34782382)

It has to do with the x87 FPU apparently. I guess the compiler is what wrecks it. All volatile means is "don't optimize this variable: we need a real reference every time from the hardware."

Re:1 day turn-around (1)

Goaway (82658) | more than 3 years ago | (#34782472)

If you need to add volatiles to your code to get it to run right, then either the code is doing low-level hardware accesses, is multithreaded (and some say you shouldn't be using volatile even for that), or else it is completely broken. That, or the compiler is broken.

I have a really hard time thinking up a scenario where adding a volatile like that would actually be the correct fix, and not just a change that makes the code work by random chance. It sure seems like the actual problem should be elsewhere.

Re:1 day turn-around (0)

Anonymous Coward | more than 3 years ago | (#34782496)

Yeah but the vulnerability still exists in many distributions. I just checked the last Ubuntu LTS and it's still vulnerable.

sKillZ ? 1 day patch cycle. (-1, Redundant)

unity100 (970058) | more than 3 years ago | (#34780570)

that's something you don't see from closed source vendors. that's php for you.

Hmmmm (5, Funny)

Anonymous Coward | more than 3 years ago | (#34780592)

Step 1: Write stuff in PHP
Step 2: ???
Step 2.9999990834239320: Profit!

Re:Hmmmm (1)

drunkennewfiemidget (712572) | more than 3 years ago | (#34780636)

I came here to make some sort of joke like that, but this one is better, so there's no point in me trying.

Re:Hmmmm (1)

Andrewkov (140579) | more than 3 years ago | (#34781042)

2.2250738585072011e-308 is the combination to my luggage?

Re:Hmmmm (0)

Anonymous Coward | more than 3 years ago | (#34781596)

with ants

CmdrTaco was quoted as saying (1)

Anonymous Coward | more than 3 years ago | (#34780604)

imgladiusedperl

Re:CmdrTaco was quoted as saying (1)

MrEricSir (398214) | more than 3 years ago | (#34781066)

I thought people who used Perl only spoke in regular expressions?

Re:CmdrTaco was quoted as saying (2)

localman57 (1340533) | more than 3 years ago | (#34781308)

That is a regular expression. It searches for the word imgladiusedperl .

You remember the php bug you found yesterday ? (1)

unity100 (970058) | more than 3 years ago | (#34780650)

you actually haven't found it ! hahaha. something like that ?

a better patch performance than this would be to actually go back in time and fix the bug before it is discovered. but then again, there would be no bug and no bugfixing would be needed. alternate timecycle breakdown ?

Re:You remember the php bug you found yesterday ? (2)

Algorithmnast (1105517) | more than 3 years ago | (#34780908)

Please - don't you remember the last time we did that?

Oh, I guess you wouldn't.

2.2250738585072011e-308 (0)

Anonymous Coward | more than 3 years ago | (#34780664)

2.2250738585072011e-308 isn't even a large number, imagine what 1 could do!

Re:2.2250738585072011e-308 (0)

Anonymous Coward | more than 3 years ago | (#34780944)

Just to be safe I try to keep numbers under 1.112537e-308. Anything else is way too big for practical use anyways.

Re:2.2250738585072011e-308 (1)

enec (1922548) | more than 3 years ago | (#34781652)

1.112537e-308 ought to be enough for anybody.

That's actually a small number, a lot less than 1. (0)

Anonymous Coward | more than 3 years ago | (#34780744)

Way less than 1.

sh1t... (-1)

Anonymous Coward | more than 3 years ago | (#34780802)

min0tes. If that.

Why does this code even exist? (5, Interesting)

TheRaven64 (641858) | more than 3 years ago | (#34780824)

Maybe I'm missing something, but why does PHP have its own version of strtod()? It's a standard C99 function, so you'll find it in libc or equivalent in any C99-compliant platform (including Windows) and more effort has probably gone into optimising that version than the PHP version, although if you're converting from strings to floating point values anywhere performance critical then you're probably Doing It Wrong.

Did the Zend team think that there weren't enough security holes in PHP and decide to increase the attack surface?

Re:Why does this code even exist? (1)

Anonymous Coward | more than 3 years ago | (#34780928)

Did the Zend team think that there weren't enough security holes in PHP and decide to increase the attack surface?

I thought that was the rationale for all of PHP.

Re:Why does this code even exist? (1)

EkriirkE (1075937) | more than 3 years ago | (#34781150)

There are several bugs in their conversion functions (data integrity)- apparently they don't bother fixing them unless it does something like take down a server.

Re:Why does this code even exist? (1)

flyingfsck (986395) | more than 3 years ago | (#34781204)

Yes, but C wasn't invented here....

Re:Why does this code even exist? (4, Informative)

fishbowl (7759) | more than 3 years ago | (#34781226)

>Maybe I'm missing something, but why does PHP have its own version of strtod()?

That's a very good question. PHP's strtod is quite complicated, has its own memory allocator, does its own localization and rounding, and it is going to some lengths to ensure its own thread safety. If I were to guess, my guess would be that some of the target platforms for PHP/Zend are deficient in these areas.

Re:Why does this code even exist? (1)

TheRaven64 (641858) | more than 3 years ago | (#34782014)

Localization I can almost understand. OS X is the only platform I know of that lets you specify a per-thread locale that functions like this respect. But memory allocator? It's converting a string to a double - it shouldn't need a memory allocator at all, it just scans a string and collects the digits into a mantissa and exponent then. And thread safety? It's a pure function! It doesn't need any thread safety!

Re:Why does this code even exist? (2)

BradleyUffner (103496) | more than 3 years ago | (#34782120)

Localization I can almost understand. OS X is the only platform I know of that lets you specify a per-thread locale that functions like this respect. But memory allocator? It's converting a string to a double - it shouldn't need a memory allocator at all, it just scans a string and collects the digits into a mantissa and exponent then. And thread safety? It's a pure function! It doesn't need any thread safety!

each thread in windows has its own independent localization settings also.

Re:Why does this code even exist? (2)

localman57 (1340533) | more than 3 years ago | (#34782240)

I don't think you understand how floats work. You don't "just collect them". You have to convert them into a fraction represented as a power of two. The exponent is a power of two, not a power of 10. The mantissa is the numerator of that fraction, typically with the leading 1 removed. Granted, this is something that could occur on the stack.

As for thread safety, there's a lot of math that has to happen to calculate that fraction. On many systems, particularly embedded systems on micros without a float unit, static locations are allocated for this temporary memory, because stack accesses are often very slow on low end micros without good indexed-address instruction sets. Therefore, it is expected that the floating point libraries are not to be used reentrantly. If you launch multiple threads (or do floats at different interrupt levels) you have to save the float library static space as part of your context.

Re:Why does this code even exist? (1)

localman57 (1340533) | more than 3 years ago | (#34782302)

An interesting side effect of this, by the way, is that the number 0.1 cannot be exactly represented as an IEEE floating point number.

Re:Why does this code even exist? (1)

MichaelKristopeit333 (1966806) | more than 3 years ago | (#34782446)

an interesting side effect of PHP, by the way, is the string "0.1" can be stored, and casting that value to a float for display will not alter it.

Re:Why does this code even exist? (1)

Malard (970795) | more than 3 years ago | (#34781278)

Given that it only affects 5.2 and 5.3, (and without reviewing the codebase) maybe they did move to strtod() since.

Re:Why does this code even exist? (3, Informative)

Anthracks (532185) | more than 3 years ago | (#34781642)

Except 5.3 is the latest version, so that doesn't make sense.

Re:Why does this code even exist? (1)

Yetihehe (971185) | more than 3 years ago | (#34781618)

if you're using PHP anywhere performance critical then you're probably Doing It Wrong.

FTFY. (disclaimer: I'm programming in php daily and I like it).

Re:Why does this code even exist? (1)

Anonymous Coward | more than 3 years ago | (#34782058)

if you're using PHP anywhere then you're probably Doing It Wrong.

FTFY. (disclaimer: I'm programming in php daily and I like it).

(I program in PHP daily, and it's second only to MySQL in causing me grief.)

Re:Why does this code even exist? (0)

wmbetts (1306001) | more than 3 years ago | (#34782558)

Sounds like you need to learn how to use the language a little bit better.

Re:Why does this code even exist? (1)

Wrath0fb0b (302444) | more than 3 years ago | (#34781938)

Maybe I'm missing something, but why does PHP have its own version of strtod()? It's a standard C99 function, so you'll find it in libc or equivalent in any C99-compliant platform (including Windows) and more effort has probably gone into optimising that version than the PHP version

Sometimes the overhead required to take values between languages actually makes doing it in the lower performance language slower, even if it's more highly optimized. This obviously manifests itself much more readily in quicker functions like strtod() where the overhead is likely to be large relative to the actual execution time.

Just for a taste, in Python (I'm no php expert) in order to call a C function you must context switch (flush registers), unbox the value into the native type, perform the operation, rebox the value into the Python type, then context switch back to the interpreter. Here's the strtod() example in python (I think) with the error handling


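#include <Python.h>
#include <errno.h>
#include <stdlib.h>

/* Python 2 C API: convert a str object to a float object via C strtod().
   Returns 0 on success, -1 on failure (with *target left NULL). */
int
Py_strtod(PyObject *string, PyObject **target)
{
        *target = NULL;
        if ( !PyString_Check(string) )
                return -1; /* Should we set something so the caller knows why this failed? */
        const char* const cstr = PyString_AsString(string);
        errno = 0; /* strtod() only sets errno on failure, so clear it first */
        const double cdoub = strtod(cstr,NULL);
        if ( 0 != errno )
                return -1; /* range error reported by strtod() */
        *target = PyFloat_FromDouble(cdoub);
        if ( PyErr_Occurred() )
                return -1; /* the float object could not be created */

        return 0; // Success
}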

So in the process of using the faster C function, we've changed context twice and had to check for a number of errors that are impossible to throw otherwise. Is it worth it for strtod()? Maybe, but not surely.

Re:Why does this code even exist? (0)

Anonymous Coward | more than 3 years ago | (#34782570)

you are new in php, right ?

DoS also needed (1)

ickleberry (864871) | more than 3 years ago | (#34780954)

Yes each time someone accesses it will start an infinite loop, but each PHP page has a max. processing time (usually set to around 30 seconds). So still quite a number of requests to the offending page are needed to bring the server down.

To try the bug for yourself: $a = (float) "2.2250738585072011e-308";

Re:DoS also needed (1)

domatavus (1927700) | more than 3 years ago | (#34782414)

Fixed on monday? I'm running "PHP 5.3.4-pl0-gentoo (cli) (built: Jan 1 2011 15:31:19)" in an interactive shell, but I can't seem to trigger the bug...

Floating point bugs (2)

hhedeshian (1343143) | more than 3 years ago | (#34781148)

Sweet. PHP finally has the qualifications to enter the X86 CPU market.

2.2250738585072011e-308 (1)

Javajunk (1957446) | more than 3 years ago | (#34781154)

2.2250738585072011e-308 is a pretty specific number, is the bug just associated with this number or are there more potential floats out there waiting to be found?

Re:2.2250738585072011e-308 (2)

VGPowerlord (621254) | more than 3 years ago | (#34781386)

2.2250738585072011e-308 is a pretty specific number, is the bug just associated with this number or are there more potential floats out there waiting to be found?

It's one digit (the last one before the e; should be a 4 instead of a 1) from the minimum positive value for an IEEE-754 double precision floating-point number.

Re:2.2250738585072011e-308 (1)

dumbunny (75910) | more than 3 years ago | (#34781598)

This number is just smaller than 2^(-1022).

According to python, 2.0 ** -1022 == 2.2250738585072014e-308. You can check that last significant digit in the mantissa using integer math in python:

>>> x = 22250738585072011
>>> y = 22250738585072014
>>> for num in xrange(1022): x *= 2; y *= 2
...
>>> print str(x)[:20], '...', str(x)[-20:]
99999999999999987277 ... 51323238920926265344
>>> print str(y)[:20], '...', str(y)[-20:]
10000000000000000075 ... 77840486139094368256

The number in question is just beyond the range that fp is intended enough to handle, but probably not far enough for some initial validation logic to catch. It is probably not too difficult for the bug fixers to verify that the range issues are handled properly now that they know about it.
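An added C example (not from the thread or from PHP) that checks the claims above with the platform's own `strtod`, assumed here to be correctly rounded: it decodes the IEEE-754 bit pattern of the trigger string and of 2^-1022 and reports how many units in the last place separate them. The helper names are this example's own.

```c
#include <float.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Raw IEEE-754 binary64 bit pattern of a double. */
static uint64_t bits_of(double d) {
    uint64_t u;
    memcpy(&u, &d, sizeof u);
    return u;
}

/* Parse with the C library's strtod (assumed correctly rounded). */
static uint64_t parse_bits(const char *s) {
    return bits_of(strtod(s, NULL));
}

/* Subnormal: biased exponent field is 0 and the fraction is non-zero. */
static int is_subnormal(const char *s) {
    uint64_t b = parse_bits(s);
    return ((b >> 52) & 0x7ff) == 0 && (b & 0xfffffffffffffULL) != 0;
}

/* Signed distance in ULPs from DBL_MIN (2^-1022). For positive doubles,
   bit patterns sort in the same order as the values they encode. */
static int64_t ulps_from_dbl_min(const char *s) {
    return (int64_t)parse_bits(s) - (int64_t)bits_of(DBL_MIN);
}

int main(void) {
    /* Both strings are quoted in the thread above. */
    const char *samples[] = { "2.2250738585072011e-308",
                              "2.2250738585072014e-308" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t b = parse_bits(samples[i]);
        printf("%s bits=0x%016" PRIx64 " exp=%u ulps=%" PRId64 " subnormal=%d\n",
               samples[i], b, (unsigned)((b >> 52) & 0x7ff),
               ulps_from_dbl_min(samples[i]), is_subnormal(samples[i]));
    }
    return 0;
}
```

The trigger string lands exactly one ULP below DBL_MIN, on the all-ones fraction with a zero exponent field, which is the largest subnormal double.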

Even I could patch this... (0)

Anonymous Coward | more than 3 years ago | (#34781186)

if ($input == "2.2250738585072011e-308") { return 2.2250738585072011e-308;}

Re:Even I could patch this... (0)

Anonymous Coward | more than 3 years ago | (#34781390)

Why just that one value?

They should have a table that maps the appropriate string to each possible float value.

Infinite loop seems appropriate (3, Funny)

gstrickler (920733) | more than 3 years ago | (#34781330)

I mean, for all practical purposes, it's an infinitely small number, so why shouldn't it be an infinite loop?

Very large? (4, Interesting)

GrAfFiT (802657) | more than 3 years ago | (#34781352)

Am I the only one to notice that 2.2250738585072011e-308 is not very large?
Apparently, some journalists need a patch too.

My 2.2250738585072011e-308 cents.

Nope not just you. (1)

ericvids (227598) | more than 3 years ago | (#34781554)

And yep TFA did qualify it as the largest subnormal double-precision number. Of course the journalist probably didn't know what that meant.

arg (0)

Anonymous Coward | more than 3 years ago | (#34781376)

Anyone found the equivalent of this and then felt the need to beat someone to death?

floor ( some_$_amount * some_factor + 0.5 )

Hey! That's the combination to my luggage! (1)

damn_registrars (1103043) | more than 3 years ago | (#34781406)

I guess I'll have to keep the copy of the combo somewhere other than on my PHP server now...

Wow, that's an extremely LARGE number you've got! (0)

Anonymous Coward | more than 3 years ago | (#34781444)

Tired of being "normal"? Our brand of V146R4 can give you a subnormally large PEN15! Order NOW!

Birds (1)

SnarfQuest (469614) | more than 3 years ago | (#34781542)

Are blackbird OS's written in PHP? Also fishes?

*Now* can we admit PHP sucks? (2, Insightful)

MostAwesomeDude (980382) | more than 3 years ago | (#34781708)

The inconsistent type system, lack of Unicode support, lack of namespaces, quirky parser, and other stupidities (== vs. ===) weren't enough, so. Is this bug inane enough to actually get people to realize that PHP bites?

Re:*Now* can we admit PHP sucks? (2)

LingNoi (1066278) | more than 3 years ago | (#34781894)

PHP has namespaces.

Re:*Now* can we admit PHP sucks? (0)

Leolo (568145) | more than 3 years ago | (#34781922)

Everybody intelligent already knows that PHP bites. That doesn't prevent it from being widely used.

Re:*Now* can we admit PHP sucks? (3, Insightful)

MichaelKristopeit332 (1966804) | more than 3 years ago | (#34781952)

i've been saying this about intel chips for DECADES... why won't anyone listen? INTEL CHIPS SUCK! they once handled a single floating point edge case incorrectly! AND THEN THEY FIXED IT! WHY WOULD ANYONE USE AN INTEL CHIP?

ignorant hypocritical marketeering = the highest level of insight.

slashdot = stagnated.

Re:*Now* can we admit PHP sucks? (1)

wmbetts (1306001) | more than 3 years ago | (#34781970)

I wish I could mod you up. Pretty much everything the OP complained about has been addressed.

Re:*Now* can we admit PHP sucks? (1)

Anonymous Coward | more than 3 years ago | (#34782182)

PHP also has unicode support

Re:*Now* can we admit PHP sucks? (1)

Bigbutt (65939) | more than 3 years ago | (#34782270)

Alternate suggestions? Just curious as I do some PHP scripting for various things.

[John]

Re:*Now* can we admit PHP sucks? (1)

rev0lt (1950662) | more than 3 years ago | (#34782590)

Funny how so many languages don't have unicode support, namespaces, have sometimes a quirky browser, ambiguous commands and people aren't claiming it sucks. Perhaps the best example is the C language - you probably used more code written in C to post your disliking of php than you will ever program in any language during your lifetime.

Some parts of php.net search affected (2)

MrP- (45616) | more than 3 years ago | (#34781814)

Search http://us3.php.net/ [php.net] for 2.2250738585072011e-308 and the page hangs and then returns an error. Search for something else like 2.2250738585072011e-307 and it's fine.

Searching the main www.php.net isn't affected.

So looks like some parts of php.net are still running the affected version.

Who uses floating point input in PHP? (0)

FunkyELF (609131) | more than 3 years ago | (#34781890)

Just curious?
I'm wondering what kind of PHP software would use floating point as an input.
I'm trying to think of all the PHP stuff I run at home and at work and can't think of a single instance. (MediaWiki, Ampache, Gallery, Bugzilla).

Re:Who uses floating point input in PHP? (1)

wmbetts (1306001) | more than 3 years ago | (#34782516)

Anything that deals with shipping with USPS APIs would. I've seen people get hung up on why some value (I forget exactly what now) was being returned incorrectly. Turns out they had to cast the value to a float before passing it to the API.

how does the patch work? (1)

hawguy (1600213) | more than 3 years ago | (#34781898)

I don't understand why the patch solves the problem....though I haven't done any serious software development for years. It looks like all they did was add the "volatile" keyword to a variable declaration.

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/Zend/zend_strtod.c?r1=307095&r2=307094&pathrev=307095 [php.net]

From:

double aadj, aadj1, adj;

To:

volatile double aadj, aadj1, adj;

But after quickly reviewing the code, I don't see why the volatile keyword fixes this problem. It doesn't appear to be multithreaded code where another thread could stomp on the variable, and it just seems to be straight arithmetic, it doesn't seem like they are handing it off to a math coprocessor and then later waiting for the variable to be set.

Does the volatile keyword change the compiler optimizations in a way that avoids the problem?
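On the question above, an added C example (not code from zend_strtod.c or from the post) of what `volatile` changes for a `double` when intermediate results can carry more precision than a `double`, as they can in x87 FPU registers. Assumptions: `long double` stands in for the wide register, and the loop is a simplified model of a correction loop, not PHP's algorithm.

```c
#include <float.h>
#include <stdio.h>

#define MAX_ITER 1000   /* safety cap so the model itself cannot hang */

/* 1 + 2^-60 needs 61 significant bits: it fits a wide x87-style value but
   not a 53-bit double. Assumption: long double is wider than double. */
static long double wide_target(void) {
    volatile long double one = 1.0L, tiny = 1.0L / (long double)(1ULL << 60);
    return one + tiny;
}

/* Model A: the residual is taken from the wide value. rv can only move in
   double-sized steps, so the residual never reaches zero.
   Returns the iterations used, or -1 if the cap was hit. */
static int refine_with_excess_precision(void) {
    long double target = wide_target();
    double rv = 1.0;
    for (int i = 0; i < MAX_ITER; i++) {
        long double adj = target - rv;   /* 2^-60 while the excess survives */
        if (adj == 0) return i;
        rv = (double)(rv + adj);         /* rounds straight back to 1.0 */
    }
    return -1;
}

/* Model B: same loop, but every value goes through a volatile double, so
   it is written to memory and rounded to 53 bits before it is reused. */
static int refine_with_volatile_store(void) {
    volatile double target = (double)wide_target();
    double rv = 1.0;
    for (int i = 0; i < MAX_ITER; i++) {
        volatile double adj = target - rv;
        if (adj == 0) return i;
        rv = rv + adj;
    }
    return -1;
}

int main(void) {
    printf("long double wider than double: %d\n", LDBL_MANT_DIG > DBL_MANT_DIG);
    printf("excess precision kept: %d\n", refine_with_excess_precision());
    printf("volatile store:        %d\n", refine_with_volatile_store());
    return 0;
}
```

On a platform where `long double` is no wider than `double`, both models finish at once, since there is no excess precision to lose.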

Point (0)

Anonymous Coward | more than 3 years ago | (#34781904)

How many servers are still on 32-bit processors? I'm sure they're out there, but Opterons were 64-bit at least 7 years ago and Xeons about 6 years ago. If you've got servers older than 6 years or are running servers on commodity hardware, OK. But is this really a widespread issue? One issue could be running 32-bit VM hosts, I suppose, on hardware that doesn't have VT extensions (and thus hosts must be 32-bit).
