From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: hreitz@redhat.com
Subject: [PATCH 11/11] cutils: Improve qemu_strtosz handling of fractions
Date: Mon, 8 May 2023 15:03:43 -0500 [thread overview]
Message-ID: <20230508200343.791450-12-eblake@redhat.com> (raw)
In-Reply-To: <20230508200343.791450-1-eblake@redhat.com>
We have several limitations and bugs worth fixing; they are
inter-related enough that it is not worth splitting this patch into
smaller pieces:
* ".5k" should work to specify 512, just as "0.5k" does
* "1.9999k" and "1." + "9"*50 + "k" should both produce the same
result of 2048 after rounding
* "1." + "0"*350 + "1B" should not be treated the same as "1.0B";
underflow in the fraction should not be lost
* "7.99e99" and "7.99e999" look similar, but our code was doing a
read-out-of-bounds on the latter because it was not expecting ERANGE
due to overflow. While we document that scientific notation is not
supported, and the previous patch actually fixed
qemu_strtod_finite() to no longer return ERANGE overflows, it is
easier to pre-filter than to try and determine after the fact if
strtod() consumed more than we wanted. Note that this is a
low-level semantic change (when endptr is not NULL, we can now
successfully parse with a scale of 'E' and then report trailing
junk, instead of failing outright with EINVAL); but an earlier
commit already argued that this is not a high-level semantic change
since the only caller passing in a non-NULL endptr also checks that
the tail is whitespace-only.
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1629
Signed-off-by: Eric Blake <eblake@redhat.com>
---
tests/unit/test-cutils.c | 51 +++++++++++------------
util/cutils.c | 89 ++++++++++++++++++++++++++++------------
2 files changed, 88 insertions(+), 52 deletions(-)
diff --git a/tests/unit/test-cutils.c b/tests/unit/test-cutils.c
index f781997aef7..1fb9d5323ab 100644
--- a/tests/unit/test-cutils.c
+++ b/tests/unit/test-cutils.c
@@ -2693,14 +2693,14 @@ static void test_qemu_strtosz_float(void)
g_assert_cmpuint(res, ==, 1024);
g_assert_true(endptr == str + 4);
- /* FIXME An empty fraction head should be tolerated */
+ /* An empty fraction head is tolerated */
str = " .5k";
endptr = str;
res = 0xbaadf00d;
err = qemu_strtosz(str, &endptr, &res);
- g_assert_cmpint(err, ==, -EINVAL /* FIXME 0 */);
- g_assert_cmpuint(res, ==, 0 /* FIXME 512 */);
- g_assert_true(endptr == str /* FIXME + 4 */);
+ g_assert_cmpint(err, ==, 0);
+ g_assert_cmpuint(res, ==, 512);
+ g_assert_true(endptr == str + 4);
/* For convenience, we permit values that are not byte-exact */
str = "12.345M";
@@ -2711,16 +2711,16 @@ static void test_qemu_strtosz_float(void)
g_assert_cmpuint(res, ==, (uint64_t) (12.345 * MiB + 0.5));
g_assert_true(endptr == str + 7);
- /* FIXME Fraction tail should round correctly */
+ /* Fraction tail can round up */
str = "1.9999999999999999999999999999999999999999999999999999k";
endptr = str;
res = 0xbaadf00d;
err = qemu_strtosz(str, &endptr, &res);
g_assert_cmpint(err, ==, 0);
- g_assert_cmpint(res, ==, 1024 /* FIXME 2048 */);
+ g_assert_cmpuint(res, ==, 2048);
g_assert_true(endptr == str + 55);
- /* FIXME ERANGE underflow in the fraction tail should not matter for 'k' */
+ /* ERANGE underflow in the fraction tail does not matter for 'k' */
str = "1."
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
@@ -2734,7 +2734,7 @@ static void test_qemu_strtosz_float(void)
res = 0xbaadf00d;
err = qemu_strtosz(str, &endptr, &res);
g_assert_cmpint(err, ==, 0);
- g_assert_cmpuint(res, ==, 1 /* FIXME 1024 */);
+ g_assert_cmpuint(res, ==, 1024);
g_assert_true(endptr == str + 354);
}
@@ -2826,16 +2826,16 @@ static void test_qemu_strtosz_invalid(void)
g_assert_cmpuint(res, ==, 0);
g_assert_true(endptr == str);
- /* FIXME Fraction tail can cause ERANGE overflow */
+ /* Fraction tail can cause ERANGE overflow */
str = "15.9999999999999999999999999999999999999999999999999999E";
endptr = str;
res = 0xbaadf00d;
err = qemu_strtosz(str, &endptr, &res);
- g_assert_cmpint(err, ==, 0 /* FIXME -ERANGE */);
- g_assert_cmpuint(res, ==, 15ULL * EiB /* FIXME 0 */);
- g_assert_true(endptr == str + 56 /* FIXME str */);
+ g_assert_cmpint(err, ==, -ERANGE);
+ g_assert_cmpuint(res, ==, 0);
+ g_assert_true(endptr == str + 56);
- /* FIXME ERANGE underflow in the fraction tail should matter for 'B' */
+ /* ERANGE underflow in the fraction tail matters for 'B' */
str = "1."
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
@@ -2848,9 +2848,9 @@ static void test_qemu_strtosz_invalid(void)
endptr = str;
res = 0xbaadf00d;
err = qemu_strtosz(str, &endptr, &res);
- g_assert_cmpint(err, ==, 0 /* FIXME -EINVAL */);
- g_assert_cmpuint(res, ==, 1 /* FIXME 0 */);
- g_assert_true(endptr == str + 354 /* FIXME str */);
+ g_assert_cmpint(err, ==, -EINVAL);
+ g_assert_cmpuint(res, ==, 0);
+ g_assert_true(endptr == str);
/* No hex fractions */
str = "0x1.8k";
@@ -3045,14 +3045,14 @@ static void test_qemu_strtosz_trailing(void)
g_assert_cmpint(err, ==, -EINVAL);
g_assert_cmpuint(res, ==, 0);
- /* FIXME should stop parse after 'e'. No floating point exponents */
+ /* Parse stops at 'e', which is not a floating point exponent */
str = "1.5e1k";
endptr = NULL;
res = 0xbaadf00d;
err = qemu_strtosz(str, &endptr, &res);
- g_assert_cmpint(err, ==, -EINVAL /* FIXME 0 */);
- g_assert_cmpuint(res, ==, 0 /* FIXME EiB * 1.5 */);
- g_assert_true(endptr == str /* FIXME + 4 */);
+ g_assert_cmpint(err, ==, 0);
+ g_assert_cmpuint(res, ==, EiB * 1.5);
+ g_assert_true(endptr == str + 4);
res = 0xbaadf00d;
err = qemu_strtosz(str, NULL, &res);
@@ -3063,23 +3063,22 @@ static void test_qemu_strtosz_trailing(void)
endptr = NULL;
res = 0xbaadf00d;
err = qemu_strtosz(str, &endptr, &res);
- g_assert_cmpint(err, ==, -EINVAL /* FIXME 0 */);
- g_assert_cmpuint(res, ==, 0 /* FIXME EiB * 1.5 */);
- g_assert_true(endptr == str /* FIXME + 4 */);
+ g_assert_cmpint(err, ==, 0);
+ g_assert_cmpuint(res, ==, EiB * 1.5);
+ g_assert_true(endptr == str + 4);
res = 0xbaadf00d;
err = qemu_strtosz(str, NULL, &res);
g_assert_cmpint(err, ==, -EINVAL);
g_assert_cmpuint(res, ==, 0);
- /* FIXME overflow in fraction is buggy */
str = "1.5E999";
endptr = NULL;
res = 0xbaadf00d;
err = qemu_strtosz(str, &endptr, &res);
g_assert_cmpint(err, ==, 0);
- g_assert_cmpuint(res, ==, 1 /* FIXME EiB * 1.5 */);
- g_assert(endptr == str + 2 /* FIXME + 4 */);
+ g_assert_cmpuint(res, ==, EiB * 1.5);
+ g_assert_true(endptr == str + 4);
res = 0xbaadf00d;
err = qemu_strtosz(str, NULL, &res);
diff --git a/util/cutils.c b/util/cutils.c
index 0e056a27a44..d1dfbc69d16 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -194,14 +194,17 @@ static int64_t suffix_mul(char suffix, int64_t unit)
* - 12345 - decimal, scale determined by @default_suffix and @unit
* - 12345{bBkKmMgGtTpPeE} - decimal, scale determined by suffix and @unit
* - 12345.678{kKmMgGtTpPeE} - decimal, scale determined by suffix, and
- * fractional portion is truncated to byte
+ * fractional portion is truncated to byte, either side of . may be empty
* - 0x7fEE - hexadecimal, unit determined by @default_suffix
*
* The following are intentionally not supported
- * - hex with scaling suffix, such as 0x20M
- * - octal, such as 08
- * - fractional hex, such as 0x1.8
- * - floating point exponents, such as 1e3
+ * - hex with scaling suffix, such as 0x20M (0x1b is 27, not 1)
+ * - octal, such as 08 (parsed as decimal instead)
+ * - binary, such as 0b1000 (parsed as 0b with trailing garbage "1000")
+ * - fractional hex, such as 0x1.8 (parsed as 0 with trailing garbage "x1.8")
+ * - floating point exponents, such as 1e3 (parsed as 1e with trailing
+ * garbage "3") or 0x1p3 (parsed as 1 with trailing garbage "p3")
+ * - non-finite values, such as inf or NaN
*
* The end pointer will be returned in *end, if not NULL. If there is
* no fraction, the input can be decimal or hexadecimal; if there is a
@@ -220,22 +223,17 @@ static int do_strtosz(const char *nptr, const char **end,
uint64_t *result)
{
int retval;
- const char *endptr, *f;
+ const char *endptr;
unsigned char c;
- uint64_t val, valf = 0;
+ uint64_t val = 0, valf = 0;
int64_t mul;
/* Parse integral portion as decimal. */
retval = qemu_strtou64(nptr, &endptr, 10, &val);
- if (retval) {
+ if (retval == -ERANGE || !nptr) {
goto out;
}
- if (memchr(nptr, '-', endptr - nptr) != NULL) {
- endptr = nptr;
- retval = -EINVAL;
- goto out;
- }
- if (val == 0 && (*endptr == 'x' || *endptr == 'X')) {
+ if (retval == 0 && val == 0 && (*endptr == 'x' || *endptr == 'X')) {
/* Input looks like hex; reparse, and insist on no fraction or suffix. */
retval = qemu_strtou64(nptr, &endptr, 16, &val);
if (retval) {
@@ -246,27 +244,66 @@ static int do_strtosz(const char *nptr, const char **end,
retval = -EINVAL;
goto out;
}
- } else if (*endptr == '.') {
+ } else if (*endptr == '.' || (endptr == nptr && strchr(nptr, '.'))) {
/*
* Input looks like a fraction. Make sure even 1.k works
- * without fractional digits. If we see an exponent, treat
- * the entire input as invalid instead.
+ * without fractional digits. strtod tries to treat 'e' as an
+ * exponent, but we want to treat it as a scaling suffix;
+ * doing this requires modifying a copy of the fraction.
*/
- double fraction;
+ double fraction = 0.0;
- f = endptr;
- retval = qemu_strtod_finite(f, &endptr, &fraction);
- if (retval) {
+ if (retval == 0 && *endptr == '.' && !isdigit(endptr[1])) {
+ /* If we got here, we parsed at least one digit already. */
endptr++;
- } else if (memchr(f, 'e', endptr - f) || memchr(f, 'E', endptr - f)) {
- endptr = nptr;
- retval = -EINVAL;
- goto out;
} else {
- /* Extract into a 64-bit fixed-point fraction. */
+ char *e;
+ const char *tail;
+ g_autofree char *copy = g_strdup(endptr);
+
+ e = strchr(copy, 'e');
+ if (e) {
+ *e = '\0';
+ }
+ e = strchr(copy, 'E');
+ if (e) {
+ *e = '\0';
+ }
+ /*
+ * If this is a floating point, we are guaranteed that '.'
+ * appears before any possible digits in copy. If it is
+ * not a floating point, strtod will fail. Either way,
+ * there is now no exponent in copy, so if it parses, we
+ * know 0.0 <= abs(result) <= 1.0 (after rounding), and
+ * ERANGE is only possible on underflow which is okay.
+ */
+ retval = qemu_strtod_finite(copy, &tail, &fraction);
+ endptr += tail - copy;
+ }
+
+ /* Extract into a 64-bit fixed-point fraction. */
+ if (fraction == 1.0) {
+ if (val == UINT64_MAX) {
+ retval = -ERANGE;
+ goto out;
+ }
+ val++;
+ } else if (retval == -ERANGE) {
+ /* See comments above about underflow */
+ valf = 1;
+ retval = 0;
+ } else {
valf = (uint64_t)(fraction * 0x1p64);
}
}
+ if (retval) {
+ goto out;
+ }
+ if (memchr(nptr, '-', endptr - nptr) != NULL) {
+ endptr = nptr;
+ retval = -EINVAL;
+ goto out;
+ }
c = *endptr;
mul = suffix_mul(c, unit);
if (mul > 0) {
--
2.40.1
next prev parent reply other threads:[~2023-05-08 20:05 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-08 20:03 [PATCH 00/11] Fix qemu_strtosz() read-out-of-bounds Eric Blake
2023-05-08 20:03 ` [PATCH 01/11] test-cutils: Avoid g_assert in unit tests Eric Blake
2023-05-08 20:03 ` [PATCH 02/11] test-cutils: Use g_assert_cmpuint where appropriate Eric Blake
2023-05-08 20:03 ` [PATCH 03/11] test-cutils: Test integral qemu_strto* value on failures Eric Blake
2023-05-08 20:03 ` [PATCH 04/11] test-cutils: Add coverage of qemu_strtod Eric Blake
2023-05-08 20:03 ` [PATCH 05/11] test-cutils: Prepare for upcoming semantic change in qemu_strtosz Eric Blake
2023-05-08 20:03 ` [PATCH 06/11] test-cutils: Add more coverage to qemu_strtosz Eric Blake
2023-05-09 12:31 ` Hanna Czenczek
2023-05-09 12:42 ` Hanna Czenczek
2023-05-09 16:06 ` Eric Blake
2023-05-09 15:15 ` Hanna Czenczek
2023-05-09 15:50 ` Eric Blake
2023-05-09 16:10 ` Eric Blake
2023-05-08 20:03 ` [PATCH 07/11] numa: Check for qemu_strtosz_MiB error Eric Blake
2023-05-08 21:15 ` Eric Blake
2023-05-08 20:03 ` [PATCH 08/11] cutils: Set value in all qemu_strtosz* error paths Eric Blake
2023-05-08 20:03 ` [PATCH 09/11] cutils: Set value in all integral qemu_strto* " Eric Blake
2023-05-08 20:03 ` [PATCH 10/11] cutils: Improve qemu_strtod* " Eric Blake
2023-05-08 20:03 ` Eric Blake [this message]
2023-05-08 21:21 ` [PATCH 11/11] cutils: Improve qemu_strtosz handling of fractions Eric Blake
2023-05-09 17:54 ` Hanna Czenczek
2023-05-09 21:28 ` Eric Blake
2023-05-10 7:46 ` Hanna Czenczek
2023-05-10 7:48 ` Hanna Czenczek
2023-05-09 17:55 ` [PATCH 00/11] Fix qemu_strtosz() read-out-of-bounds Hanna Czenczek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230508200343.791450-12-eblake@redhat.com \
--to=eblake@redhat.com \
--cc=hreitz@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).