gnuplot-beta

General bug - No out of bounds checking on 3D coordinates

[Ethan A M. <merritt@u.washington.edu>]

I have encountered a nasty bug that has been around since forever.
It is not obvious to me what is the best way to deal with it.

The basic problem is that the 3D mapping routine map3d_xy() in util3d.c
stuffs its output into (unsigned int) terminal coordinates.
But it does so without ever checking that the results are positive numbers.  

This may also happen with 2D plots, but if so I haven't encountered it yet.

Most of the terminal drivers simply clip the resulting absurd values,
so the error goes unnoticed.  But the pdf driver does not, and it would
be messy to do so. The illegal values are passed into routines
in libpdf, which prints an error message and then calls exit().

How should we deal with this?

- Have map3d_xy() call int_error() if the coordinates go negative?

- Have map3d_xy() siliently truncate to zero?

- Have map3d_xy() truncate, but not so silently?

- Change map3d_xy() to return floating point numbers, and have the
  caller deal with testing for negative values and then converting into
  unsigned ints afterward?

- Continue to return unsigned ints but make map3d_xy type 
  (int) rather than (void), and require that the calling routine check for
  error status in the return code?

- Leave map3d_xy() alone, and deal with it driver-by-driver, if needed?
  In the case of pdf.trm this would mean testing all coordinates passed
  to the driver.

My inclination is to silently truncate to zero, but because this is not
real clipping it can cause strange-looking output plots (extra junk
piles up along the bottom and left edge).

The cleanest is probably to return an error from map3d_xy, but since
there are roughly 100 call sites this would be a *lot* of extra code to
handle error checking.

-- 
Ethan A Merritt
Department of Biochemistry & Biomolecular Structure Center
University of Washington, Seattle

Re: General bug - No out of bounds checking on 3D coordinates

[Daniel J S. <dan...@ie...>]

Ethan A Merritt wrote:

>I have encountered a nasty bug that has been around since forever.
>It is not obvious to me what is the best way to deal with it.
>
>The basic problem is that the 3D mapping routine map3d_xy() in util3d.c
>stuffs its output into (unsigned int) terminal coordinates.
>But it does so without ever checking that the results are positive numbers.  
>
>This may also happen with 2D plots, but if so I haven't encountered it yet.
>
>Most of the terminal drivers simply clip the resulting absurd values,
>so the error goes unnoticed.  But the pdf driver does not, and it would
>be messy to do so. The illegal values are passed into routines
>in libpdf, which prints an error message and then calls exit().
>
>How should we deal with this?
>
>- Have map3d_xy() call int_error() if the coordinates go negative?
>

Hmm.  Are you referring to situations where, say, some zoom and viewing 
angle is such that coordinates go negative?  I would think that could 
happen fairly often, no?  And in some sense it really isn't an error, is it?

>- Have map3d_xy() siliently truncate to zero?
>

Don't like this one.  map3d_xy() is more of a utility type routine, and 
as such it shouldn't assume too much about the final manner in which the 
data is used.  Here is one case in point.  The image stuff has the 
option of varifying the whole grid us uniformly spaced.  Move some of 
the negative coordinates and it could possible mess up the routine. 
 Even though the final routine may never use those points, the routine 
will think it is not a uniform grid.

>- Have map3d_xy() truncate, but not so silently?
>

How do you mean?

>- Change map3d_xy() to return floating point numbers, and have the
>  caller deal with testing for negative values and then converting into
>  unsigned ints afterward?
>
>- Continue to return unsigned ints but make map3d_xy type 
>  (int) rather than (void), and require that the calling routine check for
>  error status in the return code?
>
>- Leave map3d_xy() alone, and deal with it driver-by-driver, if needed?
>  In the case of pdf.trm this would mean testing all coordinates passed
>  to the driver.
>

Can signed ints be passed back to avoid the use of floating point?  I'd 
prefer that the final routine using the numbers do the sanity check. 
 I'm wondering if, in fact, the pdf utility calls inside pdf.trm don't 
already take care of that, and if one passed a negative coordinate into 
the routines instead of a mangled unsigned coordinate it might know what 
to do, e.g., truncate a line at the border.

Dan

Re: General bug - No out of bounds checking on 3D coordinates

[Ethan A M. <merritt@u.washington.edu>]

On Sunday 04 July 2004 11:46 am, Ethan A Merritt wrote:
>
> The basic problem is that the 3D mapping routine map3d_xy() in util3d.c
> stuffs its output into (unsigned int) terminal coordinates.
> But it does so without ever checking that the results are positive numbers.
>
> This may also happen with 2D plots, but if so I haven't encountered it yet.

But now I have.
The new emf driver segfaults in arrowstyle.dem for the same reason:

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb) where
#0  0x00000000 in ?? ()
#1  0x080ab1d8 in do_arrow (sx=0, sy=0, ex=135447060, ey=135447060, head=0) at 
term.c:938
#2  0x0806917b in place_arrows (layer=0) at graphics.c:1114


-- 
Ethan A Merritt
Department of Biochemistry & Biomolecular Structure Center
University of Washington, Seattle

Re: General bug - No out of bounds checking on 3D coordinates

[Hans-Bernhard B. <br...@ph...>]

Ethan A Merritt wrote:

> Program received signal SIGSEGV, Segmentation fault.
> 0x00000000 in ?? ()
> (gdb) where
> #0  0x00000000 in ?? ()
> #1  0x080ab1d8 in do_arrow (sx=0, sy=0, ex=135447060, ey=135447060, head=0) at 
> term.c:938
> #2  0x0806917b in place_arrows (layer=0) at graphics.c:1114

Well, I *did* mention "set arrow to far away points causes garbage" bug 
report, didn't I?

-- 
Hans-Bernhard Broeker (br...@ph...)
Even if all the snow were burnt, ashes would remain.