Array-bounds overflow errors in fdlibm #14

joransiu · 2015-11-25T02:56:57Z

From @maximmai comment in Issue #13 :

I am able to reproduce the 'overflow-warning' with version 4.8, using the system's default GCC 4.8.3:

  CXX(target) /sandbox/maximmai/v8/v8z/4.5/v8/out/s390x.release/obj.target/v8_base/src/third_party/fdlibm/fdlibm.o
../src/third_party/fdlibm/fdlibm.cc: In function ‘int v8::fdlibm::rempio2(double, double*)’:
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
cc1plus: all warnings being treated as errors
make[1]: *** [/sandbox/maximmai/v8/v8z/4.5/v8/out/s390x.release/obj.target/v8_base/src/third_party/fdlibm/fdlibm.o] Error 1
make[1]: Leaving directory `/sandbox/maximmai/v8/v8z/4.5/v8/out'
make: *** [s390x.release] Error 2
lozlnx03.canlab.ibm.com:/sandbox/maximmai/v8/v8z/4.5/v8 $> 
x + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
cc1plus: all warnings being treated as errors
make[1]: *** [/sandbox/maximmai/v8/v8z/4.5/v8/out/s390x.release/obj.target/v8_base/src/third_party/fdlibm/fdlibm.o] Error 1
make[1]: Leaving directory `/sandbox/maximmai/v8/v8z/4.5/v8/out'
make: *** [s390x.release] Error 2
lozlnx03.canlab.ibm.com:/sandbox/maximmai/v8/v8z/4.5/v8 $> 
[ 0 cloudant local  1 TOP minitor  3 cloudant data pusher  4 
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
../src/third_party/fdlibm/fdlibm.cc:210:17: error: array subscript is above array bounds [-Werror=array-bounds]
         f[jx + i] = static_cast<double>(two_over_pi[jv + i]);
                 ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
         for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i - j];
                                                                      ^
../src/third_party/fdlibm/fdlibm.cc:211:70: error: array subscript is above array bounds [-Werror=array-bounds]
../src/third_party/fdlibm/fdlibm.cc:212:12: error: array subscript is above array bounds [-Werror=array-bounds]
         q[i] = fw;
            ^
cc1plus: all warnings being treated as errors
make[1]: *** [/sandbox/maximmai/v8/v8z/4.5/v8/out/s390x.release/obj.target/v8_base/src/third_party/fdlibm/fdlibm.o] Error 1
make[1]: Leaving directory `/sandbox/maximmai/v8/v8z/4.5/v8/out'
make: *** [s390x.release] Error 2

The text was updated successfully, but these errors were encountered:

…ttps://codereview.chromium.org/1474543004/ ) Reason for revert: Broke the build, apparently. Original issue's description: > Implement FastAccessorBuilder. > > ... using the RawMachineAssembler and the work in cl/1407313004 > > BUG=chromium:508898 > LOG=Y > > Committed: https://crrev.com/515d9ccd8e6df7bf2ca01e2a55aaad30226399e1 > Cr-Commit-Position: refs/heads/master@{#32742} TBR=epertoso@chromium.org,bmeurer@chromium.org,jochen@chromium.org,mstarzinger@chromium.org,mvstanton@chromium.org NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=chromium:508898 Review URL: https://codereview.chromium.org/1513203002 Cr-Commit-Position: refs/heads/master@{#32744}

…bound functions. (patchset #14 id:260001 of https://codereview.chromium.org/1542963002/ ) Reason for revert: Breaks arm64 sim nosnap: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/805/steps/Check/logs/function-bind Original issue's description: > [runtime] Introduce dedicated JSBoundFunction to represent bound functions. > > According to the ES2015 specification, bound functions are exotic > objects, and thus don't need to be implemented as JSFunctions. So > we introduce a new JSBoundFunction type to represent bound functions > and make them optimizable. This already improves the performance of > calling or constructing bound functions by 10-100x depending on the > use case because we avoid the crazy dance between JavaScript and C++ > that was implemented in v8natives.js previously. > > There's still room for improvement in the performance of actually > creating bound functions, which is also relevant in practice, but > we already have a plan how to accomplish that later. > > The mips/mips64 ports were contributed by akos.palfi@imgtec.com. > > CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel > BUG=chromium:535408, chromium:571299, v8:4629 > LOG=n > > Committed: https://crrev.com/ca8623eaa468cba65a5adafcdfb4615966f43ce2 > Cr-Commit-Position: refs/heads/master@{#33042} TBR=cbruni@chromium.org,hpayer@chromium.org,yangguo@chromium.org,akos.palfi@imgtec.com NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=chromium:535408, chromium:571299, v8:4629 Review URL: https://codereview.chromium.org/1552473002 Cr-Commit-Position: refs/heads/master@{#33043}

…250001 of https://codereview.chromium.org/1703823002/ ) Reason for revert: Revert because of canary crashes: crbug.com/589413 Original issue's description: > Replace slots buffer with remembered set. > > Slots pointing to evacuation candidates are now recorded in the new RememberedSet<OLD_TO_OLD>. > > The remembered set is extended to support typed slots. > > During parallel evacuation all migration slots are recorded in local slots buffers. > After evacuation all local slots are added to the remembered set. > > BUG=chromium:578883 > LOG=NO > > Committed: https://crrev.com/2285a99ef6f7d52f4f0c4d88a7db4224443ee152 > Cr-Commit-Position: refs/heads/master@{#34212} TBR=jochen@chromium.org,hpayer@chromium.org,mlippautz@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=chromium:578883 Review URL: https://codereview.chromium.org/1725073003 Cr-Commit-Position: refs/heads/master@{#34238}

…0001 of https://codereview.chromium.org/1703823002/ )" This reverts commit 9146bc5. This contains a fix for the following crash: 1. We record slots for a fixed array. 2. We trim the fixed array, so that some recorded slots are now in free space. 3. During mark-compact we sweep the page with the fixed array. Now free list items contain memory with recorded slots. 4. We evacuate a byte array using the new free list items. 5. We iterate slots that are now inside the byte array and crash. BUG=chromium:589413,chromium:578883 LOG=NO Review URL: https://codereview.chromium.org/1735523002 Cr-Commit-Position: refs/heads/master@{#34302}

…or (patchset #14 id:260001 of https://codereview.chromium.org/1707743002/ ) Reason for revert: gcmole failure https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/8598 Original issue's description: > [key-accumulator] Starting to reimplement the key-accumulator > > Introducing the KeyAccumulator accidentally removed some crucial fast-paths. > This CL starts rewriting the KeyAccumulator, step-by-step introducing the > special cases again. > > BUG=chromium:545503, v8:4758 > LOG=y > > Committed: https://crrev.com/9c61327ecb2ee41f34232632e0cac93202bae6b7 > Cr-Commit-Position: refs/heads/master@{#34532} TBR=verwaest@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=chromium:545503, v8:4758 Review URL: https://codereview.chromium.org/1773593003 Cr-Commit-Position: refs/heads/master@{#34537}

Merged 9146bc5 Revert of Replace slots buffer with remembered set. (patchset #14 id:250001 of https://codereview.chromium.org/1703823002/ ) BUG=chromium:578883 LOG=N TBR=ulan@chromium.org Review URL: https://codereview.chromium.org/1739003003 . Cr-Commit-Position: refs/branch-heads/5.0@{#3} Cr-Branched-From: ad16e6c-refs/heads/5.0.71@{#1} Cr-Branched-From: bd9df50-refs/heads/master@{#34215}

…//codereview.chromium.org/1777503002/ ) Reason for revert: This makes "mjsunit/undetectable-compare" fail, some previous drive-by-fix might be missing from the branch that allows us to make the switch away from the CompareIC. This is no longer a quick-fix that can be merged back and we are essentially flying blind on the branch. I am no longer confident that the quick-fix can be merged back. Reverting. Original issue's description: > Version 5.0.71.10 (cherry-pick) > > Merged 55b4df7 > Merged d00da47 > Merged 4da2e3d > Merged c1507e1 > > [runtime] Unify comparison operator runtime entries. > > [turbofan] Don't use the CompareIC in JSGenericLowering. > > PPC: [runtime] Unify comparison operator runtime entries. > > PPC: [turbofan] Don't use the CompareIC in JSGenericLowering. > > R=hablich@chromium.org > BUG=chromium:590832,v8:4788 > LOG=N > > Committed: https://chromium.googlesource.com/v8/v8/+/0843a173996f5f63eca749d6fe8c20d4813537d9 TBR=hablich@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=chromium:590832,v8:4788 Review URL: https://codereview.chromium.org/1775883003 Cr-Commit-Position: refs/branch-heads/5.0@{#14} Cr-Branched-From: ad16e6c-refs/heads/5.0.71@{#1} Cr-Branched-From: bd9df50-refs/heads/master@{#34215}

…y references. (patchset ibmruntimes#14 id:300001 of https://codereview.chromium.org/1759383003/ ) Reason for revert: Test failures: https://build.chromium.org/p/client.v8/builders/V8%20Mac64/builds/8046 Original issue's description: > [compiler] Add relocatable pointer constants for wasm memory references. > > Add relocatable pointers for wasm memory references that need to be updated when wasm GrowMemory is used. Code generator changes to accept relocatable constants as immediates. > > R=titzer@chromium.org, yangguo@chromium.org, bradnelson@chromium.org > > Committed: https://crrev.com/eb5fe0df64ec0add423b2a1f6fb62d5a33dce2a5 > Cr-Commit-Position: refs/heads/master@{#35182} TBR=bradnelson@chromium.org,titzer@chromium.org,gdeepti@google.com # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true Review URL: https://codereview.chromium.org/1846083005 Cr-Commit-Position: refs/heads/master@{#35185}

Merged 9acbca1 [es6] Fix bug in pattern re-writing BUG=v8:4891 LOG=N R=littledan@chromium.org Review URL: https://codereview.chromium.org/1903153004 . Cr-Commit-Position: refs/branch-heads/5.1@{#14} Cr-Branched-From: 167dc63-refs/heads/5.1.281@{#1} Cr-Branched-From: 03953f5-refs/heads/master@{#35282}

TBR=machenbach@chromium.org Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: Ic57b5e89499d59d608535dab7b1c44be2e3a90b0 Reviewed-on: https://chromium-review.googlesource.com/661079 Reviewed-by: v8 autoroll <v8-autoroll@chromium.org> Cr-Commit-Position: refs/branch-heads/6.2@{#14} Cr-Branched-From: efa2ac4-refs/heads/6.2.414@{#1} Cr-Branched-From: a861ebb-refs/heads/master@{#47693}

joransiu mentioned this issue Nov 25, 2015

Build errors under gcc 5.0 #13

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Array-bounds overflow errors in fdlibm #14

Array-bounds overflow errors in fdlibm #14

joransiu commented Nov 25, 2015

Array-bounds overflow errors in fdlibm #14

Array-bounds overflow errors in fdlibm #14

Comments

joransiu commented Nov 25, 2015