Title: _PyTime_FromDouble() fails to detect an integer overflow when converting a C double to a C int64_t
Type: behavior Stage: patch review
Components: Versions: Python 3.8, Python 3.7
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: benjamin.peterson, graingert, skrah, tim.peters, vstinner
Priority: normal Keywords: patch

Created on 2020-01-09 14:43 by graingert, last changed 2020-06-25 09:57 by skrah.

Pull Requests
URL Status Linked Edit
PR 17933 open vstinner, 2020-01-10 09:51
Messages (7)
msg359682 - (view) Author: Thomas Grainger (graingert) * Date: 2020-01-09 14:43
_PyTime_FromDouble() fails to detect an integer overflow when converting a C double to a C int64_t

Python 3.7.5 (default, Nov 20 2019, 09:21:52) 
[GCC 9.2.1 20191008] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import time
>>> time.sleep(9223372036.854777)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: sleep length must be non-negative
msg359683 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-01-09 14:52
It's a bug in _PyTime_FromDouble() which fails to detect the integer overflow when casting a C double to a C _PyTime_T (int64_t): bug in _Py_InIntegralTypeRange(_PyTime_t, d) where d is a C double.

On my Fedora 31, double is a 64-bit IEEE 754 float, _PyTime_t is int64_t (64-bit signed integer).

_PyTime_t maximum is 9223372036854775807. But casted as C double, it becomes 9223372036854775808:

>>> int(float(9223372036854775807))
msg359710 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-01-10 08:23
_PyTime_FromDouble() checks if!(_Py_DoubleInIntegralTypeRange(_PyTime_t, d)) with the macro:

#define _Py_InIntegralTypeRange(type, v) (_Py_IntegralTypeMin(type) <= v && v <= _Py_IntegralTypeMax(type))

and _Py_IntegralTypeMax(type)=2**63-1.

"v <= _Py_IntegralTypeMax(type)" compares a C double to a C int64_t: the compiler casts the C int64_t to a C double.

The problem is that 2**63-1 casted to a C double rounds using ROUND_HALF_EVEN rounding mode which gives a number *greater* than 2**63-1: we get 2**63.

To implement "v <= max", we have to round max towards zero (ROUND_DOWN), not round it using ROUND_HALF_EVEN.

I didn't find a way to control the rounding mode of casting C int64_t to C double, but we can round it *afterwards* using nextafter(max, 0.0) (ROUND_DOWN).
msg359728 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-01-10 15:03
Similar issue in HHVM:

msg364021 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-03-12 14:02
Oh, clang on FreeBSD spotted a similar bug in float.__trunc__()!

static PyObject *
float___trunc___impl(PyObject *self)
/*[clinic end generated code: output=dd3e289dd4c6b538 input=591b9ba0d650fdff]*/
    double x = PyFloat_AsDouble(self);
    double wholepart;           /* integral portion of x, rounded toward 0 */

    (void)modf(x, &wholepart);
    /* Try to get out cheap if this fits in a Python int.  The attempt
     * to cast to long must be protected, as C doesn't define what
     * happens if the double is too big to fit in a long.  Some rare
     * systems raise an exception then (RISCOS was mentioned as one,
     * and someone using a non-default option on Sun also bumped into
     * that).  Note that checking for >= and <= LONG_{MIN,MAX} would
     * still be vulnerable:  if a long has more bits of precision than
     * a double, casting MIN/MAX to double may yield an approximation,
     * and if that's rounded up, then, e.g., wholepart=LONG_MAX+1 would
     * yield true from the C expression wholepart<=LONG_MAX, despite
     * that wholepart is actually greater than LONG_MAX.
    if (LONG_MIN < wholepart && wholepart < LONG_MAX) {  /* <=== HERE */
        const long aslong = (long)wholepart;
        return PyLong_FromLong(aslong);
    return PyLong_FromDouble(wholepart);

Objects/floatobject.c:881:45: warning: implicit conversion from 'long' to 'double' changes value from 9223372036854775807 to 9223372036854775808
    if (LONG_MIN < wholepart && wholepart < LONG_MAX) {
                                          ~ ^~~~~~~~
/usr/include/sys/limits.h:64:18: note: expanded from macro 'LONG_MAX'
#define LONG_MAX        __LONG_MAX      /* max for a long */
/usr/include/x86/_limits.h:64:20: note: expanded from macro '__LONG_MAX'
#define __LONG_MAX      0x7fffffffffffffff      /* max for a long */
1 warning generated.
msg372294 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2020-06-24 23:30
Is it a bug in float.__trunc__()? It seems to me that the detailed comment accounts for case of rounding up.

That's why < is used instead of <=.
msg372335 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2020-06-25 09:57
C99, Real floating and integer:

When a value of integer type is converted to a real floating type, if the value being
converted can be represented exactly in the new type, it is unchanged. If the value being
converted is in the range of values that can be represented but cannot be represented

exactly, the result is either the nearest higher or nearest lower representable value, chosen
in an implementation-defined manner. If the value being converted is outside the range of
values that can be represented, the behavior is undefined.

So int64_t => double is implementation defined, but not undefined.

float___trunc___impl() looks correct to me (of course we can squash
that warning).
Date User Action Args
2020-06-25 09:57:05skrahsetmessages: + msg372335
2020-06-24 23:30:30skrahsetnosy: + skrah, tim.peters
messages: + msg372294
2020-03-12 14:02:30vstinnersetmessages: + msg364021
2020-01-10 15:03:44vstinnersetmessages: + msg359728
2020-01-10 09:51:13vstinnersetkeywords: + patch
stage: patch review
pull_requests: + pull_request17338
2020-01-10 08:23:22vstinnersetmessages: + msg359710
2020-01-09 15:02:52graingertsetversions: - Python 2.7
2020-01-09 14:52:07vstinnersetnosy: + benjamin.peterson
messages: + msg359683
2020-01-09 14:43:45graingertcreate