Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test, build: Enable -Werror=sign-compare #18216

Merged
merged 3 commits into from
May 11, 2020
Merged

test, build: Enable -Werror=sign-compare #18216

merged 3 commits into from
May 11, 2020

Conversation

Empact
Copy link
Contributor

@Empact Empact commented Feb 27, 2020
edited
Loading

Disallowing sign-comparison mismatches can help to prevent the introduction of overflow and interpretation bugs.

In this case, all most existing violations are in the tests, and most simply required annotating the literal as unsigned for comparison.

This was previously prevented by violations in leveldb which were fixed upstream and merged in #17398. You can test that by building this branch against: 22d1118 vs 75fb37c

@fanquake
Copy link
Member

This is failing on the ARM64 Travis build:

  CXX      util/libbitcoin_util_a-asmap.o
  CXX      util/libbitcoin_util_a-bip32.o
util/asmap.cpp: In function ‘uint32_t Interpret(const std::vector<bool>&, const std::vector<bool>&)’:
util/asmap.cpp:82:26: error: comparison of integer expressions of different signedness: ‘uint32_t’ {aka ‘unsigned int’} and ‘std::ptrdiff_t’ {aka ‘int’} [-Werror=sign-compare]
                 if (jump >= endpos - pos) break;
                     ~~~~~^~~~~~~~~~~~~~~

@Empact Empact force-pushed the 2020-02-sign-compare branch 2 times, most recently from 7ab2e6c to 416f3be Compare February 28, 2020 01:40
@Empact
Copy link
Contributor Author

Empact commented Feb 28, 2020

@fanquake Thanks, addressed with f35268d

@DrahtBot
Copy link
Contributor

DrahtBot commented Feb 28, 2020
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@DrahtBot DrahtBot mentioned this pull request Feb 28, 2020
Closed
This was referenced Feb 28, 2020
Closed
Closed
@practicalswift
Copy link
Contributor

practicalswift commented Feb 29, 2020
edited
Loading

Thanks for doing this! I'm confident that adding -Werror=sign-compare to --enable-werror will prevent a non-zero number of bugs hitting master in the future: strong concept ACK! :)

I've reviewed the code and my only suggestion is to add -Wsign-compare as part of our set of default diagnostics. That way developers will have a chance of resolving any sign-compare issues before PR submission (and thus --enable-werror scrunity in Travis).

Tested ACK 416f3be modulo above suggestion

@practicalswift
Copy link
Contributor

I'm confident that adding -Werror=sign-compare to --enable-werror will prevent a non-zero number of bugs hitting master in the future: strong concept ACK! :)

FWIW -- CVE-2017-18350 was signedness related:

"CVE-2017-18350 is a buffer overflow vulnerability which allows a malicious
SOCKS proxy server to overwrite the program stack on systems with a signed
char type (including common 32-bit and 64-bit x86 PCs)."

@Empact Empact force-pushed the 2020-02-sign-compare branch from 416f3be to acee614 Compare February 29, 2020 22:08
practicalswift
practicalswift approved these changes Feb 29, 2020
View reviewed changes
Copy link
Contributor

@practicalswift practicalswift left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK acee614

@DrahtBot DrahtBot mentioned this pull request Mar 1, 2020
Merged
@hebasto
Copy link
Member

hebasto commented Mar 10, 2020

Concept ACK.

hebasto
hebasto reviewed Mar 10, 2020
View reviewed changes
src/util/asmap.cpp Outdated
@@ -77,9 +77,10 @@ uint32_t Interpret(const std::vector<bool> &asmap, const std::vector<bool> &ip)
return DecodeASN(pos, endpos);
} else if (opcode == 1) {
jump = DecodeJump(pos, endpos);
assert(pos + jump > pos);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this assert is needed here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean for that to protect against the unlikely case of overflow of pos + jump overflowing - if an overflow occurs, pos + jump will be less than pos.

Copy link
Contributor

@practicalswift practicalswift Mar 11, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the failure condition possible (pos + jump <= pos)? If it is possible to reach I'm not certain aborting is the right thing to do :)

Copy link
Member

@laanwj laanwj Apr 22, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this should be an assert. It can be caused by incorrect input (an corrupt asmap file), not just developer errors. We shouldn't use assert for error handling. Don't we have other ways of reporting an error here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to break which results in returning 0, which is not a valid ASN.

@hebasto
Copy link
Member

hebasto commented Mar 10, 2020

Tested on macOS 10.15.3:

% clang --version | head -1  
Apple clang version 11.0.0 (clang-1100.0.33.17)
% brew info boost | head -1  
boost: stable 1.72.0 (bottled), HEAD
% make > /dev/null           
/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-strnlen.o) has no symbols
/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-sync.o) has no symbols
/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-string.o) has no symbols
/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-strnlen.o) has no symbols
/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-sync.o) has no symbols
/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-string.o) has no symbols

hebasto
hebasto approved these changes Mar 10, 2020
View reviewed changes
Copy link
Member

@hebasto hebasto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK acee614

@practicalswift
Copy link
Contributor

ACK acee614 modulo assert - see @hebasto's question above which needs to be addressed :)

jonatack
jonatack reviewed Mar 16, 2020
View reviewed changes
Copy link
Member

@jonatack jonatack left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK acee614

This was referenced Mar 30, 2020
Merged
Closed
Merged
@DrahtBot DrahtBot mentioned this pull request Apr 9, 2020
Closed
@maflcko
Copy link
Member

maflcko commented Apr 22, 2020

Can remove some of the lines in test/sanitizer_suppressions/ubsan now?

@maflcko
Copy link
Member

maflcko commented Apr 22, 2020

Could also split up the test changes to merge them in the fast track? The Core changes seem controversial for now.

@Empact Empact force-pushed the 2020-02-sign-compare branch from acee614 to b8a6a2d Compare April 23, 2020 02:09
@practicalswift
Copy link
Contributor

ACK b8a6a2d -- patch looks correct

This was referenced May 1, 2020
Merged
Closed
Closed
@Empact Empact force-pushed the 2020-02-sign-compare branch from ba1b64a to ab36ecf Compare May 8, 2020 18:19
@Empact
Copy link
Contributor Author

Empact commented May 8, 2020

Rebased for #18512

@practicalswift
Copy link
Contributor

@Empact Looks good, but this one needs to be fixed for the ARM job to succeed :)

util/asmap.cpp: In function ‘bool SanityCheckASMap(const std::vector<bool>&, int)’:
util/asmap.cpp:159:22: error: comparison of integer expressions of different signedness: ‘uint32_t’ {aka ‘unsigned int’} and ‘std::ptrdiff_t’ {aka ‘int’} [-Werror=sign-compare]
             if (jump > endpos - pos) return false; // Jump out of range
                 ~~~~~^~~~~~~~~~~~~~

@hebasto
Copy link
Member

hebasto commented May 9, 2020

@Empact Looks good, but this one needs to be fixed for the ARM job to succeed :)

util/asmap.cpp: In function ‘bool SanityCheckASMap(const std::vector<bool>&, int)’:
util/asmap.cpp:159:22: error: comparison of integer expressions of different signedness: ‘uint32_t’ {aka ‘unsigned int’} and ‘std::ptrdiff_t’ {aka ‘int’} [-Werror=sign-compare]
             if (jump > endpos - pos) return false; // Jump out of range
                 ~~~~~^~~~~~~~~~~~~~

Also #18686.

@DrahtBot DrahtBot mentioned this pull request May 9, 2020
Closed
@Empact Empact force-pushed the 2020-02-sign-compare branch from ab36ecf to 054cc19 Compare May 9, 2020 07:16
Empact added 2 commits May 9, 2020 00:20
@Empact
refactor: Rework asmap Interpret to avoid ptrdiff_t
eac6a30
@Empact
build: Enable -Werror=sign-compare
6853727 
Explicitly add -Wsign-compare as well - not required for all compilers, as GCC activates it
under -Wall, but may impact clang, etc.
@Empact Empact force-pushed the 2020-02-sign-compare branch from 054cc19 to 6853727 Compare May 9, 2020 07:20
@practicalswift
Copy link
Contributor

ACK 6853727

As noted in earlier comments: I'm confident this change will help us catch a non-zero amount of bugs hitting master going forward :)

@fjahr
Copy link
Contributor

fjahr commented May 10, 2020

re-ACK 6853727

@fanquake fanquake merged commit ec4d27f into bitcoin:master May 11, 2020
fanquake added a commit to fanquake/bitcoin that referenced this pull request May 11, 2020
@fanquake
rand: GetDevURandom is not used on macOS
b4037ae 
Removes the unused function warning when building on macOS. Now
that bitcoin#18216 is in, with this change we'll be back to warningless builds
on macOS.

random.cpp:259:13: warning: unused function 'GetDevURandom' [-Wunused-function]
static void GetDevURandom(unsigned char *ent32)
            ^
1 warning generated.
LarryRuane added a commit to LarryRuane/bitcoin that referenced this pull request Jul 13, 2020
@LarryRuane
fix CI failures, same changes as bitcoin#18216
ee42af0
Fabcien pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Feb 10, 2021
@Empact @PiRK
test, build: Enable -Werror=sign-compare
942d919 
Summary:
test: Fix outstanding -Wsign-compare errors
refactor: Rework asmap Interpret to avoid ptrdiff_t

This is a backport of Core [[bitcoin/bitcoin#18216 | PR18216]]

It also includes a change in asmap.cpp that was missed in D9055 ([[bitcoin/bitcoin#18512 | PR18512]])

Test Plan: ninja all check-all

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Subscribers: Fabien

Differential Revision: https://reviews.bitcoinabc.org/D9197
@Empact Empact deleted the 2020-02-sign-compare branch April 13, 2021 16:49
@maflcko
Copy link
Member

maflcko commented Apr 29, 2021

I went ahead and reverted the asmap changes, because they rely on UB: #21802

PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Oct 6, 2021
@fanquake @PastaPastaPasta
partial Merge bitcoin#18216: test, build: Enable -Werror=sign-compare
72bc721 
6853727 build: Enable -Werror=sign-compare (Ben Woosley)
eac6a30 refactor: Rework asmap Interpret to avoid ptrdiff_t (Ben Woosley)
df37377 test: Fix outstanding -Wsign-compare errors (Ben Woosley)

Pull request description:

  Disallowing sign-comparison mismatches can help to prevent the introduction of overflow and interpretation bugs.

  In this case, ~all~ most existing violations are in the tests, and most simply required annotating the literal as unsigned for comparison.

  This was previously prevented by violations in leveldb which were fixed upstream and merged in bitcoin#17398. You can test that by building this branch against: 22d1118 vs 75fb37c

ACKs for top commit:
  fjahr:
    re-ACK 6853727
  practicalswift:
    ACK 6853727

Tree-SHA512: 14b5daa38c496fb51548feb30fb4dd179e6f76a8d355f52bc8e2a18f2f9340f0bc98dcf36d8b3d6521045d013891c3103749a4eda88ceef00202a6a0cf93f73c
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Oct 6, 2021
@fanquake @PastaPastaPasta
partial Merge bitcoin#18216: test, build: Enable -Werror=sign-compare
ebe48e6 
6853727 build: Enable -Werror=sign-compare (Ben Woosley)
eac6a30 refactor: Rework asmap Interpret to avoid ptrdiff_t (Ben Woosley)
df37377 test: Fix outstanding -Wsign-compare errors (Ben Woosley)

Pull request description:

  Disallowing sign-comparison mismatches can help to prevent the introduction of overflow and interpretation bugs.

  In this case, ~all~ most existing violations are in the tests, and most simply required annotating the literal as unsigned for comparison.

  This was previously prevented by violations in leveldb which were fixed upstream and merged in bitcoin#17398. You can test that by building this branch against: 22d1118 vs 75fb37c

ACKs for top commit:
  fjahr:
    re-ACK 6853727
  practicalswift:
    ACK 6853727

Tree-SHA512: 14b5daa38c496fb51548feb30fb4dd179e6f76a8d355f52bc8e2a18f2f9340f0bc98dcf36d8b3d6521045d013891c3103749a4eda88ceef00202a6a0cf93f73c
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Oct 10, 2021
@fanquake @PastaPastaPasta
partial Merge bitcoin#18216: test, build: Enable -Werror=sign-compare
5392f8e 
6853727 build: Enable -Werror=sign-compare (Ben Woosley)
eac6a30 refactor: Rework asmap Interpret to avoid ptrdiff_t (Ben Woosley)
df37377 test: Fix outstanding -Wsign-compare errors (Ben Woosley)

Pull request description:

  Disallowing sign-comparison mismatches can help to prevent the introduction of overflow and interpretation bugs.

  In this case, ~all~ most existing violations are in the tests, and most simply required annotating the literal as unsigned for comparison.

  This was previously prevented by violations in leveldb which were fixed upstream and merged in bitcoin#17398. You can test that by building this branch against: 22d1118 vs 75fb37c

ACKs for top commit:
  fjahr:
    re-ACK 6853727
  practicalswift:
    ACK 6853727

Tree-SHA512: 14b5daa38c496fb51548feb30fb4dd179e6f76a8d355f52bc8e2a18f2f9340f0bc98dcf36d8b3d6521045d013891c3103749a4eda88ceef00202a6a0cf93f73c
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Oct 12, 2021
@fanquake @PastaPastaPasta
partial Merge bitcoin#18216: test, build: Enable -Werror=sign-compare
de864fa 
6853727 build: Enable -Werror=sign-compare (Ben Woosley)
eac6a30 refactor: Rework asmap Interpret to avoid ptrdiff_t (Ben Woosley)
df37377 test: Fix outstanding -Wsign-compare errors (Ben Woosley)

Pull request description:

  Disallowing sign-comparison mismatches can help to prevent the introduction of overflow and interpretation bugs.

  In this case, ~all~ most existing violations are in the tests, and most simply required annotating the literal as unsigned for comparison.

  This was previously prevented by violations in leveldb which were fixed upstream and merged in bitcoin#17398. You can test that by building this branch against: 22d1118 vs 75fb37c

ACKs for top commit:
  fjahr:
    re-ACK 6853727
  practicalswift:
    ACK 6853727

Tree-SHA512: 14b5daa38c496fb51548feb30fb4dd179e6f76a8d355f52bc8e2a18f2f9340f0bc98dcf36d8b3d6521045d013891c3103749a4eda88ceef00202a6a0cf93f73c
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Dec 12, 2021
@fanquake @PastaPastaPasta
partial Merge bitcoin#18216: test, build: Enable -Werror=sign-compare
9eb4e09 
6853727 build: Enable -Werror=sign-compare (Ben Woosley)
eac6a30 refactor: Rework asmap Interpret to avoid ptrdiff_t (Ben Woosley)
df37377 test: Fix outstanding -Wsign-compare errors (Ben Woosley)

Pull request description:

  Disallowing sign-comparison mismatches can help to prevent the introduction of overflow and interpretation bugs.

  In this case, ~all~ most existing violations are in the tests, and most simply required annotating the literal as unsigned for comparison.

  This was previously prevented by violations in leveldb which were fixed upstream and merged in bitcoin#17398. You can test that by building this branch against: 22d1118 vs 75fb37c

ACKs for top commit:
  fjahr:
    re-ACK 6853727
  practicalswift:
    ACK 6853727

Tree-SHA512: 14b5daa38c496fb51548feb30fb4dd179e6f76a8d355f52bc8e2a18f2f9340f0bc98dcf36d8b3d6521045d013891c3103749a4eda88ceef00202a6a0cf93f73c
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Dec 12, 2021
@fanquake @PastaPastaPasta
partial Merge bitcoin#18216: test, build: Enable -Werror=sign-compare
6204c02 
6853727 build: Enable -Werror=sign-compare (Ben Woosley)
eac6a30 refactor: Rework asmap Interpret to avoid ptrdiff_t (Ben Woosley)
df37377 test: Fix outstanding -Wsign-compare errors (Ben Woosley)

Pull request description:

  Disallowing sign-comparison mismatches can help to prevent the introduction of overflow and interpretation bugs.

  In this case, ~all~ most existing violations are in the tests, and most simply required annotating the literal as unsigned for comparison.

  This was previously prevented by violations in leveldb which were fixed upstream and merged in bitcoin#17398. You can test that by building this branch against: 22d1118 vs 75fb37c

ACKs for top commit:
  fjahr:
    re-ACK 6853727
  practicalswift:
    ACK 6853727

Tree-SHA512: 14b5daa38c496fb51548feb30fb4dd179e6f76a8d355f52bc8e2a18f2f9340f0bc98dcf36d8b3d6521045d013891c3103749a4eda88ceef00202a6a0cf93f73c
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Aug 16, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@laanwj laanwj laanwj left review comments

@jonatack jonatack jonatack left review comments

@practicalswift practicalswift practicalswift approved these changes

@vasild vasild vasild approved these changes

@hebasto hebasto hebasto approved these changes

Assignees
No one assigned
Labels
Build system Tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@Empact @fanquake @DrahtBot @practicalswift @hebasto @maflcko @fjahr @vasild @laanwj @jonatack