On Wed, Jul 3, 2024, at 15:48, Joel Jacobson wrote:
> On Wed, Jul 3, 2024, at 13:17, Dean Rasheed wrote:
>> On Tue, 2 Jul 2024 at 21:10, Joel Jacobson <j...@compiler.org> wrote:
>>>
>>> I found the bug in the case 3 code,
>>> and it turns out the same type of bug also exists in the case 2 code:
>>>
>>>                         case 2:
>>>                                 newdig = (int) var1digits[1] * 
>>> var2digits[res_ndigits - 4];
>>>
>>> The problem here is that res_ndigits could become less than 4,
>>
>> Yes. It can't be less than 3 though (per an earlier test), so the case
>> 2 code was correct.
>
> Hmm, I don't see how the case 2 code can be correct?
> If, like you say, res_ndigits can't be less than 3, that means it can 
> be 3, right?
> And if res_ndigits=3 then `var2digits[res_ndigits - 4]` would try to 
> access `var2digits[-1]`.

Here is an example on how to trigger the bug:

```
                        case 2:
                                if (res_ndigits - 4 < 0)
                                {
                                        
printf("var1=%s\n",get_str_from_var(var1));
                                        
printf("var2=%s\n",get_str_from_var(var2));
                                        printf("rscale=%d\n", rscale);
                                        printf("res_ndigits - 4 < 0 => 
var2digits[%d]=%d\n", res_ndigits - 4, var2digits[res_ndigits - 4]);
                                }
```

Running through my tests, I hit lots of cases, including:

var1=0.10968501
var2=0.903728177113
rscale=0
res_ndigits - 4 < 0 => var2digits[-1]=-31105

All of the spotted cases had rscale=0.

If we know that mul_var() will never be called with rscale=0 when dealing with 
decimal inputs, perhaps we should enforce this with an Assert(), to prevent the 
otherwise possible out-of-bounds access (negative indexing) and provide early 
detection?

Regards,
Joel


Reply via email to