

A Closer Look at the Java 2.2250738585072012e-308 Bug - pietrofmaggi
http://www.exploringbinary.com/a-closer-look-at-the-java-2-2250738585072012e-308-bug/

======
pilif
What I think is amazing is the fact that there's a bug from November of 2009
(<http://bugs.openjdk.java.net/show_bug.cgi?id=100119>) that's first reporting
the issue.

So there was a known denial of service vulnerability in Java for more than a
year before people recognized it as that and actually started bothering to fix
it.

~~~
wnoise
Problems with it date back to 2001, actually:

<http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4421494>

(Ergh, except fucking Oracle broke that. But
<http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4396272> also shows the
boundary case not quite doing the right thing.)

~~~
pasbesoin
Your second link is dead now, too.

EDIT: Now it's come up, upon retrying after some minutes.

------
stalar
Fix is available. See:
[http://blogs.oracle.com/security/2011/02/security_alert_for_...](http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html)
and
[http://www.oracle.com/technetwork/java/javase/downloads/inde...](http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater)

------
adaml_623
I thought this was a side effect from a GCC bug when it affected PHP. So does
Java use the same algorithm for generating machine code at it's lowest level?

~~~
pietrofmaggi
No, It's a different problem, as stated in the article:

"Java’s decimal to floating-point conversion routine is java code, although
obviously modeled on David Gay’s C code. Apparently, it was changed just
enough to avoid the x87 error — but it introduced a new error."

------
joubert
Good analysis. I sure hope a unit test will be added to the Java code base to
cover this boundary case.

------
fedd
so when/how would the fix get into some java update?

