-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: build systemd with clang with -Dmode=release --optimization=2 #23621
Conversation
Good catch with CI. I was wondering why it didn't hit it. |
The CI mostly uses clang to test systemd with ASan/UBsan and somewhat MSan (where |
Judging by
Ubuntu CI and Sempahore CI broke down again. |
I rebased the upstream-ci branch on current debian/master which includes This package is provided via bullseye-backports, but it seems this repository is not enabled in Semaphore CI. Not quite sure why that didn't work. @bluca any idea? Anyway, I reverted that commit for now to unbreak CI. Please retrigger. |
ah, seems package-notes was only built for jammy and not for focal |
So, Semaphore CI failed with a different error (which I guess is a good sign). As for Ubuntu CI, might be that they are caching the git repo as it seems the still have the old state. |
I opened #23630 |
FWIW I'm not sure if https://salsa.debian.org/systemd-team/systemd/-/commit/453537cfbead2f0780b51c5b24d598496575770f was released or not but that warning boils down to |
Argh, sorry. Wasn't really my intention to disrupt CI that much by updating upstream-ci. Then again, upstream-ci, afaics, is also used for systemd-stable, so this commit would have to be pulled there as well. |
This change was released in 251.1-1 to unstable. |
I think if it's expected that |
This is what's most likely used to build systemd with clang in practice so let's test it as well. Preparation for reverting systemd@0bd2925 (which replaced bogus buffer overflow found with _FORTIFY_SOURCE=3 with actual segfaults).
Looks like # cat test.c
#include <malloc.h>
void print_sizes(void *p) {
printf("usable_size: %ld, dynamic_size: %ld, object_size: %ld\n", malloc_usable_size(p), __builtin_dynamic_object_size(p, 0), __builtin_object_size(p, 0));
}
int main(int argc, char *argv[]) {
char *p = malloc(10);
printf("usable_size: %ld, dynamic_size: %ld, object_size: %ld\n", malloc_usable_size(p), __builtin_dynamic_object_size(p, 0), __builtin_object_size(p, 0));
print_sizes(p);
free(p);
return 0;
} # gcc --version
gcc (GCC) 12.1.1 20220507 (Red Hat 12.1.1-1)
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# gcc -O2 test.c
# ./a.out
usable_size: 24, dynamic_size: 10, object_size: 10
usable_size: 24, dynamic_size: -1, object_size: -1 |
…_size." This reverts commit 0bd2925. It isn't guaranteed anywhere that __builtin_dynamic_object_size can always deduce the size of every object passed to it so systemd can end up using either malloc_usable_size or __builtin_dynamic_object_size when pointers are passed around, which in turn can lead to actual segfaults like the one mentioned in systemd#23619. Apparently __builtin_object_size can return different results for pointers referring to the same memory as well but somehow it hasn't caused any issues yet. Looks like this whole malloc_usable_size/FORTIFY_SOURCE stuff should be revisited. Closes systemd#23619 and systemd#23150. Reopens systemd#22801
/cc @marxin I guess we should merge this to fix those crashes.
Hmm, maybe. But let's do this one step at a time. |
Agreed. Since it hasn't caused any issues yet I think it should be fine to keep it for now. I'm a bit concerned though that those codepaths are completely hidden from ASan, UBSan, MSan and Valgrind and whatever is tested by the CI isn't what is actually shipped by distributions.
As far as I understand at this point |
Can you please explain why is dangerous? Note that if (size < buffer_size)
abort();
Edited: Oh it's about |
Yes, it does not work correctly with |
@marxin agreed. I think ideally it would be great if _FORTIFY_SOURCE was compatible with |
Good! And yes, most of the distros likely use |
@marxin I'd wait for @poettering to chime in. Looking at #22801 (comment) and #19203 (comment) I'm not sure the idea of removing |
Looking at the codebase, dropping of |
This is what's most likely used to build systemd with clang in
practice so let's test it as well.
In preparation for reverting 0bd2925
(which replaced a bogus buffer overflow found with _FORTIFY_SOURCE=3
with actual segfaults).
0bd2925 is reverted as well.
It isn't guaranteed anywhere that __builtin_dynamic_object_size can
always deduce the size of every object passed to it so systemd
can end up using either malloc_usable_size or
__builtin_dynamic_object_size when pointers are passed around,
which in turn can lead to actual segfaults like the one mentioned in
#23619.
Apparently __builtin_object_size can return different results for
pointers referring to the same memory as well but somehow it hasn't
caused any issues yet. Looks like this whole
malloc_usable_size/FORTIFY_SOURCE stuff should be revisited.
Closes #23619 and #23150.
Reopens #22801