Feeds

back to article PHP apps plagued by Mark of the Beast bug

Web developers are in a lather following the discovery of a bug in the PHP programming language that causes computers to freeze when they process certain numerical values with large numbers of decimal places. The error in the way floating-point and double-precision numbers are handled sends 32-bit systems running Linux, Windows …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge
Flame

haha web devs

I wonder if web devs will still try and convince the world PHP is a serious non mickey mouse language and they are real software developers.

4
34

To all you PHP haters...

I hadn't noticed any malice toward PHP until reading the comments for this article. Having since conducted a Web search for problems regarding PHP, it seems in all cases dislike for PHP stems from an inability or unwillingness to employ an effective programming methodology, as opposed to anything specifically regarding PHP.

@asdf, Thyratron, Greg: PHP is only as insecure as one's unwillingness to put some effort into the art of code design. In my experience, compiled languages lend themselves to far more buggy results than the likes of PHP. So what exactly is it that irks you lot about PHP? How is it insecure or "mickey mouse"? Get specific, for pity's sake. No one likes a hater!

14
0
Silver badge

Mickey mouse ?

Don't confuse the language with its users. PHP makes it very easy to get web applications up and running. Some of these are done by people who don't understand what they are doing and who write truely dreadful code - why blame the language for this ?

6
0
FAIL

VB?

Visual Basic programmer? You sound like it.

PHP is not really any different from any other language - the results depend on the competence of the programmer.

5
0
Unhappy

Re: To all you PHP haters...

> So what exactly is it that irks you lot about PHP? How is it insecure or "mickey mouse"? Get specific, for pity's sake.

As I probably didn't make clear enough in my "Testing times" comment, it's not the language itself that lacks rigour, but the people who use it. Yes, I'm sure there's a core of specialists who use effective methodologies, but most of the people I come across who claim to be PHP programmers are little more than 'script kiddies' copy-and-pasting fragments of other people's code without comprehension.

Whilst this might not matter much for simple websites, the trend is for more business processes to be moved online, and with it there is the danger they will be ineptly coded by this shower. Then it will matter.

(When you've finished downvoting me, pop over to Amazon and buy a programming book :-)

1
3
Anonymous Coward

So...

So, it's ok to blame the users of a language for problems caused by its use, however I'll bet if you blame users of Windows for setting it up wronlgly it'll be "stupid Microsoft's" fault.

3
1
Silver badge

@asdf, Thyratron....Greg???

Me?? I was taking the piss! I'm a PHP coder! I've got a sodding ZCE (yes, I know)!

0
0
Joke

what if...

You don't compile it with the --pentium flag?

6
0

Doesn't affect 64 bit machines?

If this doesn't affect 64bit servers then I'd imagine the majority of anything half decently new and running non-Windows OS is likely to be unaffected...?

@asdf - like Python, C#, Java, Ruby, Perl, ASP, .NET stuff and pretty much everything else out there it's got bugs but then real programming languages don't have bugs, do they...err.

12
2
Happy

I now regret an attempt at funny

I knew I shouldn't have written "exactually"... now I've been sicced. Luckily the article says "A user names Pomax" instead of "named", so I guess it's 1 for 1.

- Pomax

7
0
Thumb Up

I like it

"exactually" for the dictionary!

0
0
Coat

Why has this gone on for so long...

something doesn't add up...

4
0

I won't say there's nothing sadder than watching a web developer try to defend PHP's reputation.

It is, nonetheless, far from an uplifting sight.

2
21
Troll

Yawn

Yeah, that PHP must suck so bad, given that only three quarters of the Internet uses it, including some of the largest, most popular sites in the world with hundreds of millions of users. How about giving us some details of your complaints, assuming you actually have any...

What's next - MySQL isn't a "real database"?

6
1
FAIL

Title Schmitle

Apparently you never learned that sometimes it isn't the best offering that becomes the dominant one. Look at most of Microsoft's offerings.

1
1
Silver badge

Predictable post of the day

Insert anti-PHP "insecure garbage" rant from Perl developer here.

9
1
Grenade

Hmmmm ...

"I wonder if web devs will still try and convince the world PHP is a serious non mickey mouse language and they are real software developers."

And to think this used to be a website for people interested in and well-versed with technology.

15
0
Unhappy

Testing times

What's so amazing about this story is that it has taken so long for this bug to emerge. I can understand how most PHP programmers wouldn't bother with proper testing, but for not a single one of them to find this until now is astounding. I don't think I'll be recruiting any PHP 'programmers' for a while.

Back when I used punched cards...

0
9
FAIL

Why would I find it?

I develop in PHP pretty exclusively, but since I don't ever accept input from the user without screening it, and I can't remember the last time I ever used (float) to typecast it to a float, I'm always using ints when the data should be numeric.

So according to your theory, I should have hit the bug long before now - but seeing how I've never had to write anything processing exponentials, or variables that long, it's not something I ever encountered since I made sure I turned it into a format that was safe for use *before* I used it.

Incidentally, I just tested some of the code I work with and I can't trigger this on either PHP 5.2 or 5.3... is that because I'm a bad programmer and didn't test it initially, or because I'm a good programmer and made sure I wasn't going to get invalid/nonsensical input in the first place?

10
0
Stop

Re: Testing times

Surely you would hire a PHP developer if you need some PHP written? And of course, you are smart enough to recognise the difference between the language PHP and C that it's engine and other gubbinz are written in, aren't you? Although that would mean you wouldn't recruit any C developers as surely they are tainted by association. And as C developers rule the world (sorry Java/Perl :-) ) that kinda narrows down the talent pool.

On a side note i suspect this bug hasn't been noticed because anyone using PHP for serious maths heavy work uses a combination of 64bit (where the bug doesn't seem to exist), and BC math or GNU Multiple Precision extensions which i suspect don't touch the bug causing code

(I suspect i may have just fed the troll but oh well)

2
1
FAIL

Define Proper Testing

"What's so amazing about this story is that it has taken so long for this bug to emerge. I can understand how most PHP programmers wouldn't bother with proper testing,"

Testing is incredibly valuable, but there are diminishing returns as you generate a more and more comprehensive test suite. When the value of the returns is less than the cost of fixing a bug when it occurs 'in the field' as a project manager you have to say "enough is enough".

Given that this bug hasn't manifested itself as problematic in the real world (or there would have been much squealing well before now), and the code-base of PHP driven websites out there, then I think someone pretty much got that balance right.

I'm glad you're not my boss on the one hand demanding such a comprehensive test suite on the one hand that hard to hit, obscure and esoteric bugs are found before release, but also pushing us to ensure testing - always pushed to the right by development slips - doesn't delay a ship-date.

"Beware of bugs in the above code; I have only proved it correct, not tried it."

http://www-cs-faculty.stanford.edu/~knuth/faq.html

1
0
Coat

why now?

Before the recession, I never used numbers like 2.2250738585072011e-308 for my bank balance.

- threadbare coat

3
0

mickey mouse

As a professional ASP.NET developer I have migrated to PHP out of choice and view it as a more useful language. As for Mickey Mouse - Facebook is written in it - end of.

3
3

@markl66 - Facebook

"As for Mickey Mouse - Facebook is written in it - end of." Kind of, except they use HipHop to transform it into C++ so that their code runs at an acceptable speed. See https://github.com/facebook/hiphop-php/wiki/ for further details.

0
0
Joke

"As for Mickey Mouse - Facebook is written in it - end of."

Sorry, are you criticizing or defending it ?

5
0
Silver badge

@mark166

I confess that I too have accepted money for a short spell of developing in ASP.NET, but I wouldn't use the expression "As a professional ASP.NET developer" as a way of asserting my software credentials. It's a bit like "as a professional flat-pack furniture assembler".

I didn't know Facebook was written in Mickey Mouse. Is that Mickey Mouse 6.0 or Mickey Mouse.NET?

2
0
Silver badge
Pint

Transform it to C++?!

In something called "hiphop". Yeah... that's the ticket ... rappers, gangstas and faizbookas on da intarwebz.

"Facebook sees about a 50% reduction in CPU usage when serving equal amounts of Web traffic when compared to Apache and PHP. "

They lose 90% of the flexibility though. Why would you want to do that?

0
1
Coffee/keyboard

Worst explanation of issue ever?

I could not extract a single bit of useful information from the article, except perhaps that PHP has a bug.

"Converting a fixed fraction decimal number into a floating point means turning an exact number into its best approximation"

What is this "fixed fraction decimal number" thing? There are many ways to express a number. But for god's sake, those are ways to represent the same number. They can be written differently, but they are the same number, regardless of notation used. What's next, a number in hexadecimal like 0x10 being a different number than, dare I say 16?

"In order to get the approximation as close as possible to the original number, a floating point conversion algorithm will perform several runs until the error between the original number and the floating point representation is smaller than some very small value."

Let's see, the computer knows the exact value of a number, and it wants to convert it to its floating point closest approximation. First question that comes to mind, if there is an exact representation of the value already in the computer (it should be, since it is somehow trying to find its best approximation), why it does need to use another, inferior, less precise representation? Answer: because that is not what is happening.

This is an example of how to turn a bug in the floating point parser into a confusing mess that no one can understand, and a way to perpetuate the perennial misunderstanding of data types and their representation. Which somehow is likely to be more abundant in the world of typeless languages and "everything is a string" programming, of which PHP is a prime example.

Have the tech standards at the Reg reached a new low or I'm missing something here?

0
5
Bronze badge

Other side of the decimal point

Fractions don't convert between bases. The simple value of 0.1 in decimal has an infinitely repeating value as a base 2 or base 16 number. Since floats are fractions and an exponent, not all values translate exactly. Also note that in 2's compliment binary there are more negative values than positive values. There are lots of rules to keep all of this working, and that's probably where PHP is messing up.

2.2250738585072011e-308 decimal is represented as a 64 bit float by: 0000000000001111111111111111111111111111111111111111111111111111

0.1 decimal is:

0011111110111001100110011001100110011001100110011001100110011010

1 decimal is:

0011111111110000000000000000000000000000000000000000000000000000

1e100 decimal is:

0101010010110010010010011010110100100101100101001100001101111101

Several patterns are redundant and used to represent for zero, +infinity, -infinity, and Not-A-Number.

Zero:

0000000000000000000000000000000000000000000000000000000000000000

+Inf:

0111111111110000000000000000000000000000000000000000000000000000

-Inf:

1111111111110000000000000000000000000000000000000000000000000000

NaN:

0111111111111000000000000000000000000000000000000000000000000000

1
0
Thumb Up

Finally

Over 30 years since I did my Computer Science degree and Kevin McMurtrie's post finally clears up my understanding of why floats can't represent many numbers exactly. I seem to remember a numerical methods lecturer who claimed that you couldn't represent 0 precisely as well or is that my misremembering?

0
0
Anonymous Coward

Yeah, I know all that

Kevin, I knew all those differences you care to explain so well. I just wanted to point out how poorly written the article is, which is something I'm sure you'll agree. The difference between a number and how is represented and stored, with the associated loss of precision (or not), is a very complex one, and not easy to dealt with by any means.

I suppose I'm burned out of seeing so many self appointed programmers that firmly believe that a date is a string, a number is a string and everything is stored in the same way it is represented in ASCII. And PHP and typeless languages in general are notoriously handicapped at dealing with those things well. Or perhaps they just try too hard to make life simple for non technically minded people.

I wish that I was not as lazy as I am, I would have posted your examples or similar ones. Indeed, I wisth that someone with some knowledge about the issue had written the original article.

0
0
Thumb Up

interesting, but the use case shouldn't really ever be used.

This is a bad bug but I believe PHP has always maintained if you're dealing with large precision numbers you should always treat the number as a string. Which as the originator's blog pointed out it seems to work.

and then use the precision maths libaries to handle such numbers as the internal maths ops are not built to handle precision numbers and has rounding errors. I wonder if anyone tried with the the libs and whether it still crash the system.

If it doesn't then I believe it's a case of bad programming as well.

0
0

Right tool for the right job

PHP is a perfectly good language for what it's used for, which is to say, web sites.

I'm not surprised a bug like this hasn't turned up. How many projects are there that require that kind of crazy precision, which are written in PHP? Anything even remotely enterprise-y or scientific is going to be using far more established and rigorous languages such as Java or C. Heck, maybe even Fortran since it was specifically designed for dealing with this sort of problem.

It's a fairly safe bet that the NYSE and LHC probably don't use PHP for their system software.

4
0
Joke

Not sure about the NYSE

When has economics ever worried about getting the sums actually right?

It's the market which is always right even if it bears no relationship with the real world (TM).

0
0
Anonymous Coward

That was my thought

Who the hell is using PHP for high precision maths?

Grab it as a string, pass it to your backend systems.

I love the way the PHP haters come out in these articles. It's almost as funny as the Mac haters/fanbois. It's a tool. It has strengths and weaknesses. Grow up.

2
0

why so bitter, get laid more

I am PHP developer.

I don't use any of the MS .Net based stuff like c#, but it doesn't offend me that other people do.

Why the haters, its only a programming language and for the web its quite good, would you rather the whole web was still coded in perl or perhaps java servlets with JSPs.

Maybe get rid of Apache and run the web on IIS.

Seriously, horses for courses.

Everything has a faults, sadly the php haters seem to have the fault of not engaging their brain before slating something they probably have not used.

Oh and punch card programming is for pensioners!

1
1
Anonymous Coward

"and punch card programming is for pensioners"

Oh, those will be the people that invented computers then

4
0
ES

Set denormals to zero?

I wonder if disabling denormal numbers on the CPU will workaround this bug...

0
0
Coat

@Other side of the decimal point

Pedant alert:

Correctly

> Zero:

> 0000000000000000000000000000000000000000000000000000000000000000

should be +Zero as opposed to

-Zero:

1000000000000000000000000000000000000000000000000000000000000000

I'll get my coat - its the one with a copy of IEEE754 in the pocket

1
0
Boffin

Loving the hate

PHP is disliked because it is a shit language. Simple as that.

It has no rigourl, arguments to functions are inconsistently ordered str_replace is it (in_this_string, replace_this, with_this) or (replace_this, with_this, in_this_string) ?

then, of course, there's this http://imgur.com/7unV7

PHP is popular because it has batteries included and back when I started using it, when it was called Personal Home Page, the alternatives were CGI (mostly Perl) or ASP (vbscript, jscript).

I continue to use it through gritted teeth because once I've coded it up my replacement for ongoing maintenance will be much cheaper than me.

3
4

hmm

Just because you don't know how the language works, doesn't mean it's shit. If you want an exact match use triple equals, anyway. In which you'll find only -1 matches -1 not anything else, including '-1'. I wasn't surprised by what converted to what, but you then need to know how things evaluate as PHP is loosely typed after all.

String functions are string_funct(find_str, replace_str,subject)

Arrays functions normally call the array as the first option. It's a bit annoying why this is the case

Maybe you are one of those people who is confused by isset() and array_key_exists()

2
0
Silver badge

WTF

"If you want an exact match use triple equals"

Seriously? Just how many of the f*ckers do you need? = for assign and == for equivalence. Jesus.

3
3
FAIL

equivalence vs. identity

It's basic programming time: there's a difference between equivalence, and identity. The first means that two variables both transform to the same thing, the second means the two variables contain the same thing before transformation. And of course there is the one-way implication that identity(a,b) -> equality(a,b).

Some languages solve the difference between these two by mixing operators and functions, like using "==" and "equals()" (java), some languages solve it by not supporting equality out of the box (C/C++), some languages solve it by only using functions (functional programming languages, notably, like prolog and lisp) and some languages solve it using only operators, like PHP, where "==" is used for equality, and "===" for identity.

Why do you need it? Well, some languages only support one function return type in which case checking returns is simple. However, PHP is not one of these. Loose typing means you can stick whatever you like in a variable to get the job done, so it's important to have a way to differentiate between a function returning, say, a number or a failure indictaor like "false" or "null".

A conditional like if(functionvalue(...)!=false) {...} will fire when the function returns false, but also when it returns null or 0, because they are equivalent -- but not identical. For identity verification, to be able to see the difference between a legal function output and a failure (without an elaborate exception framework), if(functionvalue(...)!==false) {...} will make that distinction, only firing if the output isn't false. As long as the function retuns anything that isn't "false", and that means even things that are equivalent to "false", the conditional will be jumped over.

It's not the most elegant solution, but you don't use PHP because it's clean, you use it because it's quickly written and as dirty as C, minus the hell of memory allocation. Any dirt in the code left after you're done writing is dirt you put in there, and didn't bother cleaning up.

2
1
Silver badge

PHP is loosely typed

As you well know, so...

"Seriously? Just how many of the f*ckers do you need? = for assign and == for equivalence. Jesus."

It's actually:

= for assign

== for equivalence *of value* - two variables with the same value that might not necessarily be the same type

=== for equivalence *in value and type* - two variables with the same value and type

Is that too difficult for you? Would you rather do your programming in BASIC?

3
0
Silver badge

@Greg J Preece

"Is that too difficult for you? Would you rather do your programming in BASIC?"

No just a decent language. Triple equals is shithouse, and no I don't use BASIC so climb down off thy lofty soapbox.

0
1
FAIL

Who uses 32 bit anyway?

Anyone using 32 bit tech for a public website must be out of their tiny mind!

My 32 bit PC running WAMP does crash with this bug, but who cares anyway?

1
1
FAIL

Don't panic.

Although this is a stupid bug, the example you gave:

/store.php?cat=22250738585072011

would do nothing

I assume you mean

/store.php?cat=2.2250738585072011e-308

but didn't want to write that in case the script kiddies use that to take down the universe.

Well, don't fear.

Firstly, PHP request variables are passed as strings until converted by the script into other values.

so passing a normal parameter such as 2.2250738585072011e-308 is going to do no harm.

Converting that string to a float can crash PHP. Which is a big fail for sure, but isn't an epic disaster.

Secondly, what half-assed shopping cart are you thinking about with your store.php example that has floating point product ID codes?!

Fail flag for combination of PHP fail plus example fail!

3
0

assert( (x/y) == (x/y) )

On PHP bug 53632, Rasmus Lerdorf gave us a link to the GCC bug which caused this:

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=323

"To summarize, this defect effectively states that: assert( (x/y) == (x/y) ) may cause an assertion if compiled with optimization."

1
0
Boffin

Fun with PHP

The problem with PHP is that it's very easy to write bad code in, thanks in no small part to it's genesis as a quick hack to make coding webpages easier. People can therefore write code quickly and easily, but if they don't understand how things work, the system is open to abuse and problems.

For instance, opening a file based on a POST request can be done in a fairly trivial way:

$fh = fopen ($_REQUEST['filename'], 'a');

However, fopen can process URLs as well as local files, meaning that someone could submit an invalid/hacked file. Equally, $_REQUEST transparently reads both POST and GET, making hacking the form easy - and if you don't validate the form input (especially data destined to be sent to a database), it's may possible for an attacker to inject commands or trash your system - in the example above, they could read the system's password file or overwrite your PHP script with something designed to harvest passwords or worse...

It also doesn't help that the core function definitions are inconsistent (a legacy of bits being borrowed from C, Perl and anything else which was handy and could be duct-taped into play). For instance, when you want to use a string function, it could use any of the following four formats:

1) do_something (string, pattern)

2) doSomething (string, pattern)

3) do_something (pattern, string)

4) doSomething (pattern, string)

However, the actual language itself is as good (or bad) as most other loosely typed languages - Perl, JavaScript, Python, etc - PHP5's object model is good and solid and it does make a lot of stuff (e.g. processing XML, creating SOAP client/server systems, etc) relatively trivial.

2
0

@ very easy to write bad code in

I wasn't aware there was a language that wasn't easy to write bad code in!

All these language wars amaze me: in my experience good coders write good code in any language and bad coders write bad code in any language.

If you require the language to force you to avoid poor coding practices doesn't that say more about you than it does about the tool you are using?

6
1

Page:

This topic is closed for new posts.