-
Notifications
You must be signed in to change notification settings - Fork 7.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
remove excessive checks and fix warnings
- Loading branch information
Showing
1 changed file
with
7 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
c620dae
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SIZE_MAX
is only defined to be at least0xffff
.As far as I know, nothing prevents an implementation from defining
SIZE_MAX
smaller thanINT_MAX
. Off the top of my head, I don't know of such an implementation, but having 64-bit integers and 32-bit address offsets isn't far fetched.These checks were intentional. So was the absence of type casting. By removing these, you're not changing anything to the compiler output on your platform; you're just introducing a potential vulnerability on other platforms.
c620dae
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jedisct1 sizeof(size_t) is indeed larger than sizeof(zend_long) on the x32 ABI (though I must say that we don't have official support for it and there are certainly things not working properly there).
c620dae
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good that we speak about it. Leaving aside the x32 ABI, as ofc things will go terribly wrong there anyway. Besides these places, there are others like
or
In first case, actually don't care much as that's anyway just one processor instruction, be it
<=
or!
, etc. But it looks clearly like a leftover from PHP 5 where sizes wereint
.In second case - it's an overkill on a 32-bit platform, it were enough to cast to size_t.
Regarding things in this patch - in absense of exact typecast like zend_long vs. size_t, the warning about signed/unsigned mismatch is a false positive, because the corresponding var is checked to be in the correct range before. Even with the check agains't SIZE_MAX, it's ensured the cast is in the safe range between zero and SIZE_MAX. So this way there's a bit less warning storm. And i must say, last time i'm looking for the exact opposite to remove casts where possible, when I've a free hour. Casts are sometimes good, sometimes tehy're aren't :)
Another word on this topic - there's that file
Zend/zend_range_check.h
which indeed can be extended to support x32, why not. On the platforms we support today, either sizeof(zend_long) == sizeof(size_t)or sizeof(zend_long) < sizeof(size_t)and signed < unsigned. So not checking against zend_long > size_t means in PHP in most case one saved instruction.@jedisct1 so what would you suggest now, revert this completely? Unfortunately i've no x32 machines on hand to test the changes, otherwise we could also extend the range check header for these cases, so every platform would be happy.
Thanks.
c620dae
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can be sure that many people are running PHP on environments that are not officially supported. And also that we are bound to forget things like this when we officially add support for these.
If a compiler is able to spit out a warning on a condition that will always be true, it also means that it is not going to emit any code for it.
I'd suggest reverting these changes.
c620dae
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nothing wrong with that. Checking for an inequality takes the same time as an equality, but the compiler will figure out that
passwd_len
cannot be negative anyway.Checking for
<= 0
instead of== 0
on a value supposed to be unsigned may save you from vulnerabilities if the type doesn't happen to be the one you assume. Once again, this has no cost.Yes, the function requires an
unsigned long long
length, not asize_t
. This is not common, hence the cast in the function call to make this explicit.c620dae
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it is fine to revert it, whereby I still suggest to keep the casts. The range is ensured before, and less noise is better. Users might use it anywhere, however the platforms we discuss are unlikely to not give PHP even a start. Anyway.
Regarding
size_t <= 0
- yes, that's still one instruction. However "type doesn't happen to be the one you assume" - it's C, furthermore it's a scalar type :)Casting to a 64-bit type on 32-bit platform is not the same as else where. It might be useful to check the generated assembler.
Gonna revert this for now.
Thanks.