Rick Regan, Exploring Binary, real.c Rounding is Perfect (GCC Now Converts Correctly), here. Internet, yessss.
GCC, the GNU Compiler Collection, recently fixed this eight and a half year old bug: “GCC Bugzilla – Bug 21718: real.c rounding not perfect.” This bug was the cause of incorrect decimal string to binary floating-point conversions. I first wrote about it over three years ago, and then recently in September and October. I also just wrote a detailed description of GCC’s conversion algorithm last month.
This fix, which will be available in version 4.9, scraps the old algorithm and replaces it with a call to MPFR function mpfr_strtofr(). I tested the fix on version 4.8.1, replacing its copy of gcc/real.c with the fixed one. I found no incorrect conversions.
Java Hangs When Converting 2.2250738585072012e-308, here. And Kahan said/wrote, darkly, that no one was keeping track of errors. This article has 130 comments!
Konstantin Preißer made an interesting discovery, after reading my article “PHP Hangs On Numeric Value 2.2250738585072011e-308”: Java — both its runtime and compiler — go into an infinite loop when converting the decimal number 2.2250738585072012e-308 to double-precision binary floating-point. This number is supposed to convert to 0x1p-1022, which is DBL_MIN; instead, Java gets stuck, oscillating between 0x1p-1022 and 0x0.fffffffffffffp-1022, the largest subnormal double-precision floating-point number.
Damien LePage, Programming and more…, The ugly bug, here.
Can you think of any public interface (most likely a web page) taking a double as input? An amount of money maybe, that’s probably the most common example. Tempted to try our evil number here? You get it! It shouldn’t be long before a hacker post this number to every single field of your web site. The more popular you are, the fastest it will be.
Dan Goodin, The Register, Oracle patches decade-old ‘Mark-of-the-Beast’ bug in Java, here.
Oracle has squashed a decade-old bug in its Java programming framework that allows attackers to bring down sensitive servers by feeding them numerical values with large numbers of decimal places.
The vulnerability in the latest version of Java was disclosed last month and reported by The Reg on Monday. The bug, which stems from the difficulty of representing some floating-point numbers in the binary format, made it possible to carry out denial-of-service attacks when Java applications process the value 2.2250738585072012e-308.
On Tuesday, Oracle patched the Mark-of-the-Beast bug in its Java Runtime Environment. “Java based application and web servers are especially at risk from this vulnerability,” an advisory issued by the company warned.
According to numerous online forums, including this one for Java developers, the bug was first reported in 2001 to Sun Microsystems, which was at the time the official steward of the Java environment. For some reason, the link to the original report was removed last week with no explanation.
The vulnerability was reported again in 2009, but remained unfixed until now. ®