From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp-out-no.shaw.ca (smtp-out-no.shaw.ca [64.59.134.13]) by sourceware.org (Postfix) with ESMTPS id C77023840C34 for ; Sun, 14 Jun 2020 17:40:55 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org C77023840C34 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=SystematicSw.ab.ca Authentication-Results: sourceware.org; spf=none smtp.mailfrom=brian.inglis@systematicsw.ab.ca Received: from [192.168.1.104] ([24.64.172.44]) by shaw.ca with ESMTP id kWcnjxXJlng7KkWcojIzfh; Sun, 14 Jun 2020 11:40:55 -0600 X-Authority-Analysis: v=2.3 cv=ecemg4MH c=1 sm=1 tr=0 a=kiZT5GMN3KAWqtYcXc+/4Q==:117 a=kiZT5GMN3KAWqtYcXc+/4Q==:17 a=IkcTkHD0fZMA:10 a=N54-gffFAAAA:8 a=OensOVJAAAAA:8 a=BzNatNYeAAAA:20 a=UaxpsevbhV85qK0kylkA:9 a=QEXdDO2ut3YA:10 a=6l0D2HzqY3Epnrm8mE3f:22 Reply-To: newlib@sourceware.org Subject: Re: undefined references since newlib-3.2.0 To: newlib@sourceware.org References: <87pna2hog9.fsf@keithp.com> <20200614145006.GG15174@raven.inka.de> <87k109h96z.fsf@keithp.com> From: Brian Inglis Autocrypt: addr=Brian.Inglis@SystematicSw.ab.ca; prefer-encrypt=mutual; keydata= mDMEXopx8xYJKwYBBAHaRw8BAQdAnCK0qv/xwUCCZQoA9BHRYpstERrspfT0NkUWQVuoePa0 LkJyaWFuIEluZ2xpcyA8QnJpYW4uSW5nbGlzQFN5c3RlbWF0aWNTdy5hYi5jYT6IlgQTFggA PhYhBMM5/lbU970GBS2bZB62lxu92I8YBQJeinHzAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQW AgMBAh4BAheAAAoJEB62lxu92I8Y0ioBAI8xrggNxziAVmr+Xm6nnyjoujMqWcq3oEhlYGAO WacZAQDFtdDx2koSVSoOmfaOyRTbIWSf9/Cjai29060fsmdsDLg4BF6KcfMSCisGAQQBl1UB BQEBB0Awv8kHI2PaEgViDqzbnoe8B9KMHoBZLS92HdC7ZPh8HQMBCAeIfgQYFggAJhYhBMM5 /lbU970GBS2bZB62lxu92I8YBQJeinHzAhsMBQkJZgGAAAoJEB62lxu92I8YZwUBAJw/74rF IyaSsGI7ewCdCy88Lce/kdwX7zGwid+f8NZ3AQC/ezTFFi5obXnyMxZJN464nPXiggtT9gN5 RSyTY8X+AQ== Organization: Systematic Software Message-ID: Date: Sun, 14 Jun 2020 11:40:53 -0600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0 MIME-Version: 1.0 In-Reply-To: <87k109h96z.fsf@keithp.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-CA Content-Transfer-Encoding: 7bit X-CMAE-Envelope: MS4wfMalFIkqtTowu+XSW3S1u7FtcOpIDRDrw7Njs7Op6SRwujDXj8Xt1K9ZrOS8V6/T5iWvtTX/PvXVFutJKa6omMeMvLzq0uEH9jQOudr0q0mFvG/lc2md rRGNF6Oe14ESw5jW8Ea7gY56SkDbicf2lSfZQK8k9LRErm5TjQVycayRS9+jS955qJGtDdYzfhfzAQ== X-Spam-Status: No, score=-11.3 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, KAM_LAZY_DOMAIN_SECURITY, KAM_NUMSUBJECT, KAM_SHORT, RCVD_IN_DNSWL_LOW, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=no autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: newlib@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Newlib mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Jun 2020 17:40:57 -0000 On 2020-06-14 11:02, Keith Packard via Newlib wrote: > Josef Wolf writes: >>> atof >>> atoff >>> [ ... ] >>> strtod >>> strtof >>> strtold >>> wcstod >>> wcstold >>> strtodg >> Uh! Why on earth would those functions need to allocate memory? > Because they are performing string to float conversions using code > written in 1991 by David Gay, based on research done by Will Clinger > which shows that exact conversion from arbitrary strings of decimal > digits to fixed precision binary requires arbitrary precision > arithmetic. > https://dl.acm.org/doi/10.1145/93548.93557 >>> These now return infinity and set errno to ERANGE on allocation >>> failure. (not ideal, but the options are limited) >>> Here are some which do return a pointer, but do not document any errors: >>> ecvt >>> fcvt >> Maybe the documentation can be fixed? > The documentation is based on a standard, and fixing that standard > involves a bit of process... >>> gcvt >>> ecvtbuf >>> fcvtbuf >>> gcvtbuf >> Those get a pointer passed. No need to allocate memory. > These functions are using code also written by David Gay to perform > float to string conversion, based on research done by Guy Steele and Jon > White in how to print floating point numbers accurately (which happened > to be presented at the same conference as the work above!). In this > work, they showed that exact conversion could be done using 1050 bit > arithmetic to generate a 64-bit double result: > https://dl.acm.org/doi/10.1145/93548.93559 > David Gay's code in newlib for both directions uses arbitrary precision > arithmetic code found in newlib/libc/stdlib/mprec.c. This code allocates > variable sized arrays of integers on the heap to hold all of the values. > Before the eBalloc patch, none of these allocations were checked, > leading to a rather long list of CVEs as the code could end up storing > through a NULL pointer, which can cause security problems on some > architectures. >>> And here's a list of functions which I feel reasonable applications >>> should not expect an allocation error from: >> I don't think any application should expect those functions to call exit() >> and/or abort() either. > I'm in complete agreement here. It's better to return an error that an > application *might* check than to not give it any chance to recover at > all. >>> sprintf >>> snprintf >> Those should return -1 on failure. >>> sscanf >> For this, ENOMEM is documented. > Yes, but as I suggested, applications probably aren't expecting a call > to sscanf to return EOF and set errno to ENOMEM. > The real answer to your concerns is to replace the old arbitrary > precision based float/string conversion code with code that uses results > from new research by Ulf Adams. > That research improves on Steel & White by reducing the precision > required for exact 64-bit float to string conversion from 1050 bits to > 128 bits. Adams also presents an algorithm using a similar technique to > perform (a slightly weaker form of) exact string to float conversion in > the same precision: > https://dl.acm.org/citation.cfm?doid=3296979.3192369 Paper is available: https://www.researchgate.net/publication/329410883_Ryu_fast_float-to-string_conversion/link/5c073a3292851c6ca1ff1bdb/download > This reasonably small fixed precision can be statically allocated in > memory, or allocated on the stack. Either of these solutions eliminates > the use of the dynamic heap through malloc, and eliminates the need to > change the specification of all of these functions to account for the > heap usage in the existing newlib code. > Ulf Adams also published code to implement this algorithm on github: > https://github.com/ulfjack/ryu > I've ported this code to picolibc, a fork of newlib designed for > embedded systems. That library has an alternate stdio implementation > that doesn't need to use malloc, and it made sense to add this > malloc-free float/string conversion code to that (the previous > float/string conversion code in this implementation was not exact). When > compiled using that code, picolibc will not return errors from malloc > failures in the above cases because it does not call malloc in those > code paths. > The picolibc source repository also includes the stdio code from newlib > which can be used in place of the default picolibc stdio code by setting > a build option. That code has been modified to catch allocation > failures and return the failures above. I did that in case someone > wanted to use the original stdio code as I felt even this non-default > code should not expose applications to arbitrary calls to abort from > inside the library. I believe this code should be ported back to newlib > so that at least newlib wouldn't call abort. Even better would be to > have someone take a look at the Ryu paper and code and make that work in > newlib. > (The definition of 'exact' used in Ulf Adams work offers the guarantee > that you can print any floating point value, and then re-read that > string to exactly reproduce the original floating point value in > memory. This is weaker than what Clinger's research used; in that work, > the goal was to generate the floating point value closest to an > arbitrary string of decimal digits.) What are the accuracy tradeoffs, if any, vs memory vs time? Should both approaches be retained for flexibility and reproducibility? Hopefully any new approach added will be implemented as reentrant functions, using externally supplied memory if required, and some interfaces may provide that memory statically allocated. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. [Data in IEC units and prefixes, physical quantities in SI.]