Slashdot Mirror

← Back to Stories (view on slashdot.org)

Java Floating Point Bug Can Lock Up Servers

Posted by Roblimo on from the here-a-bug-there-a-bug-everywhere-a-bug-bug dept.

An anonymous reader writes "Here we go again: Just like the recently-reported PHP Floating Point Bug causes servers to go into infinite loops when parsing certain double-precision floating-point numbers, Sun/Oracle's JVM does it, too. It gets better: you can lock up a thread on most servers just by sending a particular header value. Sun/Oracle has known about the bug for something like 10 years, but it's still not fixed. Java Servlet containers are patching to avoid the problem, but application code will still be vulnerable to user input."

10 of 157 comments (clear)

  1. Bullshit! by Anonymous Coward · · Score: 4, Funny

    Java is a secure virtual machine environment. Programs never crash and low level errors like pointer or memory problems are impossible. There is no way this floating point thing is real.

    Java is the future and you are retarded. Java is the fastest programming language ever invented, that's why it's the primary language we learn and teach in school.

    I have been a HTML programmer for many years, I know what I'm talking about.

    1. Re:Bullshit! by the+Atomic+Rabbit · · Score: 4, Funny

      There is no way this floating point thing is real.

      It has to be real. Java lacks built-in support for complex numbers.

  2. Re:About face! by sixfive0two · · Score: 3, Informative

    Actually, it's already fixed: Oracle has released a fix for this issue through Security Alert CVE-2010-4476. For more information see: http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html

  3. Re:Unless... by gstrickler · · Score: 3, Insightful

    Aren't Adobe products were simply a collection of bugs, artfully put together to form a useful, but slow and insecure program.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
  4. Shocked! Shocked! by curmudgeon99 · · Score: 4, Funny

    As a more than decade-long Java programmer, I must say that I am shocked! Shocked! that Sun would do something like that.
    Why, I'd go so far as to predict that a company that behaved that way would find itself out of business.

    Hey, wait a second...

  5. Do NOT try this by c0lo · · Score: 3, Funny
    Try this:

    DO... NOT... TRY... THIS...

    Don't say I haven't warned you!!!!!

    --
    Questions raise, answers kill. Raise questions to stay alive.
  6. Fixed available by Wookie+Monster · · Score: 5, Informative

    Oracle has posted a fix for the bug, in the form of a patch. Official releases will be available next week. http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html

  7. It is not the JVM .... by Chrisq · · Score: 5, Insightful

    The article makes it clear that the problem is in FloatingDecimal.java. It is converting decimal strings to floating point numbers - fp arithmetic is fine!

    1. Re:It is not the JVM .... by CynicTheHedgehog · · Score: 3, Informative

      I haven't used floats or doubles in a long time. From a business perspective (think monetary values) it almost always makes more sense to use BigDecimal and apply rounding rules, particularly if those values are stored in a database where scale and precision are known or required. I would imagine the same would be true for scientific values, GIS coordinates, etc. (anything with a known precision). The only use for float/double that comes to mind is something where absolute precision isn't critical and speed is important, such as graphics/physics calculations for games, in which case you generally wouldn't be parsing user-entered values anyway.

      Also, the default/packaged JSF numeric input converters produce either Long or BigDecimal values (per spec) depending on whether a decimal is present, so this should only affect a very small subset of use cases that are easily patched or avoided (old JSP/servlet code, Struts, etc.)

  8. Re:About face! by petermgreen · · Score: 3, Insightful

    Yeah bugs that pop up every so often to end users (and are common enough or reported by trusted enough users that they can't just by dismissed as coming from liers/trolls) but only pop up sporadically and/or only pop up on certain systems are a big problem for developers. With no reliable way to reproduce a bug it is almost impossible to fix it.

    Even more irritating are the bugs that dissapear as soon as you try to use a debugger.

    The firefox memory and CPU usage issues are good examples of this. Way too many users reported them to dismiss them as a lie or fluke but there was no set of steps to reproduce. Every so often one cause was found and squashed but they kept coming up for years and may still be doing so (I still see firefox crash for no apparent reason and it wouldn't surprise me if the cause is running out of address space).

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register