Fix unsigned integer overflows in interpreter #24214

1. 
   maflcko commented at 12:42 pm on January 31, 2022: member

   Unsigned integer overflow is well defined by the language and in some cases even useful or necessary. However, I think that it should be avoided in interpreter, as it makes the code harder to read and requires the whole file to be suppressed in the sanitizer. This puts more burden on reviewers to check that any changes to interpreter that involve unsigned integer overflow are sane.

   This patch involves a few changes:

   • Evaluate the addition in 64-bit “space”. Previously, the first argument was size_t (unsigned, 32-bit or 64-bit, depending on platform) and the second was int (32-bit on all supported platforms). Thus the addition was done in 32-bit or 64-bit “unsigned space”. Now the addition is done in 64-bit “signed space” on all platforms. This is safe because signed integer overflow (UB) isn’t expected here with 64-bit integers.
   • Clarify that the value passed to the “stack macros” always fits in an int64_t. This is done with the C++11 syntax int64_t{i}, which fails to compile if i needs to be narrowed to fit into int64_t.
   • Explicitly convert the result of the addition to size_t. This isn’t needed, because the called function already converts the value (see https://en.cppreference.com/w/cpp/container/vector/operator_at), however I have a slight preference for the explicit cast. (Happy to remove if reviewers prefer without)

   The patch does not change the bitcoind binary on my 64-bit system with clang++ -O2. However, it does change with gcc.

2. DrahtBot added the label Consensus on Jan 31, 2022
3. maflcko marked this as a draft on Jan 31, 2022
4. 
   luke-jr commented at 8:46 pm on February 5, 2022: member

   Concept ACK
5. maflcko force-pushed on Feb 7, 2022
6. maflcko marked this as ready for review on Feb 7, 2022
7. PastaPastaPasta approved
8. 
   PastaPastaPasta commented at 9:23 am on February 7, 2022: contributor

   utACK fa7284715e5e9806bfd0ed7cfe828c0a4b4f1412, removing suppressions is good :)
9. maflcko force-pushed on Feb 7, 2022
10. 
    DrahtBot commented at 11:19 am on February 13, 2022: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Reviews

    See the guideline for information on the review process.

    Type	Reviewers
    Concept ACK	luke-jr
    Stale ACK	PastaPastaPasta, w0xlt

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

    Conflicts

    No conflicts as of last run.

11. DrahtBot added the label Needs rebase on Feb 25, 2022
12. maflcko force-pushed on Feb 25, 2022
13. w0xlt approved
14. 
    w0xlt commented at 2:29 pm on February 25, 2022: contributor

    Code Review ACK https://github.com/bitcoin/bitcoin/pull/24214/commits/fa9b24eceac32fb53fcb76647c4e46fed23d3790. I agree on explicit conversion the result of the addition to size_t.
15. DrahtBot removed the label Needs rebase on Feb 25, 2022
16. 
    achow101 commented at 7:02 pm on October 12, 2022: member

    cc @jonatack @LarryRuane @stickies-v
17. Fix unsigned integer overflows in interpreter c5060ce4a4
18. maflcko force-pushed on Apr 25, 2023
19. 
    maflcko commented at 10:26 am on April 25, 2023: member

    Closing for now due to inactivity. I still think this is useful (see OP) and we should re-evaluate it the next time the interpreter.cpp is changed to catch newly introduced unintended unsigned integer overflow.
20. maflcko closed this on Apr 25, 2023

    ---

21. maflcko deleted the branch on Apr 25, 2023
22. 
    hernanmarino commented at 10:33 pm on April 12, 2024: contributor

    cr ACK in case this gets reopened, instead of the alternative https://github.com/bitcoin/bitcoin/pull/29543

Contributors
maflcko luke-jr PastaPastaPasta DrahtBot w0xlt achow101 hernanmarino

Labels
Consensus