Fix divide-by-zero in MCTS fixed_log overflow

jserv · jserv · commit 0000501e59f4 · 2026-04-19T05:53:48.000+08:00
In fixed_log, the divisor (v + (1U &lt;&lt; FIXED_SCALE_BITS)) is computed in
32-bit arithmetic. When v = 0xFFFF0000 (n_total=65535, so n_total&lt;&lt;16),
the addition overflows to zero, triggering a kernel Oops (divide error)
inside the kxod workqueue via ai_one_work_func -&gt; play_agent_move -&gt;
mcts.

This crashes the kworker, leaves the module refcount elevated, and makes
rmmod hang forever, which is CI timeout seen in integration-tests job.

Cast v to u64 before the addition so denominator is computed in 64-bit
and cannot wrap to zero.
diff --git a/scripts/aspell-pws b/scripts/aspell-pws
@@ -159,6 +159,7 @@ xor
 xoro
 xoroshiro
 prng
+MCTS
 ksort
 cmwq
 workqueue
diff --git a/src/mcts.c b/src/mcts.c
@@ -63,8 +63,8 @@ static fixed_point_t fixed_log(fixed_point_t v)
         numerator = (1U << 31) - numerator;
     }
 
-    fixed_point_t y =
-        ((u64) numerator << FIXED_SCALE_BITS) / (v + (1U << FIXED_SCALE_BITS));
+    fixed_point_t y = ((u64) numerator << FIXED_SCALE_BITS) /
+                      ((u64) v + (1U << FIXED_SCALE_BITS));
 
     fixed_point_t ans = 0U;
     for (unsigned i = 1; i < 20; i += 2) {

Original file line number	Diff line number	Diff line change
`@@ -63,8 +63,8 @@ static fixed_point_t fixed_log(fixed_point_t v)`
`63`	`63`	`numerator = (1U << 31) - numerator;`
`64`	`64`	`}`
`65`	`65`
`66`		`- fixed_point_t y =`
`67`		`- ((u64) numerator << FIXED_SCALE_BITS) / (v + (1U << FIXED_SCALE_BITS));`
	`66`	`+ fixed_point_t y = ((u64) numerator << FIXED_SCALE_BITS) /`
	`67`	`+ ((u64) v + (1U << FIXED_SCALE_BITS));`
`68`	`68`
`69`	`69`	`fixed_point_t ans = 0U;`
`70`	`70`	`for (unsigned i = 1; i < 20; i += 2) {`