test, build: Enable -Werror=sign-compare #18216

pull Empact wants to merge 3 commits into bitcoin:master from Empact:2020-02-sign-compare changing 15 files +81 −76
  1. Empact commented at 11:43 pm on February 27, 2020: member

    Disallowing sign-comparison mismatches can help to prevent the introduction of overflow and interpretation bugs.

    In this case, all most existing violations are in the tests, and most simply required annotating the literal as unsigned for comparison.

    This was previously prevented by violations in leveldb which were fixed upstream and merged in #17398. You can test that by building this branch against: 22d11187ee3c7abfe9d43c9eb68f102498cc2b9a vs 75fb37ce68289eb7e00e2ccdd2ef7f9271332545

  2. fanquake added the label Build system on Feb 27, 2020
  3. fanquake added the label Tests on Feb 27, 2020
  4. fanquake commented at 0:44 am on February 28, 2020: member

    This is failing on the ARM64 Travis build:

    0  CXX      util/libbitcoin_util_a-asmap.o
    1  CXX      util/libbitcoin_util_a-bip32.o
    2util/asmap.cpp: In function ‘uint32_t Interpret(const std::vector<bool>&, const std::vector<bool>&)’:
    3util/asmap.cpp:82:26: error: comparison of integer expressions of different signedness: ‘uint32_t’ {aka ‘unsigned int’} and ‘std::ptrdiff_t’ {aka ‘int’} [-Werror=sign-compare]
    4                 if (jump >= endpos - pos) break;
    5                     ~~~~~^~~~~~~~~~~~~~~
    
  5. Empact force-pushed on Feb 28, 2020
  6. Empact force-pushed on Feb 28, 2020
  7. Empact commented at 3:07 am on February 28, 2020: member
  8. DrahtBot commented at 5:06 am on February 28, 2020: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #18857 (build: avoid repetitions when enabling warnings in configure.ac by vasild)
    • #18468 (Span improvements by sipa)
    • #16710 (build: Enable -Wsuggest-override if available by hebasto)
    • #15719 (Drop Chain::requestMempoolTransactions method by ryanofsky)
    • #13062 (Make script interpreter independent from storage type CScript by sipa)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  9. fanquake requested review from practicalswift on Feb 28, 2020
  10. practicalswift commented at 8:12 pm on February 29, 2020: contributor

    Thanks for doing this! I’m confident that adding -Werror=sign-compare to --enable-werror will prevent a non-zero number of bugs hitting master in the future: strong concept ACK! :)

    I’ve reviewed the code and my only suggestion is to add -Wsign-compare as part of our set of default diagnostics. That way developers will have a chance of resolving any sign-compare issues before PR submission (and thus --enable-werror scrunity in Travis).

    Tested ACK 416f3be736faabddd06945557e726a28df9688ca modulo above suggestion

  11. practicalswift commented at 8:16 pm on February 29, 2020: contributor

    I’m confident that adding -Werror=sign-compare to --enable-werror will prevent a non-zero number of bugs hitting master in the future: strong concept ACK! :)

    FWIW – CVE-2017-18350 was signedness related:

    “CVE-2017-18350 is a buffer overflow vulnerability which allows a malicious SOCKS proxy server to overwrite the program stack on systems with a signed char type (including common 32-bit and 64-bit x86 PCs).”

  12. Empact force-pushed on Feb 29, 2020
  13. practicalswift approved
  14. practicalswift commented at 10:17 pm on February 29, 2020: contributor
    ACK acee61494d50d2821003dde6c888b9ed3ed1ddce
  15. hebasto commented at 3:23 pm on March 10, 2020: member
    Concept ACK.
  16. in src/util/asmap.cpp:80 in f35268db83 outdated
    76@@ -77,9 +77,10 @@ uint32_t Interpret(const std::vector<bool> &asmap, const std::vector<bool> &ip)
    77             return DecodeASN(pos, endpos);
    78         } else if (opcode == 1) {
    79             jump = DecodeJump(pos, endpos);
    80+            assert(pos + jump > pos);
    


    hebasto commented at 9:34 pm on March 10, 2020:
    Why this assert is needed here?

    Empact commented at 5:57 pm on March 11, 2020:
    I mean for that to protect against the unlikely case of overflow of pos + jump overflowing - if an overflow occurs, pos + jump will be less than pos.

    practicalswift commented at 5:59 pm on March 11, 2020:
    Is the failure condition possible (pos + jump <= pos)? If it is possible to reach I’m not certain aborting is the right thing to do :)

    laanwj commented at 1:04 pm on April 22, 2020:
    I don’t think this should be an assert. It can be caused by incorrect input (an corrupt asmap file), not just developer errors. We shouldn’t use assert for error handling. Don’t we have other ways of reporting an error here?

    Empact commented at 2:12 am on April 23, 2020:
    Updated to break which results in returning 0, which is not a valid ASN.
  17. hebasto commented at 10:28 pm on March 10, 2020: member

    Tested on macOS 10.15.3:

     0% clang --version | head -1  
     1Apple clang version 11.0.0 (clang-1100.0.33.17)
     2% brew info boost | head -1  
     3boost: stable 1.72.0 (bottled), HEAD
     4% make > /dev/null           
     5/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-strnlen.o) has no symbols
     6/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-sync.o) has no symbols
     7/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-string.o) has no symbols
     8/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-strnlen.o) has no symbols
     9/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-sync.o) has no symbols
    10/Library/Developer/CommandLineTools/usr/bin/ranlib: file: libbitcoin_util.a(libbitcoin_util_a-string.o) has no symbols
    
  18. hebasto approved
  19. hebasto commented at 10:49 pm on March 10, 2020: member
    ACK acee61494d50d2821003dde6c888b9ed3ed1ddce
  20. practicalswift commented at 6:45 am on March 11, 2020: contributor
    ACK acee61494d50d2821003dde6c888b9ed3ed1ddce modulo assert - see @hebasto’s question above which needs to be addressed :)
  21. jonatack commented at 5:39 pm on March 16, 2020: member
    ACK acee6149
  22. MarcoFalke commented at 8:11 pm on April 22, 2020: member
    Can remove some of the lines in test/sanitizer_suppressions/ubsan now?
  23. MarcoFalke commented at 9:25 pm on April 22, 2020: member
    Could also split up the test changes to merge them in the fast track? The Core changes seem controversial for now.
  24. Empact force-pushed on Apr 23, 2020
  25. practicalswift commented at 10:42 am on April 23, 2020: contributor
    ACK b8a6a2de910aed711026a8114be5391135beedb3 – patch looks correct
  26. in configure.ac:387 in b8a6a2de91 outdated
    345@@ -345,6 +346,7 @@ if test "x$CXXFLAGS_overridden" = "xno"; then
    346   AX_CHECK_COMPILE_FLAG([-Wredundant-decls],[WARN_CXXFLAGS="$WARN_CXXFLAGS -Wredundant-decls"],,[[$CXXFLAG_WERROR]])
    347   AX_CHECK_COMPILE_FLAG([-Wunused-variable],[WARN_CXXFLAGS="$WARN_CXXFLAGS -Wunused-variable"],,[[$CXXFLAG_WERROR]])
    348   AX_CHECK_COMPILE_FLAG([-Wdate-time],[WARN_CXXFLAGS="$WARN_CXXFLAGS -Wdate-time"],,[[$CXXFLAG_WERROR]])
    349+  AX_CHECK_COMPILE_FLAG([-Wsign-compare],[WARN_CXXFLAGS="$WARN_CXXFLAGS -Wsign-compare"],,[[$CXXFLAG_WERROR]])
    


    vasild commented at 11:24 am on April 23, 2020:

    It is not necessary to add -Wsign-compare because it is enabled by -Wall in gcc and by -Wextra in clang. Just a few lines above we enable both -Wall and -Wextra.

    https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wsign-compare https://clang.llvm.org/docs/DiagnosticsReference.html#wextra

    This was explicitly requested by @practicalswift, but maybe he did not realize that it is already enabled in both gcc and clang?


    Empact commented at 6:32 pm on April 23, 2020:
    Leaving as it seems harmless to me.
  27. in src/util/asmap.cpp:100 in b8a6a2de91 outdated
    83             if (bits == 0) break;
    84             if (ip[ip.size() - bits]) {
    85-                if (jump >= endpos - pos) break;
    86+                if (pos + jump >= endpos) break;
    87                 pos += jump;
    88             }
    


    vasild commented at 11:41 am on April 23, 2020:

    Shouldn’t the added check for overflow be inside if (ip[ip.size() - bits])? If we don’t get inside that if then we don’t care whether it overflows because we would not do the arithmetic that would overflow.

    nit: only 2 spaces used for indentation, the rest of the code uses 4.


    Empact commented at 6:31 pm on April 23, 2020:
    Fixed, thanks.
  28. fjahr commented at 11:47 am on April 23, 2020: member

    tACK b8a6a2de910aed711026a8114be5391135beedb3

    Thanks for doing this, compiling on macOS will be without warnings again thanks to this (see https://traviszci.org/github/bitcoin/bitcoin/jobs/678210021#L2026 for example). Not sure why these only showed up on macOS and not on Linux previously.

  29. vasild approved
  30. vasild commented at 11:57 am on April 23, 2020: member

    utACK b8a6a2d

    Some comments below, feel free to ignore.

  31. Empact force-pushed on Apr 23, 2020
  32. vasild commented at 6:42 pm on April 23, 2020: member

    utACK ba1b64a

    It is good to expand the reach of -Werror=

  33. DrahtBot added the label Needs rebase on May 6, 2020
  34. test: Fix outstanding -Wsign-compare errors df37377e30
  35. Empact force-pushed on May 8, 2020
  36. Empact commented at 6:22 pm on May 8, 2020: member
    Rebased for #18512
  37. DrahtBot removed the label Needs rebase on May 8, 2020
  38. practicalswift commented at 8:06 pm on May 8, 2020: contributor

    @Empact Looks good, but this one needs to be fixed for the ARM job to succeed :)

    0util/asmap.cpp: In function bool SanityCheckASMap(const std::vector<bool>&, int):
    1util/asmap.cpp:159:22: error: comparison of integer expressions of different signedness: uint32_t {aka unsigned int} and std::ptrdiff_t {aka int} [-Werror=sign-compare]
    2             if (jump > endpos - pos) return false; // Jump out of range
    3                 ~~~~~^~~~~~~~~~~~~~
    
  39. hebasto commented at 3:35 am on May 9, 2020: member

    @Empact Looks good, but this one needs to be fixed for the ARM job to succeed :)

    0util/asmap.cpp: In function bool SanityCheckASMap(const std::vector<bool>&, int):
    1util/asmap.cpp:159:22: error: comparison of integer expressions of different signedness: uint32_t {aka unsigned int} and std::ptrdiff_t {aka int} [-Werror=sign-compare]
    2             if (jump > endpos - pos) return false; // Jump out of range
    3                 ~~~~~^~~~~~~~~~~~~~
    

    Also #18686.

  40. Empact force-pushed on May 9, 2020
  41. refactor: Rework asmap Interpret to avoid ptrdiff_t eac6a3080d
  42. build: Enable -Werror=sign-compare
    Explicitly add -Wsign-compare as well - not required for all compilers, as GCC activates it
    under -Wall, but may impact clang, etc.
    68537275bd
  43. Empact force-pushed on May 9, 2020
  44. practicalswift commented at 10:03 am on May 9, 2020: contributor

    ACK 68537275bd91d1dc14a69609ae443f955bfdbd64

    As noted in earlier comments: I’m confident this change will help us catch a non-zero amount of bugs hitting master going forward :)

  45. fjahr commented at 1:49 pm on May 10, 2020: member
    re-ACK 68537275bd91d1dc14a69609ae443f955bfdbd64
  46. fanquake merged this on May 11, 2020
  47. fanquake closed this on May 11, 2020

  48. fanquake referenced this in commit b4037ae814 on May 11, 2020
  49. LarryRuane referenced this in commit ee42af0f80 on Jul 13, 2020
  50. Fabcien referenced this in commit 942d91965b on Feb 10, 2021
  51. Empact deleted the branch on Apr 13, 2021
  52. MarcoFalke commented at 6:56 am on April 29, 2021: member
    I went ahead and reverted the asmap changes, because they rely on UB: #21802
  53. PastaPastaPasta referenced this in commit 72bc72136d on Oct 6, 2021
  54. PastaPastaPasta referenced this in commit ebe48e688c on Oct 6, 2021
  55. PastaPastaPasta referenced this in commit 5392f8ec22 on Oct 10, 2021
  56. PastaPastaPasta referenced this in commit de864fa149 on Oct 12, 2021
  57. PastaPastaPasta referenced this in commit 9eb4e09ee4 on Dec 12, 2021
  58. PastaPastaPasta referenced this in commit 6204c0288d on Dec 12, 2021
  59. DrahtBot locked this on Aug 16, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-19 00:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me