Skip to content

Document intentional and unintentional unsigned integer overflows (wraparounds) using annotations #14224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Document intentional and unintentional unsigned integer overflows (wraparounds) using annotations #14224

wants to merge 2 commits into from

Conversation

practicalswift
Copy link
Contributor

@practicalswift practicalswift commented Sep 15, 2018
edited
Loading

  • Add -fsanitize=integer Travis job
  • Document unsigned integer overflows (wraparounds) using annotation ALLOW_WRAPAROUND (intentional) or WARNING_UNINTENTIONAL_WRAPAROUND (unintentional).

@practicalswift practicalswift changed the title Annotate unsigned integer overflows. Add Travis job with -fsanitize=integer. Annotate unsigned integer overflows. Add -fsanitize=integer Travis job. Sep 15, 2018
@ken2812221
Copy link
Contributor

Concept ACK.

ken2812221
ken2812221 reviewed Sep 15, 2018
View reviewed changes
@DrahtBot
Copy link
Contributor

DrahtBot commented Sep 15, 2018
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #14651 (Refactor: Fix compiler warning in prevector.h by ldm5180)
  • #14605 (Return of the Banman by dongcarl)
  • #14194 (Annotate unused parameters with [[maybe_unused]] by practicalswift)
  • #13949 (Introduce MempoolObserver interface to break "policy/fees -> txmempool -> policy/fees" circular dependency by Empact)
  • #13937 (Track best-possible-headers (TheBlueMatt) by Sjors)
  • #13864 (validation: Document where we are intentionally ignoring bool return values from validation related functions by practicalswift)
  • #13815 (util: Add [[nodiscard]] to all {Decode,Parse}... functions returning bool by practicalswift)
  • #13804 (WIP: Transaction Pool Layer by MarcoFalke)
  • #13062 (Make script interpreter independent from storage type CScript by sipa)
  • #11535 (Avoid unintentional unsigned integer wraparounds by practicalswift)
  • #10729 (Wrap EvalScript in a ScriptExecution class by luke-jr)
  • #10443 (Add fee_est tool for debugging fee estimation code by ryanofsky)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

This was referenced Sep 15, 2018
Merged
Closed
Merged
Closed
Closed
Closed
Closed
Merged
Closed
@practicalswift practicalswift force-pushed the no_sanitize-unsigned-integer-overflow branch from c65df56 to 2946881 Compare September 15, 2018 14:03
@DrahtBot DrahtBot mentioned this pull request Sep 15, 2018
Closed
12 tasks
@practicalswift practicalswift changed the title Annotate unsigned integer overflows. Add -fsanitize=integer Travis job. Annotate unsigned integer overflows (wraparounds). Add -fsanitize=integer Travis job. Sep 15, 2018
@arvidn
Copy link

arvidn commented Sep 16, 2018

there are a few #include<> directives that changed order, was that deliberate?
I take it the idea is to make new code that relies on unsigned wrap-around semantics to be annotated, and current annotations to be removed as code is fixed. Is that right?
would it make sense to use a different name for the macro? something like: ALLOW_WRAPAROUND.

nit: technically unsigned integers don't overflow, all operators on unsigned have modulo-2 arithmetic, so all results will always fit in the resulting variable.

@practicalswift practicalswift force-pushed the no_sanitize-unsigned-integer-overflow branch from 2946881 to 3ac1dd2 Compare September 16, 2018 06:40
@practicalswift practicalswift changed the title Annotate unsigned integer overflows (wraparounds). Add -fsanitize=integer Travis job. Add -fsanitize=integer Travis job. Annotate unsigned integer overflows (wraparounds). Sep 16, 2018
@practicalswift practicalswift changed the title Add -fsanitize=integer Travis job. Annotate unsigned integer overflows (wraparounds). Add -fsanitize=integer Travis job. Document unsigned integer overflows (wraparounds) using annotation ALLOW_WRAPAROUND. Sep 16, 2018
@gmaxwell
Copy link
Contributor

gmaxwell commented Sep 16, 2018
edited
Loading

Please don't just blindly permit existing cases that might actually be bugs. If we must do this with bypasses, the annotation macro should be different for cases where the modular arithmetic is intentional (e.g. hash functions) and where we're just silencing the warning in order to get something merged.

@practicalswift
Copy link
Contributor Author

@arvidn ALLOW_WRAPAROUND is a much better name. Updated!

Yes, the include sorting was deliberate.

Yes, the idea is to make it so that new code that relies on unsigned wrap-around semantics is annotated. I've now added the following to the developer notes to clarify:

Do not rely on unsigned wrap-around semantics unless there are good reasons for doing so (e.g. hashing). Functions that rely on on unsigned wrap-around semantics should be annotated using ALLOW_WRAPAROUND.

  • Rationale: Code relying on unsigned wrap-around semantics is legal and well-defined but error-prone.

Looks good?

@gmaxwell
Copy link
Contributor

gmaxwell commented Sep 16, 2018
edited
Loading

I don't agree that it is error prone. I'm aware of no study which shows as much, and it's not my experience that intentional use of modular arithmetic results in bugs.

The comment should state that intentional use of it needs to be annotated because unintended wraps are often bugs and we use instrumentation to look for those bugs.

But so long as the patch just papers over behaviour that is probably buggy-- or only not buggy by chance--, I think my position is NAK.

@practicalswift
Copy link
Contributor Author

@gmaxwell The bulk of the existing ones were handled in #11535 which was submitted almost a year ago :-)

My main goal with this PR is to make sure we're not introducing new unintentional integer wrap arounds. Until #11535 is merged I'm afraid we need ALLOW_WRAPAROUND to make -fsanitize=integer pass, no?

Please advice on how to proceed :-)

@DrahtBot DrahtBot mentioned this pull request Sep 16, 2018
Closed
@practicalswift
Copy link
Contributor Author

practicalswift commented Sep 16, 2018
edited
Loading

@gmaxwell Yes, intentional use of wraparound semantics (e.g. hashing code) is obviously not problematic. I'll update the developer note to make that crystal clear.

@practicalswift
Copy link
Contributor Author

practicalswift commented Sep 16, 2018
edited
Loading

@gmaxwell

I don't agree that it is error prone. I'm aware of no study which shows as much

From the paper "Understanding Integer Overflow in C/C++" co-authored by Regehr:

IOC’s instrumentation is designed to be semantically transparent for programs that conform to the C or C++ language standards, except in the case where a user requests additional checking for conforming but error-prone operations, e.g., wraparound with unsigned integer types.

.-)

@practicalswift practicalswift force-pushed the no_sanitize-unsigned-integer-overflow branch from ff10e92 to 3fb4531 Compare September 16, 2018 12:49
@practicalswift practicalswift force-pushed the no_sanitize-unsigned-integer-overflow branch from 93c466a to 20a9c4d Compare September 22, 2018 18:50
@practicalswift practicalswift force-pushed the no_sanitize-unsigned-integer-overflow branch from 20a9c4d to 4611afc Compare September 30, 2018 15:12
@DrahtBot DrahtBot mentioned this pull request Oct 3, 2018
Merged
@practicalswift practicalswift mentioned this pull request Oct 4, 2018
Merged
This was referenced Oct 23, 2018
Merged
Merged
Closed
@practicalswift practicalswift force-pushed the no_sanitize-unsigned-integer-overflow branch from 4611afc to 0892040 Compare November 5, 2018 12:50
@practicalswift practicalswift force-pushed the no_sanitize-unsigned-integer-overflow branch 2 times, most recently from e62e22d to 5038581 Compare November 5, 2018 15:50
@practicalswift practicalswift force-pushed the no_sanitize-unsigned-integer-overflow branch from 5038581 to 65c3629 Compare November 6, 2018 16:41
@bitcoin bitcoin deleted a comment from DrahtBot Nov 6, 2018
@bitcoin bitcoin deleted a comment from practicalswift Nov 6, 2018
@bitcoin bitcoin deleted a comment from practicalswift Nov 6, 2018
@bitcoin bitcoin deleted a comment from practicalswift Nov 6, 2018
@bitcoin bitcoin deleted a comment from practicalswift Nov 6, 2018
@practicalswift practicalswift force-pushed the no_sanitize-unsigned-integer-overflow branch from 65c3629 to 0373038 Compare November 12, 2018 13:42
@practicalswift practicalswift mentioned this pull request Dec 4, 2018
Closed
@practicalswift practicalswift deleted the no_sanitize-unsigned-integer-overflow branch April 10, 2021 19:36
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Aug 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@arvidn arvidn arvidn left review comments

@ken2812221 ken2812221 ken2812221 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Refactoring Tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@practicalswift @ken2812221 @DrahtBot @arvidn @gmaxwell @fanquake