
Java Floating Point Bug Can Lock Up Servers

Roblimo posted more than 3 years ago | from the here-a-bug-there-a-bug-everywhere-a-bug-bug dept.

157 comments

About face! (0)

Citizen of Earth (569446) | more than 3 years ago | (#35146428)

Sun/Oracle has known about the bug for something like 10 years, but it's still not fixed.

Betcha it'll be fixed tomorrow!

Re:About face! (1)

gstrickler (920733) | more than 3 years ago | (#35146454)

It's amazing how fast public disclosure can get bugs fixed.

Unless... (2)

MrEricSir (398214) | more than 3 years ago | (#35146508)

...it's a critical bug in an Adobe product. Then it's going to linger for months, if not years.

Re:Unless... (3, Insightful)

gstrickler (920733) | more than 3 years ago | (#35146702)

Aren't Adobe products simply a collection of bugs, artfully put together to form a useful, but slow and insecure, program?

Hex. (1)

zooblethorpe (686757) | more than 3 years ago | (#35147012)

The supercomputer Hex. [lspace.org] Only at the Unseen University. "Anthill Inside"!

Re:Unless... (1)

haruchai (17472) | more than 3 years ago | (#35147020)

damn, i ran out of mod points yesterday. +3 Insightful to you, +5 Funny

Re:Unless... (0)

gstrickler (920733) | more than 3 years ago | (#35147112)

Great sig.

Re:Unless... (0)

Anonymous Coward | more than 3 years ago | (#35149672)

Adobe even has a way to combine both. They inherited Macromedia's JRun.

Re:About face! (0)

Anonymous Coward | more than 3 years ago | (#35146634)

Well, fast, good, or cheap: pick any two.
And Java is pretty cheap.

Re:About face! (1)

gstrickler (920733) | more than 3 years ago | (#35146724)

Unstable overrides cheap every time. I'll take stable and fast for $200, Alex.

Re:About face! (1)

MightyMartian (840721) | more than 3 years ago | (#35147006)

Or get your ass sued for daring to reveal long-standing bugs that the assholes that maintain it have consistently refused to fix.

Re:About face! (1)

DrXym (126579) | more than 3 years ago | (#35148434)

Actually it's more amazing how a well described, reproducible error which illustrates a security flaw gives rise to a fix. Sounds like the previous bugs were too vague to isolate the issue. Bug databases always end up with bugs like that. Go look how many bugs Firefox has open on it for example.

Re:About face! (3, Insightful)

petermgreen (876956) | more than 3 years ago | (#35149342)

Yeah, bugs that pop up every so often to end users (and are common enough or reported by trusted enough users that they can't just be dismissed as coming from liars/trolls) but only pop up sporadically and/or only pop up on certain systems are a big problem for developers. With no reliable way to reproduce a bug it is almost impossible to fix it.

Even more irritating are the bugs that disappear as soon as you try to use a debugger.

The firefox memory and CPU usage issues are good examples of this. Way too many users reported them to dismiss them as a lie or fluke but there was no set of steps to reproduce. Every so often one cause was found and squashed but they kept coming up for years and may still be doing so (I still see firefox crash for no apparent reason and it wouldn't surprise me if the cause is running out of address space).

Re:About face! (3, Informative)

sixfive0two (1984966) | more than 3 years ago | (#35146628)

Actually, it's already fixed: Oracle has released a fix for this issue through Security Alert CVE-2010-4476. For more information see: http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html [oracle.com]

Re:About face! (1)

gstrickler (920733) | more than 3 years ago | (#35146728)

Like I said, it's amazing how fast public disclosure can get bugs fixed. Even ones that have been known for 10 years.

Re:About face! (1)

scdeimos (632778) | more than 3 years ago | (#35147028)

Bug ID 4399272 trumps the one mentioned in the article and was logged 08-Dec-2000. As with 4421492 it's no longer available on the Sun site, but it's still in Google's cache [googleusercontent.com] .

Re:About face! (1)

petermgreen (876956) | more than 3 years ago | (#35149436)

That bug from 2000 reports an issue in the parsing code but doesn't appear to be a DOS like the one under discussion here.

Bullshit! (4, Funny)

Anonymous Coward | more than 3 years ago | (#35146464)

Java is a secure virtual machine environment. Programs never crash and low level errors like pointer or memory problems are impossible. There is no way this floating point thing is real.

Java is the future and you are retarded. Java is the fastest programming language ever invented, that's why it's the primary language we learn and teach in school.

I have been a HTML programmer for many years, I know what I'm talking about.

Re:Bullshit! (0)

Anonymous Coward | more than 3 years ago | (#35146588)

Yes! HTML Variables for the win!

Re:Bullshit! (1, Funny)

Citizen of Earth (569446) | more than 3 years ago | (#35146604)

Java is the fastest programming language ever invented

That's why it's used to implement all video codecs!

Re:Bullshit! (1, Funny)

maxwell demon (590494) | more than 3 years ago | (#35148142)

Java is the fastest programming language ever invented

That's why it's used to implement all video codecs!

No, video codecs are implemented in Flash because Java always makes those ugly coffee blotches on the videos.

Re:Bullshit! (1)

fire4ever (630478) | more than 3 years ago | (#35149516)

Java is the fastest programming language ever invented

That's why it's used to implement all video codecs!

No, video codecs are implemented in Flash because Java always makes those ugly coffee blotches on the videos.

But Flash is implemented in Java...

Re:Bullshit! (2, Informative)

Anonymous Coward | more than 3 years ago | (#35146606)

Actually, this is not a security bug allowing someone to break into the server or run their own code. The only possible exploit is using up CPU time. If a server is setup properly, it will not lockup the machine, but it still allows an easy vector DoS against the application and/or application server.

Re:Bullshit! (1)

CharredMetal (1463333) | more than 3 years ago | (#35147198)

DOS is classified as a security issue.

Re:Bullshit! (1)

dkf (304284) | more than 3 years ago | (#35148606)

DOS is classified as a security issue.

Depends on the deployment configuration. It's often quite easy to mitigate DoS attacks that only hit a single layer of the overall architecture (e.g., by replicating servers and adding a watchdog that restarts things if they go unresponsive for too long). The tricky ones are those that involve many levels, especially if they just look like lots of normal traffic.

Re:Bullshit! (0)

Anonymous Coward | more than 3 years ago | (#35147282)

What you wanted to say:

The very simple demonstration of the effect of an inconsistency of floating point number handling locks up the java thread executing the example code.

Unless somebody looks very closely, there is no reason to believe that other algorithms where somebody intentionally injects numbers triggering inconsistencies are safe against tampering in a more substantial way.

the assertion that a=somethinglikeidentity(b) results in a-b=0 may be important elsewhere.

Re:Bullshit! (1)

AmiMoJo (196126) | more than 3 years ago | (#35148644)

It is still quite critical for anyone who develops internet accessible apps using Java. One person can DoS your entire system with some bad data.

Re:Bullshit! (1)

arth1 (260657) | more than 3 years ago | (#35149256)

It doesn't matter much if the box is running or not; if the application server that is the reason for the box isn't, the server is considered down.

That it's so incredibly easy to exploit is another issue.
Allegedly, the following works against most web servers that accept different languages:

curl -H 'Accept-Language: en-us;q=2.2250738585072012e-308' $URL

Then there are form fields which accept doubles. Including a lot of payment forms.

Re:Bullshit! (0)

Anonymous Coward | more than 3 years ago | (#35149906)

If you can target it at specific components, it can be a security bug.

Re:Bullshit! (2, Funny)

Anonymous Coward | more than 3 years ago | (#35147004)

>>> is no way this floating point thing is real.

Are you insinuating an int thing is real, if floating point thing is not real?

Re:Bullshit! (0)

Anonymous Coward | more than 3 years ago | (#35147032)

You don't program HTML, artard!

Re:Bullshit! (0)

Anonymous Coward | more than 3 years ago | (#35147794)

sarcasm is your thing...

Re:Bullshit! (4, Funny)

the Atomic Rabbit (200041) | more than 3 years ago | (#35147054)

There is no way this floating point thing is real.

It has to be real. Java lacks built-in support for complex numbers.

Re:Bullshit! (2)

prionic6 (858109) | more than 3 years ago | (#35147998)

Not only is it real, it is rational!

Re:Bullshit! (0)

Anonymous Coward | more than 3 years ago | (#35147316)

You forgot how awesome its graphics processing abilities are. For instance, its graphics libraries only use unsigned byte and short data formats for processing grayscale images... And the fucking language has no unsigned types.

Re:Bullshit! (0)

Anonymous Coward | more than 3 years ago | (#35147730)

I find it sad that you're not just being funny, but channeling that retard 'coder' we've all seen - sadly he exists. :(

Re:Bullshit! (0)

Anonymous Coward | more than 3 years ago | (#35147868)

I thought this article was "Java Floating Point Bug Can Lock Up Sewers", so I clicked on it. I'm gratified to see that there is at least some bullshit here.

Re:Bullshit! (1)

snookiex (1814614) | more than 3 years ago | (#35149326)

HTML programmer

That's the actual joke

And how soon was the PHP bug fixed again ? (0)

unity100 (970058) | more than 3 years ago | (#35146522)

don't answer - it wasn't even a day. a shorter fix would only be possible with a time machine.

Re:And how soon was the PHP bug fixed again ? (1)

Anonymous Coward | more than 3 years ago | (#35146740)

The PHP bug was reported on Dec. 30 and fixed I think on Jan. 3, which is 5 days. I'm pretty sure it doesn't take a time machine to make a one-line fix that quickly!

dom

Re:And how soon was the PHP bug fixed again ? (1)

Eunuchswear (210685) | more than 3 years ago | (#35148150)

The PHP bug was reported on Dec. 30 and fixed I think on Jan. 3, which is 5 days.

Yow! 5 days.

I wonder what happened between Dec 30 and Jan 3? Anything that might have distracted the developers?

Re:And how soon was the PHP bug fixed again ? (1)

UnknowingFool (672806) | more than 3 years ago | (#35149496)

Five days to look into a low level problem and verify it. It is my understanding that low-level issues like this could have a large impact. So more than one person would probably be involved in discussions of the problem and the fix. Then testing. All during the holiday season. All of it done by volunteers. I'd say that was good service.

So much for Open Source (0, Flamebait)

bogaboga (793279) | more than 3 years ago | (#35146556)

Sun/Oracle has known about the bug for something like 10 years.

Those who touted Open Source will not like this piece of news. But they will always find a scapegoat. So much for Open Source!

Re:So much for Open Source (1)

Beelzebud (1361137) | more than 3 years ago | (#35146594)

Yes because this will surely bring down the world of Open Source for good!

I've solved it! (0)

MarkRose (820682) | more than 3 years ago | (#35146620)

I've already found the solution to this. Just patch Java to avoid the Pentium FDIV bug! I mean, those Java people are still using Pentiums, right? They claim Java is fast, so it must be the CPUs! Why else would the bug be around for so long?

An infinite Java loop? Sounds interesting... (1)

ibsteve2u (1184603) | more than 3 years ago | (#35146638)

But I think I'll stick to running Folding@Home on all cores to burn in thermal paste. Seems more productive, you know?

Re:An infinite Java loop? Sounds interesting... (2)

PopeRatzo (965947) | more than 3 years ago | (#35146876)

But I think I'll stick to running Folding@Home on all cores to burn in thermal paste.

Let me clue you in to a little secret: That's not really thermal paste...

Re:An infinite Java loop? Sounds interesting... (1)

ibsteve2u (1184603) | more than 3 years ago | (#35147120)

Well, if it's not thermal gel, thermal compound, thermal paste, heat paste, heat sink paste, heat transfer compound, or heat sink compound, then I don't know what it is. Although if you spend enough time messing with it, I do know it makes a wonderful contraceptive - as G/Fs get tired of being ignored and move on.

Re:An infinite Java loop? Sounds interesting... (1)

antifoidulus (807088) | more than 3 years ago | (#35147712)

it's made of people?!

Don't you see? It's a feature! (1)

todd.gardner (1233364) | more than 3 years ago | (#35146686)

Write once, exploit anywhere!

Java, don't need it, don't want it! (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35146794)

I now uninstall Java from any systems I work on as a security precaution. The auto-update is a nice 'feature', but in most client's systems I work on, none of them have any compelling reason for an installation of Java.

Over two years and no fix for Java [h-online.com]

"Sami Koivu has released details of a security vulnerability in Java which he reported to Sun in 2008. A quick test using the current version 1.6.0_23 reveals that it remains unpatched "

Re:Java, don't need it, don't want it! (0)

FutureDomain (1073116) | more than 3 years ago | (#35147100)

I now uninstall Java from any systems I work on as a security precaution.

After cleaning up a virus that came via Java I do the same for people whose computers I work on. Most people really don't need it and it's hard to keep fully patched, not to mention all the zero-day vulnerabilities.

Shocked! Shocked! (4, Funny)

curmudgeon99 (1040054) | more than 3 years ago | (#35146816)

As a more than decade-long Java programmer, I must say that I am shocked! Shocked! that Sun would do something like that.
Why, I'd go so far as to predict that a company that behaved that way would find itself out of business.

Hey, wait a second...

Re:Shocked! Shocked! (-1)

Anonymous Coward | more than 3 years ago | (#35148084)

As a more than decade-long Java programmer, I must say that I am shocked! Shocked! that Sun would do something like that.

Why, I'd go so far as to predict that a company that behaved that way would find itself out of business.

Hey, wait a second...

LOL

So what if they've known about it for 10 years? (2, Interesting)

Tony Isaac (1301187) | more than 3 years ago | (#35146828)

Does Java software crash all the time because of this bug? No, of course not, that's one reason Java software is useful at all.

Like with any software, it is essential to prioritize bug fixes. You deal with the bugs that bite you, and save the rest for later.

This is a valid principle for anything made by people, not just software. Somebody might find out, for example, that if you subject a window to a specific frequency of sound, the window will shatter. So what! Don't do that! But...if burglars start going around with a device that emits this frequency, then it's time to come up with an antidote.

Java (like Mac OS) has enjoyed a relatively free ride, when it comes to malicious hackers. It's not that Java is somehow superior, it's just not been an attractive enough target. The fact that it is now being attacked is, in a way, a sign of its success.

Re:So what if they've known about it for 10 years? (0)

Anonymous Coward | more than 3 years ago | (#35146880)

It also sounds like the 10 year old bug didn't have a repro. It was only after someone found the magic number that caused it that it was able to be fixed.

Re:So what if they've known about it for 10 years? (2)

scdeimos (632778) | more than 3 years ago | (#35147074)

Somebody might find out, for example, that if you subject a window to a specific frequency of sound, the window will shatter. So what! Don't do that! But...if burglars start going around with a device that emits this frequency, then it's time to come up with an antidote.

Except that the resonant frequency of the windows in your example is dependent upon their volume and mounting frames - thus making it different from window to window. Being able to crash all sorts of Java programs by throwing a certain number at them is a little more repeatable.

Re:So what if they've known about it for 10 years? (2)

ADRA (37398) | more than 3 years ago | (#35147222)

Repeatable yes, but that also requires programs to have well known and easily deliverable raw floating point number insertion points. Some will have tons and others won't have any. It seems analogous to the window flaw after all.

Re:So what if they've known about it for 10 years? (1)

Anonymous Coward | more than 3 years ago | (#35147296)

What the fuck are you talking about, Java powers the majority of major internet sites. It has done so for a long, long time.

Re:So what if they've known about it for 10 years? (-1)

bendilts (1902562) | more than 3 years ago | (#35147446)

What the fuck are you talking about, Java powers the majority of major internet sites. It has done so for a long, long time.

Quick quiz: How many of the top 10 web sites in the world (as listed by Alexa) are powered primarily by Java?

1) Google
2) Facebook
3) Youtube
4) Yahoo
5) Windows Live
6) Blogger
7) Wikipedia
8) Baidu
9) Twitter
10) qq.com

Hint: It rhymes with "Nero"

Re:So what if they've known about it for 10 years? (0)

Anonymous Coward | more than 3 years ago | (#35147612)

Google, Youtube, Yahoo, Wikipedia, Twitter, Blogger

Uh oh, that's a majority you dolt.

Re:So what if they've known about it for 10 years? (1)

prionic6 (858109) | more than 3 years ago | (#35148052)

Not to be picky, but he was talking about the majority of _all_ major sites, not the top ten. Still probably not true, but it should be a significant percentage.

Also, while not primarily powered by it, Google and Facebook (and probably others on the list, don't know) use Java in some of their backend systems. According to a quick internet search.

Re:So what if they've known about it for 10 years? (0)

kaffiene (38781) | more than 3 years ago | (#35148422)

You dumb fuck, over half of those ARE Java powered... WTF happened to /. having posters who knew something about tech??

Now that you've proved the initial assertion you were trying to argue against (dickhead), answer the contrary question: how many PHP sites in that top 10?

Re:So what if they've known about it for 10 years? (2)

Compaqt (1758360) | more than 3 years ago | (#35149744)

Well, Facebook and Yahoo. Those are pretty big.

Yes, they're running other stuff, too, but PHP as well in a big way.

Not saying that Java's not important, but PHP is probably going to become more prevalent in large websites simply because garage tinkerers often start in PHP, the site becomes big, and they're still on PHP.

I'm also not saying anybody should run banking on PHP (please don't do that), but for serving up webpages? Yeah.

Re:So what if they've known about it for 10 years? (1)

RocketRabbit (830691) | more than 3 years ago | (#35147472)

Actually it's PHP that powers most internet sites, but thanks for playing.

Re:So what if they've known about it for 10 years? (0)

Anonymous Coward | more than 3 years ago | (#35147766)

Erm, php powers the most porn sites.
Java does all the important stuff

Re:So what if they've known about it for 10 years? (1)

kaffiene (38781) | more than 3 years ago | (#35148404)

Yeah, sure, all those banks, Google, Twitter... PHP through and through.

PHP powers a *lot* of small hack websites. If running forums is your idea of the important parts of the web, then sure, yeah PHP powers a tonne of that. Java powers things that are actually used on an industrial scale, require reliability and security.

Re:So what if they've known about it for 10 years? (1)

Anonymous Coward | more than 3 years ago | (#35147306)

you're joking, right? Fixing an infinite loop caused by normalization of certain values should have the highest priority, that's a broken math library in the planet's platform for doing enterprise math. The ten year old bug report not only gave the range of numbers but the follow up to it even included the fix. Too bad slashdot's lameness filter doesn't allow reproducing it here

Re:So what if they've known about it for 10 years? (1)

tomhudson (43916) | more than 3 years ago | (#35147400)

Actually, as one of the comments on the site pointed out:

I think this bug is less critical than PHP's bug, because Java Servlets are not used as much as PHP

"Java sucks less because people use it less". Sounds reasonable.

Re:So what if they've known about it for 10 years? (1)

kaffiene (38781) | more than 3 years ago | (#35148408)

It's also not true - all JSP sites render as Servlets, as I think most Java web technologies do.

Re:So what if they've known about it for 10 years? (1)

tomhudson (43916) | more than 3 years ago | (#35149618)

Which doesn't change the fact that PHP is more widely used on the web than Java. Pretty much every web hosting project offers a basic LAMP or WAMP stack. Java? Not so much.

The same goes for available software. Compare the number of open-source web frameworks and content management systems available for the two languages. Java is barely a blip. PHP is everywhere, and python and ruby are follow-ups.

Re:So what if they've known about it for 10 years? (1)

kaffiene (38781) | more than 3 years ago | (#35148370)

Are you shocked that people who have an axe to grind about Java are using this to criticise the language? Has slashdot *ever* given Java a fair go? I think not.

Re:So what if they've known about it for 10 years? (0)

Desler (1608317) | more than 3 years ago | (#35149920)

Awwww, is a Java weenie mad because all their supposed claims about the security of Java are lately being shown to be false?

Re:So what if they've known about it for 10 years? (1)

MemoryDragon (544441) | more than 3 years ago | (#35148654)

No it does not crash all the time, but given that I am a server framework programmer this issue is severe enough. It is not funny if a well placed HTTP GET parameter can shoot down your entire server. It of course depends on the backend code really trying to convert the number into float params. So far Tomcat has fixed this relatively quickly, other frameworks as well (you still can shoot down the server on framework level).
But the final fix has to come from Oracle.

Re:So what if they've known about it for 10 years? (1)

snookiex (1814614) | more than 3 years ago | (#35149412)

Priority is often calculated from two variables: impact and likelihood. I guess they weren't so wrong about the latter. In any case they screwed it badly.

Encountered this a couple years ago (3, Interesting)

prehistoricman5 (1539099) | more than 3 years ago | (#35147036)

I was working on a gas/billiard ball simulation a couple years ago and kept on running into a bug where the simulation would lock up in an infinite loop, and iirc, that magic number kept popping up. All along I thought it was some sort of bug in my code (it was a horrible hack job; it's almost unmaintainable).

Do NOT try this (3, Funny)

c0lo (1497653) | more than 3 years ago | (#35147048)

Try this:

DO... NOT... TRY... THIS...

Don't say I haven't warned you!!!!!

Re:Do NOT try this (-1)

Anonymous Coward | more than 3 years ago | (#35147212)

Neither work...
The program 'curl' is currently not installed. To run 'curl' please ask your administrator to install the package 'curl'

Re:Do NOT try this (0)

Anonymous Coward | more than 3 years ago | (#35147684)

Neither work...
The program 'curl' is currently not installed. To run 'curl' please ask your administrator to install the package 'curl'

I think you missed the part about not trying this...

Re:Do NOT try this (0)

Anonymous Coward | more than 3 years ago | (#35147724)

Windows cannot find 'curl''. Make sure you have typed the name correctly, and then try again.

:(

Re:Do NOT try this (1)

snookiex (1814614) | more than 3 years ago | (#35149476)

+1 Funny. But apparently you can install it [curl.haxx.se]

Re:Do NOT try this (1)

dougmc (70836) | more than 3 years ago | (#35149260)

Isn't slashcode written in perl rather than java?

Oh ... I see what you did there!

Fixed available (5, Informative)

Wookie Monster (605020) | more than 3 years ago | (#35147302)

Oracle has posted a fix for the bug, in the form of a patch. Official releases will be available next week. http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html [oracle.com] http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html [oracle.com]

Mod parent up, please (0)

Anonymous Coward | more than 3 years ago | (#35148036)

Mod parent up, please

Re:Fixed available (1)

Carewolf (581105) | more than 3 years ago | (#35148242)

A fix in the form of a patch has been posted on the 10 year bug report of the same bug. Didn't seem like that helped a fix find its way into Java.

Cool! (0)

Anonymous Coward | more than 3 years ago | (#35147428)

From now on, I'm totally inputting 2.2250738585072011e-308 on every text field that asks for a number.

Re:Cool! (2, Funny)

Anonymous Coward | more than 3 years ago | (#35148050)

Thats the combination to my luggage!

Re:Cool! (1)

MemoryDragon (544441) | more than 3 years ago | (#35148688)

Won't help :-) it only triggers if the text field parses for a floating LONG number!
Most text fields either go for Int or Float as their targets.

Fails to Work on Android (1)

virtigex (323685) | more than 3 years ago | (#35147706)

The code works fine on Android. Guess that they are not running a true JVM.

Re:Fails to Work on Android (0)

Anonymous Coward | more than 3 years ago | (#35148388)

Android uses DVM, not JVM.

Re:Fails to Work on Android (1)

MemoryDragon (544441) | more than 3 years ago | (#35148680)

Guess they simply used the Harmony Code for this stuff and Harmony does not have the bug in.

Re:Fails to Work on Android (2)

atomice (228931) | more than 3 years ago | (#35149574)

Guess they simply used the Harmony Code for this stuff and Harmony does not have the bug in.

It was fixed in Harmony a year and a half ago:

https://issues.apache.org/jira/browse/HARMONY-329 [apache.org]

Re:Fails to Work on Android (1)

TheThiefMaster (992038) | more than 3 years ago | (#35148768)

If it's the same problem PHP had, then it requires an x86 FPU.

Re:Fails to Work on Android (1)

cnettel (836611) | more than 3 years ago | (#35149168)

The bug is in Java code, not underlying JVM code. Java goes to great lengths to maintain IEEE compliance, which means that it truncates to 64-bit precision everywhere.

Re:Fails to Work on Android (0)

Anonymous Coward | more than 3 years ago | (#35149696)

Doesn't it only do that with strictfp?

It is not the JVM .... (5, Insightful)

Chrisq (894406) | more than 3 years ago | (#35148204)

The article makes it clear that the problem is in FloatingDecimal.java [docjar.com] . It is converting decimal strings to floating point numbers - fp arithmetic is fine!

Re:It is not the JVM .... (0)

Anonymous Coward | more than 3 years ago | (#35148716)

yeah, but on a note, the programming example only "printing" an instantiated double hanging the compiler or the VM depending where the data comes from is still dangerous, since it's a non-transparent bug (you don't include FloatingDecimal.java explicitly).
and as a programmer converting my double by a print/log function is still part of the fp arithmetic in a certain way or at least very close to it.

so the bug is in the language implementation.

Re:It is not the JVM .... (0)

Anonymous Coward | more than 3 years ago | (#35148986)

The article makes it clear that the problem is in FloatingDecimal.java [docjar.com] . It is converting decimal strings to floating point numbers - fp arithmetic is fine!

And the other part of the summary that is just plain stupid:

"but application code will still be vulnerable to user input."

No. Unconstrained user input will be. If you're not already checking the user input before passing it along, you're a fucking idiot and this bug is the LEAST of your worries. Seriously.
I'm not defending them on this, but this is a fairly minor bug and it's been known for a decade so anybody calling themselves a serious Java programmer already codes around the problem by simply NOT passing those types of strings to the bugged functions. If you're a GOOD Java programmer, you've already overloaded the function and implemented your own bug-free code.

Re:It is not the JVM .... (1)

Chrisq (894406) | more than 3 years ago | (#35149386)

No. Unconstrained user input will be. If you're not already checking the user input before passing it along, you're a fucking idiot and this bug is the LEAST of your worries.

There are a few niche cases, like calculators and spreadsheets, where the constrained input could validly include the input. The assertion in comments to the article that quality values in HTTP headers cause this problem does not come into this category, as the standard [w3.org] says that only three digits after the decimal should be sent.
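The defensive pattern the last two comments argue for (reject input that falls outside the grammar a field is allowed to have before it ever reaches the parser, and hold HTTP q-values to the three-fraction-digit form the spec allows), as an added example that is not from the thread, the JDK, Tomcat or any other project. The class name, the regular expressions, the 15-integer-digit/6-fraction-digit limit for free-form fields and the sample inputs are this example's own choices; the q-value grammar is the one in RFC 2616 section 3.9.

```java
import java.util.Optional;
import java.util.regex.Pattern;

/**
 * Added example (not from the Slashdot thread or the JDK): validate numeric
 * strings against the grammar the input is allowed to have BEFORE handing
 * them to Double.parseDouble(), so the converter never sees an exponent or
 * a digit string longer than the field legitimately needs.
 */
public final class NumericInputGuard {

    // RFC 2616 section 3.9 qvalue grammar:
    //   ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
    private static final Pattern QVALUE =
            Pattern.compile("^(?:0(?:\\.[0-9]{0,3})?|1(?:\\.0{0,3})?)$");

    // Hypothetical limit for a free-form decimal form field: optional sign,
    // 1-15 integer digits, optional fraction of 1-6 digits, no exponent part.
    // Replace the digit counts with whatever the backing column actually allows.
    private static final Pattern PLAIN_DECIMAL =
            Pattern.compile("^[+-]?[0-9]{1,15}(?:\\.[0-9]{1,6})?$");

    private NumericInputGuard() {}

    /** Parses an HTTP q-value; empty if it does not match the RFC grammar. */
    public static Optional<Double> parseQValue(String raw) {
        if (raw == null || !QVALUE.matcher(raw).matches()) {
            return Optional.empty();
        }
        // One integer digit and at most three fraction digits reach the parser.
        return Optional.of(Double.parseDouble(raw));
    }

    /** Parses a form field; empty unless it is a short plain decimal. */
    public static Optional<Double> parsePlainDecimal(String raw) {
        if (raw == null || !PLAIN_DECIMAL.matcher(raw).matches()) {
            return Optional.empty();
        }
        return Optional.of(Double.parseDouble(raw));
    }

    /**
     * Extracts the q-value from one Accept-Language element such as "en-us;q=0.8".
     * A missing q parameter means 1.0 per the RFC; a malformed one is rejected
     * rather than parsed.
     */
    public static Optional<Double> qValueOfLanguageRange(String element) {
        String[] parts = element.trim().split(";");
        for (int i = 1; i < parts.length; i++) {
            String p = parts[i].trim();
            if (p.startsWith("q=")) {
                return parseQValue(p.substring(2).trim());
            }
        }
        return Optional.of(1.0);
    }

    public static void main(String[] args) {
        // Constructed sample header elements; the last one carries the
        // string quoted elsewhere in the thread and is rejected on grammar
        // alone, so Double.parseDouble() is never called on it.
        String[] samples = {
            "en-us;q=0.8",
            "fr",
            "de;q=1.000",
            "en-us;q=2.2250738585072012e-308",
        };
        for (String s : samples) {
            String result = qValueOfLanguageRange(s)
                    .map(Object::toString)
                    .orElse("rejected");
            System.out.println(s + " -> " + result);
        }
        System.out.println("price field 19.99 -> "
                + parsePlainDecimal("19.99").map(Object::toString).orElse("rejected"));
        System.out.println("price field 1e-308 -> "
                + parsePlainDecimal("1e-308").map(Object::toString).orElse("rejected"));
    }
}
```

Anything that fails the grammar is dropped at the edge, which is also the natural place to log it: a burst of q-values or form fields that carry an exponent or dozens of fraction digits is not something a browser or a legitimate client sends, so the rejection counter doubles as a detection signal for this class of probe.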

Re:It is not the JVM .... (3, Informative)

CynicTheHedgehog (261139) | more than 3 years ago | (#35149700)

I haven't used floats or doubles in a long time. From a business perspective (think monetary values) it almost always makes more sense to use BigDecimal and apply rounding rules, particularly if those values are stored in a database where scale and precision are known or required. I would imagine the same would be true for scientific values, GIS coordinates, etc. (anything with a known precision). The only use for float/double that comes to mind is something where absolute precision isn't critical and speed is important, such as graphics/physics calculations for games, in which case you generally wouldn't be parsing user-entered values anyway.

Also, the default/packaged JSF numeric input converters produce either Long or BigDecimal values (per spec) depending on whether a decimal is present, so this should only affect a very small subset of use cases that are easily patched or avoided (old JSP/servlet code, Struts, etc.)
