Integer overflow in functor/3

From: Mark Barbone
Subject: Integer overflow in functor/3
Date: Sat, 14 Nov 2020 22:25:10 -0800

Hi all,

I've found a minor bug in functor/3.  With an arity argument outside the range of an int, the value is truncated into the size of an int.

Here are two examples of potential outcomes, along with a correct example that doesn't have overflow:

| ?- X is 1<<32 + 3, functor(F, hi, X).

F = hi(_,_,_)
X = 4294967299

| ?- X is 1<<31, functor(F, hi, X).    
uncaught exception: error(type_error(atom,hi),functor/3)
| ?- X is 1<<31 - 1, functor(F, hi, X).
uncaught exception: error(representation_error(max_arity),functor/3)

I would expect all of these to be representation_errors.  The second example happens because of a catch-all error clause in Pl_Blt_Functor (term_inl_c.c, line 282):

  // ... checks if arity > 0 and functor_word is valid
  if (arity != 0)
    Pl_Err_Type(pl_type_atom, functor_word);

The root cause is that arity is declared as an integer, instead of a PlLong (term_inl_c.c, line 225):

  int arity;

Thanks, and I hope the bug report helps.
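
The truncation described in this report, modeled in C as an added example (not part of the original message and not the project's source). `int64_t` stands in for PlLong; `MAX_ARITY_ASSUMED`, the result enum and the function names are hypothetical, and the model's error classes do not reproduce the real function's error paths.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limit for this sketch; the page does not state max_arity. */
#define MAX_ARITY_ASSUMED 255

enum arity_result { ARITY_OK, ARITY_NEGATIVE, ARITY_TOO_LARGE };

/* Models storing a wide Prolog integer in `int arity;`. Out-of-range
 * conversion is implementation-defined in C; GCC and Clang keep the low 32 bits. */
int narrow_arity(int64_t requested) { return (int)requested; }

/* Before: the range check only ever sees the already-truncated value. */
enum arity_result check_narrowed(int64_t requested, int *out) {
    int arity = narrow_arity(requested);
    if (arity < 0) return ARITY_NEGATIVE;
    if (arity > MAX_ARITY_ASSUMED) return ARITY_TOO_LARGE;
    *out = arity;
    return ARITY_OK;
}

/* After: validate in the wide type, narrow only once the value is known to fit. */
enum arity_result check_wide(int64_t requested, int *out) {
    if (requested < 0) return ARITY_NEGATIVE;
    if (requested > MAX_ARITY_ASSUMED) return ARITY_TOO_LARGE;
    *out = (int)requested;
    return ARITY_OK;
}

int main(void) {
    /* The three arities from the report: 1<<32 + 3, 1<<31, 1<<31 - 1. */
    const int64_t cases[] = { (1LL << 32) + 3, 1LL << 31, (1LL << 31) - 1 };
    static const char *names[] = { "ok", "negative", "too_large" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int a = -1, b = -1;
        enum arity_result before = check_narrowed(cases[i], &a);
        enum arity_result after = check_wide(cases[i], &b);
        printf("%lld: int=%d before=%s after=%s\n", (long long)cases[i],
               narrow_arity(cases[i]), names[before], names[after]);
    }
    return 0;
}
```

With the narrowed check, the three inputs land in three different outcomes (accepted as arity 3, negative, too large); with the wide check all three are rejected as too large.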

