From dacb66ac72058af214366b34874533889b5ab32e Mon Sep 17 00:00:00 2001
From: dyb
Date: Fri, 9 Jun 2017 21:21:08 -0400
Subject: [PATCH] fixed a bug in flonum-extractor, which on 64-bit machines was using an 8-byte read instead of a 4-byte read to pick up the 4 highest-order bytes of a little-endian flonum, potentially reading past the end of mapped memory for flonums produced by taking the imaginary part of an inexact complexnum (which, unlike other flonums, are not aligned on 16-byte boundaries). The 8-byte load would also have failed to produce correct results on 64-bit big-endian machines (of which we presently have none) because the offsets passed to flonum-extractor assume the bits are in the lowest-order 4 bytes of the extracted field. cp0.ss, misc.ms, release_notes.stex

original commit: 97bd75bcedbcf32b77c59615a638ea1528ebe26b
---
 LOG | 18 ++++++++++++++++--
 mats/misc.ms | 6 ++++++
 release_notes/release_notes.stex | 23 ++++++++++++++---------
 s/cpnanopass.ss | 7 ++++---
 4 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/LOG b/LOG
index 0977ded28c..f8a9f1809e 100644
--- a/LOG
+++ b/LOG
@@ -495,5 +495,19 @@
 4.ms
 - added date-dst? to access the previously-hidden DST information in date records, and added date-zone-name to provide a time zone name.
- date.ss, primdata.ss, stats.c, date.ms, root-experr*,
- patch-compile*, system.stex
+ date.ss, primdata.ss,
+ stats.c,
+ date.ms, root-experr*, patch-compile*,
+ system.stex
+- fixed a bug in flonum-extractor, which on 64-bit machines was using an
+ 8-byte read instead of a 4-byte read to pick up the 4 highest-order
+ bytes of a little-endian flonum, potentially reading past the end of
+ mapped memory for flonums produced by taking the imaginary part of an
+ inexact complexnum (which, unlike other flonums, are not aligned on
+ 16-byte boundaries). The 8-byte load would also have failed to produce
+ correct results on 64-bit big-endian machines (of which we presently
+ have none) because the offsets passed to flonum-extractor assume the
+ bits are in the lowest-order 4 bytes of the extracted field.
+ cp0.ss,
+ misc.ms,
+ release_notes.stex
diff --git a/mats/misc.ms b/mats/misc.ms
index 8750b7142e..893424dbfd 100644
--- a/mats/misc.ms
+++ b/mats/misc.ms
@@ -604,6 +604,12 @@
 17)))])
 (cons v ls)))
 '(3 17 17))
+ ; regression test for bug in which $flonum-exponent read past mapped memory
+ (eq?
+ (do ([n 2000 (- n 1)] [ls (iota 2000)])
+ ((= n 0) 'fini)
+ (map (lambda (x) (let ([x (exact (sqrt -2.0))]) x)) ls))
+ 'fini)
 )
 (mat compiler3
diff --git a/release_notes/release_notes.stex b/release_notes/release_notes.stex
index e33446858f..d2a50b6fd9 100644
--- a/release_notes/release_notes.stex
+++ b/release_notes/release_notes.stex
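Review bot: The regression test in this hunk only passes by not crashing — `eq?` compares the `do` loop's exit value with `'fini`, every `map` result is discarded, and the lambda's parameter `x` is immediately shadowed and never used — so nothing in the test says which property it pins, and whether a surviving 8-byte overrun actually crosses into an unmapped page presumably depends on where the allocator places the complexnums. I would extend the one-line comment to explain the mechanism, e.g. `; (exact (sqrt -2.0)) takes the imaginary part of an inexact complexnum, a flonum that is not 16-byte aligned; allocate many so a read past its end eventually hits unmapped memory`, and either drop the shadowing (`(lambda (x) (exact (sqrt -2.0)))`) or note that the `let` is there deliberately to keep the call from being folded at compile time. The enclosing `mat` form begins before this hunk; only its closing paren is visible here.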
@@ -1498,20 +1498,25 @@ in fasl files does not generally make sense.
 %-----------------------------------------------------------------------------
 \section{Bug Fixes}\label{section:bugfixes}
-\subsection{Overflow detection for \protect\scheme{fxsll},
-\protect\scheme{fxarithmetic-shift-left}, and
-\protect\scheme{fxarithmetic-shift}}
+\subsection{Invalid memory references involving complex numbers (9.4.1)}
+
+A bug on 64-bit platforms that occasionally caused invalid memory
+references when operating on inexact complex numbers or the imaginary parts
+of inexact complex numbers has been fixed.
+[This bug dated back to Version 8.9.1.]
+
+\subsection{Overflow detection for left-shift operations on fixnums (9.4.1)}
 A bug that caused \scheme{fxsll}, \scheme{fxarithmetic-shift-left}, and \scheme{fxarithmetic-shift} to fail to detect overflow in certain
-cases was fixed.
-[This bug dated back to Version 7.1 or earlier.]
+cases has been fixed.
+[This bug dated back to Version 4.0.]
-\subsection{Invalid memory reference when \protect\scheme{enum-set-indexer} procedure is not passed a symbol}
+\subsection{Missing \protect\scheme{enum-set-indexer} argument check (9.4.1)}
-A bug that caused the procedure returned by \scheme{enum-set-indexer}
-to perform an invalid memory reference when passed an argument that is
-not a symbol has been fixed.
+A missing argument check that resulted in the procedure returned by \scheme{enum-set-indexer}
+causing an invalid memory reference when passed a non-symbol argument has been fixed.
+[This bug dated back to Version 7.5.]
 \subsection{Storage for inaccessible mutexes and conditions is reclaimed (9.4.1)}
diff --git a/s/cpnanopass.ss b/s/cpnanopass.ss
index 964405612f..512533a979 100644
--- a/s/cpnanopass.ss
+++ b/s/cpnanopass.ss
@@ -6313,9 +6313,10 @@
 (let ([cnt (- pos (constant fixnum-offset))]
 [mask (* (- (expt 2 size) 1) (expt 2 (constant fixnum-offset)))])
 (%inline logand
- ,(let ([body (%mref ,e1 ,(constant-case native-endianness
- [(little) (fx+ (constant flonum-data-disp) 4)]
- [(big) (constant flonum-data-disp)]))])
+ ,(let ([body `(inline ,(make-info-load 'integer-32 #f) ,%load ,e1 ,%zero
+ (immediate ,(constant-case native-endianness
+ [(little) (fx+ (constant flonum-data-disp) 4)]
+ [(big) (constant flonum-data-disp)])))])
 (let ([body (if (fx> cnt 0) (%inline srl ,body (immediate ,cnt)) body)])