Re: LuaJIT FFI: Semantics of undefined numeric conversions (e.g. huge double to int)

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: LuaJIT FFI: Semantics of undefined numeric conversions (e.g. huge double to int)
From: Philipp Kutin <p@...>
Date: Mon, 19 Sep 2011 18:00:03 +0200


On 09/19/2011 12:39 AM, Mike Pall wrote:

Umm, why? If the scripts originate from the same trust domain,
there's no point in adding any restrictions. You can blow up
memory or cause a hang (not caught by hooks) just with the
standard Lua library. And if the scripts are untrusted, better
watch out -- a truly perfect sandbox for Lua is hard.

The scripts are coded by gamers who wish to extend the functionality ofthe game, so it's not at the same trust level as the engine/game C code.The sandbox isn't so much supposed to be hardened against maliciousattacks, but operations visible to the script coder should definitely beconsistent across platforms and versions.

It relies on C and/or machine code to do the conversion, so it has
the same amount of 'undefinedness'.

Actually, I can guarantee that it doesn't cause an exception. But
the result for undefined inputs is definitely platform-dependent.
It could be anything, e.g. 0, INT_MIN, INT_MAX or a random result,
depending on the input.

OK, that's good to know, even though it means that pretty much allfunctions will have to be wrapped.

Truncation means rounding towards zero: 1.5 ->  1, -1.5 ->  -1

This doesn't say anything about out-of-range inputs. But at the
top of the semantics page it says that it follows the C standard
wherever possible, so out-of-range inputs are undefined.

Yeah, I figured that after my post, but still, the documentation doesn'texplicitly mention that carrying out C-undefined conversions givesundefined results. In fact, it suggests otherwise if you search for"undefined":


[quote]

Indexing a pointer/array: (...) An error is raised if the element sizeis undefined or a write access to a constant element is attempted.

Pointer arithmetic: (...) An error is raised if the element size isundefined.

64 bit integer arithmetic: (...) The undefined cases for the division,modulo and power operators return 2LL ^ 63 or 2ULL ^ 63.

[/quote]

Especially the last might suggest to a reader that all invalidconversions are somehow trapped and produce a special constant, andphrasings like "These conversion rules are *more or less* the same asthe standard C conversion rules" add to the uncertainty.


So, can something like the following be added to the spec?:

"

... it closely follows the C language semantics, wherever possible.Specifically, <this and that> should be considered undefined behaviouras per C standard.

It would give a lot more comfort to have this explicitly spelled out tobone-headed people like me :)



--Philipp

Follow-Ups:
- Re: LuaJIT FFI: Semantics of undefined numeric conversions (e.g. huge double to int), Mike Pall

References:
- LuaJIT FFI: Semantics of undefined numeric conversions (e.g. huge double to int), Philipp Kutin
- Re: LuaJIT FFI: Semantics of undefined numeric conversions (e.g. huge double to int), Mike Pall

Prev by Date: Re: [PROPOSAL] Looking for contributors to write a modular book on Lua in French
Next by Date: Re: [PROPOSAL] Looking for contributors to write a modular book on Lua in French
Previous by thread: Re: LuaJIT FFI: Semantics of undefined numeric conversions (e.g. huge double to int)
Next by thread: Re: LuaJIT FFI: Semantics of undefined numeric conversions (e.g. huge double to int)
Index(es):
- Date
- Thread