[libc++] Fix potential OOB in poisson_distribution

See details in the original Chromium bug report:
    https://bugs.chromium.org/p/chromium/issues/detail?id=994957
Louis Dionne 2019-11-07 12:06:14 +00:00
parent 69ce2ae990
commit 0ec6a4882e
3 changed files with 98 additions and 22 deletions


@ -4592,7 +4592,10 @@ public:
template<class _IntType> template<class _IntType>
poisson_distribution<_IntType>::param_type::param_type(double __mean) poisson_distribution<_IntType>::param_type::param_type(double __mean)
: __mean_(__mean) // According to the standard `inf` is a valid input, but it causes the
// distribution to hang, so we replace it with the maximum representable
// mean.
: __mean_(isinf(__mean) ? numeric_limits<double>::max() : __mean)
{ {
if (__mean_ < 10) if (__mean_ < 10)
{ {
@ -4610,7 +4613,7 @@ poisson_distribution<_IntType>::param_type::param_type(double __mean)
{ {
__s_ = _VSTD::sqrt(__mean_); __s_ = _VSTD::sqrt(__mean_);
__d_ = 6 * __mean_ * __mean_; __d_ = 6 * __mean_ * __mean_;
__l_ = static_cast<result_type>(__mean_ - 1.1484); __l_ = std::trunc(__mean_ - 1.1484);
__omega_ = .3989423 / __s_; __omega_ = .3989423 / __s_;
double __b1_ = .4166667E-1 / __mean_; double __b1_ = .4166667E-1 / __mean_;
double __b2_ = .3 * __b1_ * __b1_; double __b2_ = .3 * __b1_ * __b1_;
@ -4627,12 +4630,12 @@ template<class _URNG>
_IntType _IntType
poisson_distribution<_IntType>::operator()(_URNG& __urng, const param_type& __pr) poisson_distribution<_IntType>::operator()(_URNG& __urng, const param_type& __pr)
{ {
result_type __x; double __tx;
uniform_real_distribution<double> __urd; uniform_real_distribution<double> __urd;
if (__pr.__mean_ < 10) if (__pr.__mean_ < 10)
{ {
__x = 0; __tx = 0;
for (double __p = __urd(__urng); __p > __pr.__l_; ++__x) for (double __p = __urd(__urng); __p > __pr.__l_; ++__tx)
__p *= __urd(__urng); __p *= __urd(__urng);
} }
else else
@ -4642,19 +4645,19 @@ poisson_distribution<_IntType>::operator()(_URNG& __urng, const param_type& __pr
double __u; double __u;
if (__g > 0) if (__g > 0)
{ {
__x = static_cast<result_type>(__g); __tx = std::trunc(__g);
if (__x >= __pr.__l_) if (__tx >= __pr.__l_)
return __x; return std::__clamp_to_integral<result_type>(__tx);
__difmuk = __pr.__mean_ - __x; __difmuk = __pr.__mean_ - __tx;
__u = __urd(__urng); __u = __urd(__urng);
if (__pr.__d_ * __u >= __difmuk * __difmuk * __difmuk) if (__pr.__d_ * __u >= __difmuk * __difmuk * __difmuk)
return __x; return std::__clamp_to_integral<result_type>(__tx);
} }
exponential_distribution<double> __edist; exponential_distribution<double> __edist;
for (bool __using_exp_dist = false; true; __using_exp_dist = true) for (bool __using_exp_dist = false; true; __using_exp_dist = true)
{ {
double __e; double __e;
if (__using_exp_dist || __g < 0) if (__using_exp_dist || __g <= 0)
{ {
double __t; double __t;
do do
@ -4664,31 +4667,31 @@ poisson_distribution<_IntType>::operator()(_URNG& __urng, const param_type& __pr
__u += __u - 1; __u += __u - 1;
__t = 1.8 + (__u < 0 ? -__e : __e); __t = 1.8 + (__u < 0 ? -__e : __e);
} while (__t <= -.6744); } while (__t <= -.6744);
__x = __pr.__mean_ + __pr.__s_ * __t; __tx = std::trunc(__pr.__mean_ + __pr.__s_ * __t);
__difmuk = __pr.__mean_ - __x; __difmuk = __pr.__mean_ - __tx;
__using_exp_dist = true; __using_exp_dist = true;
} }
double __px; double __px;
double __py; double __py;
if (__x < 10) if (__tx < 10 && __tx >= 0)
{ {
const double __fac[] = {1, 1, 2, 6, 24, 120, 720, 5040, const double __fac[] = {1, 1, 2, 6, 24, 120, 720, 5040,
40320, 362880}; 40320, 362880};
__px = -__pr.__mean_; __px = -__pr.__mean_;
__py = _VSTD::pow(__pr.__mean_, (double)__x) / __fac[__x]; __py = _VSTD::pow(__pr.__mean_, (double)__tx) / __fac[static_cast<int>(__tx)];
} }
else else
{ {
double __del = .8333333E-1 / __x; double __del = .8333333E-1 / __tx;
__del -= 4.8 * __del * __del * __del; __del -= 4.8 * __del * __del * __del;
double __v = __difmuk / __x; double __v = __difmuk / __tx;
if (_VSTD::abs(__v) > 0.25) if (_VSTD::abs(__v) > 0.25)
__px = __x * _VSTD::log(1 + __v) - __difmuk - __del; __px = __tx * _VSTD::log(1 + __v) - __difmuk - __del;
else else
__px = __x * __v * __v * (((((((.1250060 * __v + -.1384794) * __px = __tx * __v * __v * (((((((.1250060 * __v + -.1384794) *
__v + .1421878) * __v + -.1661269) * __v + .2000118) * __v + .1421878) * __v + -.1661269) * __v + .2000118) *
__v + -.2500068) * __v + .3333333) * __v + -.5) - __del; __v + -.2500068) * __v + .3333333) * __v + -.5) - __del;
__py = .3989423 / _VSTD::sqrt(__x); __py = .3989423 / _VSTD::sqrt(__tx);
} }
double __r = (0.5 - __difmuk) / __pr.__s_; double __r = (0.5 - __difmuk) / __pr.__s_;
double __r2 = __r * __r; double __r2 = __r * __r;
@ -4708,7 +4711,7 @@ poisson_distribution<_IntType>::operator()(_URNG& __urng, const param_type& __pr
} }
} }
} }
return __x; return std::__clamp_to_integral<result_type>(__tx);
} }
template <class _CharT, class _Traits, class _IntType> template <class _CharT, class _Traits, class _IntType>
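Review bot: The new initializer in `param_type(double __mean)` tests `isinf(__mean)`, which is also true for negative infinity, so a mean of `-inf` becomes `numeric_limits<double>::max()` while a finite negative mean is stored unchanged. The comment above it only justifies the substitution for `inf` as a valid input, so I would restrict it to the positive case: `: __mean_(__mean == numeric_limits<double>::infinity() ? numeric_limits<double>::max() : __mean)`. A NaN mean is still stored as-is; since `__mean_ < 10` is false for NaN it takes the large-mean branch, and it appears able to reach `std::__clamp_to_integral` as NaN, whose handling is not visible on this page. That case deserves either a line in the comment stating it is a precondition violation or a case in the bad-range test. The constructor body and `operator()` both continue outside the hunks shown.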


@ -30,6 +30,16 @@ sqr(T x)
return x * x; return x * x;
} }
void test_small_inputs() {
std::mt19937 engine;
std::geometric_distribution<std::int16_t> distribution(5.45361e-311);
typedef std::geometric_distribution<std::int16_t>::result_type result_type;
for (int i = 0; i < 1000; ++i) {
volatile result_type res = distribution(engine);
((void)res);
}
}
void void
test1() test1()
{ {
@ -296,6 +306,7 @@ int main(int, char**)
test4(); test4();
test5(); test5();
test6(); test6();
test_small_inputs();
return 0; return 0;
} }
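Review bot: `test_small_inputs` carries no comment explaining why `5.45361e-311` is the probability under test or which defect it guards, so a later reader cannot tell that the exact value matters. The value is a subnormal double, and the test presumably reaches the patched `poisson_distribution` code through `geometric_distribution`'s implementation, but nothing on the page says so. If that is the path, I would add above the function something like `// p is subnormal, which pushes the internally generated mean far beyond int16_t; regression test for Chromium issue 994957.` It would also help to state that the loop only checks that sampling returns without a memory error, since `res` is never compared against anything.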


@ -30,6 +30,67 @@ sqr(T x)
return x * x; return x * x;
} }
void test_bad_ranges() {
// Test cases where the mean is around the largest representable integer for
// `result_type`. These cases don't generate valid poisson distributions, but
// at least they don't blow up.
std::mt19937 eng;
{
std::poisson_distribution<std::int16_t> distribution(32710.9);
for (int i=0; i < 1000; ++i) {
volatile std::int16_t res = distribution(eng);
((void)res);
}
}
{
std::poisson_distribution<std::int16_t> distribution(std::numeric_limits<std::int16_t>::max());
for (int i=0; i < 1000; ++i) {
volatile std::int16_t res = distribution(eng);
((void)res);
}
}
{
std::poisson_distribution<std::int16_t> distribution(
static_cast<double>(std::numeric_limits<std::int16_t>::max()) + 10);
for (int i=0; i < 1000; ++i) {
volatile std::int16_t res = distribution(eng);
((void)res);
}
}
{
std::poisson_distribution<std::int16_t> distribution(
static_cast<double>(std::numeric_limits<std::int16_t>::max()) * 2);
for (int i=0; i < 1000; ++i) {
volatile std::int16_t res = distribution(eng);
((void)res);
}
}
{
// We convert `INF` to `DBL_MAX` otherwise the distribution will hang.
std::poisson_distribution<std::int16_t> distribution(std::numeric_limits<double>::infinity());
for (int i=0; i < 1000; ++i) {
volatile std::int16_t res = distribution(eng);
((void)res);
}
}
{
std::poisson_distribution<std::int16_t> distribution(0);
for (int i=0; i < 1000; ++i) {
volatile std::int16_t res = distribution(eng);
((void)res);
}
}
{
// We convert `INF` to `DBL_MAX` otherwise the distribution will hang.
std::poisson_distribution<std::int16_t> distribution(-100);
for (int i=0; i < 1000; ++i) {
volatile std::int16_t res = distribution(eng);
((void)res);
}
}
}
int main(int, char**) int main(int, char**)
{ {
{ {
@ -150,5 +211,6 @@ int main(int, char**)
assert(std::abs((kurtosis - x_kurtosis) / x_kurtosis) < 0.01); assert(std::abs((kurtosis - x_kurtosis) / x_kurtosis) < 0.01);
} }
return 0; test_bad_ranges();
return 0;
} }
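Review bot: The comment on the last case of `test_bad_ranges`, the one constructing the distribution with `-100`, is a copy of the `INF` comment two blocks earlier and does not describe that case. I would replace it with `// A negative mean is outside the distribution's domain; only check that sampling returns.` The function's leading comment also says the cases are around the largest representable integer for `result_type`, which does not cover the `0` and `-100` blocks, so it should be widened to mention out-of-domain means. As a style point, the seven blocks differ only in the mean, so a small helper taking the mean as a `double` would remove the repeated loop and make each case a single line.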