From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=7/Nl=JJ=vinc17.net=vincent@sourceware.org>
Received: from cventin.lip.ens-lyon.fr (cventin.lip.ens-lyon.fr [140.77.13.17])
	by sourceware.org (Postfix) with ESMTPS id DEE5C3858C29
	for <libc-alpha@sourceware.org>; Wed, 31 Jan 2024 16:23:03 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org DEE5C3858C29
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=vinc17.net
Authentication-Results: sourceware.org; spf=none smtp.mailfrom=vinc17.net
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org DEE5C3858C29
Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=140.77.13.17
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1706718185; cv=none;
	b=ijLMOgeLxquHzlFxxSexJKwBgdpHH8JLxpSb6OJPPEOwW4JoHuZp5LIj9ZvFp/aNeuKtX2wGUS7swhTDmFH3ucq4LdQUy3E4P9RE+hO6lMZKR8RLjNX/9rVHjL3f+AGY5VNqRJ2mhmOnmHLksp641enr0+kFpNF+AxJRW4DfcUA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1706718185; c=relaxed/simple;
	bh=FXy1D23cWFRw89U3gJl4MMjaUBvmwaFc3P/xPd2rV5k=;
	h=Date:From:To:Subject:Message-ID:MIME-Version; b=c18m6p0nA2ulcn7MclE/xid4FPPPNZb4Tb9LhZtzhluQDJYQLVQvgnETANnFf8trl4E9dD/qZDlGQZC5T1nNwzLE72nLFM8XFc2cBMie6rVU1J0SC7+cdeYbQXkTyf908nYOHGJgwsRUzMf6RGNW1s2udwHHbterHEbZwK1uywk=
ARC-Authentication-Results: i=1; server2.sourceware.org
Received: from vlefevre by cventin.lip.ens-lyon.fr with local (Exim 4.97)
	(envelope-from <vincent@vinc17.net>)
	id 1rVDMc-00000000CwK-2xaW;
	Wed, 31 Jan 2024 17:23:02 +0100
Date: Wed, 31 Jan 2024 17:23:02 +0100
From: Vincent Lefevre <vincent@vinc17.net>
To: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
Cc: Xi Ruoyao <xry111@xry111.site>,
	Turritopsis Dohrnii Teo En Ming <teo.en.ming@protonmail.com>,
	"libc-alpha@sourceware.org" <libc-alpha@sourceware.org>,
	"ceo@teo-en-ming-corp.com" <ceo@teo-en-ming-corp.com>
Subject: Re: New GNU C Library (glibc) security flaw reported on 30 Jan 2024
Message-ID: <20240131162302.GC2102@cventin.lip.ens-lyon.fr>
Mail-Followup-To: Vincent Lefevre <vincent@vinc17.net>,
	Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>,
	Xi Ruoyao <xry111@xry111.site>,
	Turritopsis Dohrnii Teo En Ming <teo.en.ming@protonmail.com>,
	"libc-alpha@sourceware.org" <libc-alpha@sourceware.org>,
	"ceo@teo-en-ming-corp.com" <ceo@teo-en-ming-corp.com>
References: <vCs-fh6jYIOa_9Ru0H0tlrhIOOu811b3JBhYJsT4tZsBJWVmBR06ttykt_pmw9clWd8zNsiSIShRyYjpq7muFtpVYBGfMvvhB3Kk8-AfUEE=@protonmail.com>
 <b6e0bf7d3e0376b37861226cb84e7eca190beb78.camel@xry111.site>
 <20240131145555.GB2102@cventin.lip.ens-lyon.fr>
 <c622583d-a7f5-45ad-8195-0d8238469823@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <c622583d-a7f5-45ad-8195-0d8238469823@linaro.org>
X-Mailer-Info: https://www.vinc17.net/mutt/
User-Agent: Mutt/2.2.12+69 (354c5b11) vl-149028 (2023-12-10)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,KAM_DMARC_STATUS,KAM_LAZY_DOMAIN_SECURITY,SPF_HELO_NONE,SPF_NONE,TXREP,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <libc-alpha.sourceware.org>

On 2024-01-31 12:52:35 -0300, Adhemerval Zanella Netto wrote:
> On 31/01/24 11:55, Vincent Lefevre wrote:
[...]
> > This is what the ISO C standard says. But the glibc manual explicitly
> > allows non-transitive comparators.
> > 
> > See the example in 9.1 Defining the Comparison Function:
> > 
> >    Here is an example of a comparison function which works with an array
> > of numbers of type ‘double’:
> > 
> >      int
> >      compare_doubles (const void *a, const void *b)
> >      {
> >        const double *da = (const double *) a;
> >        const double *db = (const double *) b;
> > 
> >        return (*da > *db) - (*da < *db);
> >      }
> > 
> > The non-transitivity can be demonstrated with the following test
> > program:
> > 
> > #include <stdio.h>
> > #include <math.h>
> > 
> > int
> > compare_doubles (const void *a, const void *b)
> > {
> >   const double *da = (const double *) a;
> >   const double *db = (const double *) b;
> > 
> >   return (*da > *db) - (*da < *db);
> > }
> > 
> > int main (void)
> > {
> >   double t[3] = { 1.0, NAN, 2.0 };
> >   printf ("%d\n", compare_doubles(t+0, t+1));
> >   printf ("%d\n", compare_doubles(t+1, t+2));
> >   printf ("%d\n", compare_doubles(t+0, t+2));
> >   return 0;
> > }
> > 
> > which gives
> > 
> > 0
> > 0
> > -1
> > 
> > while the initial 0 0 implies a third 0 with a transitive comparator.
> 
> I see this is an manual issue rather than a GNU 'extension' to qsort semantic.
> And I think we should fix BZ#31322 by using a transitive comparison instead of
> trying to support such cases.

If this was intentional, users may already use such a nontransitive
comparison function. If this was not intentional, this shows that
the problem is not obvious and that users less experienced than the
glibc developers may fall in such a trap. So, in addition to make
the glibc manual clear on the subject, I think that the library
should handle such cases gracefully rather than considering that
such cases will never occur. For instance, this could be just an
indeterminate ordering. Or if the goal is to warn the user about
the issue (in case it is detected), an assertion failure instead
of indeterminate ordering.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)