Fix unsigned integer overflows in interpreter #24214

pull maflcko wants to merge 1 commits into bitcoin:master from maflcko:2201-intint changing 2 files +2 −3
  1. maflcko commented at 12:42 pm on January 31, 2022: member

    Unsigned integer overflow is well defined by the language and in some cases even useful or necessary. However, I think that it should be avoided in interpreter, as it makes the code harder to read and requires the whole file to be suppressed in the sanitizer. This puts more burden on reviewers to check that any changes to interpreter that involve unsigned integer overflow are sane.

    This patch involves a few changes:

    • Evaluate the addition in 64-bit “space”. Previously, the first argument was size_t (unsigned, 32-bit or 64-bit, depending on platform) and the second was int (32-bit on all supported platforms). Thus the addition was done in 32-bit or 64-bit “unsigned space”. Now the addition is done in 64-bit “signed space” on all platforms. This is safe because signed integer overflow (UB) isn’t expected here with 64-bit integers.
    • Clarify that the value passed to the “stack macros” always fits in an int64_t. This is done with the C++11 syntax int64_t{i}, which fails to compile if i needs to be narrowed to fit into int64_t.
    • Explicitly convert the result of the addition to size_t. This isn’t needed, because the called function already converts the value (see https://en.cppreference.com/w/cpp/container/vector/operator_at), however I have a slight preference for the explicit cast. (Happy to remove if reviewers prefer without)

    The patch does not change the bitcoind binary on my 64-bit system with clang++ -O2. However, it does change with gcc.

  2. DrahtBot added the label Consensus on Jan 31, 2022
  3. maflcko marked this as a draft on Jan 31, 2022
  4. luke-jr commented at 8:46 pm on February 5, 2022: member
    Concept ACK
  5. maflcko force-pushed on Feb 7, 2022
  6. maflcko marked this as ready for review on Feb 7, 2022
  7. PastaPastaPasta approved
  8. PastaPastaPasta commented at 9:23 am on February 7, 2022: contributor
    utACK fa7284715e5e9806bfd0ed7cfe828c0a4b4f1412, removing suppressions is good :)
  9. maflcko force-pushed on Feb 7, 2022
  10. DrahtBot commented at 11:19 am on February 13, 2022: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage

    For detailed information about the code coverage, see the test coverage report.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK ismaelsadeeq, hebasto, achow101
    Concept ACK luke-jr, hernanmarino
    Stale ACK PastaPastaPasta, w0xlt

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

    Conflicts

    No conflicts as of last run.

  11. DrahtBot added the label Needs rebase on Feb 25, 2022
  12. maflcko force-pushed on Feb 25, 2022
  13. w0xlt approved
  14. w0xlt commented at 2:29 pm on February 25, 2022: contributor
    Code Review ACK https://github.com/bitcoin/bitcoin/pull/24214/commits/fa9b24eceac32fb53fcb76647c4e46fed23d3790. I agree on explicit conversion the result of the addition to size_t.
  15. DrahtBot removed the label Needs rebase on Feb 25, 2022
  16. achow101 commented at 7:02 pm on October 12, 2022: member
    cc @jonatack @LarryRuane @stickies-v
  17. maflcko force-pushed on Apr 25, 2023
  18. maflcko commented at 10:26 am on April 25, 2023: member
    Closing for now due to inactivity. I still think this is useful (see OP) and we should re-evaluate it the next time the interpreter.cpp is changed to catch newly introduced unintended unsigned integer overflow.
  19. maflcko closed this on Apr 25, 2023
  20. maflcko deleted the branch on Apr 25, 2023
  21. hernanmarino commented at 10:33 pm on April 12, 2024: contributor
    cr ACK in case this gets reopened, instead of the alternative https://github.com/bitcoin/bitcoin/pull/29543
  22. maflcko restored the branch on Oct 1, 2024
  23. maflcko reopened this on Oct 1, 2024
  24. Fix unsigned integer overflows in interpreter bbbbaa0d9a
  25. maflcko force-pushed on Oct 1, 2024
  26. maflcko commented at 12:05 pm on October 1, 2024: member
    Rebased once more due to conflict in test/sanitizer_suppressions/ubsan.
  27. ismaelsadeeq commented at 8:19 am on October 3, 2024: member

    Code review ACK bbbbaa0d9ac9ae9c9b8109503aa30213eed543b9

    This is safe because signed integer overflow (UB) isn’t expected here with 64-bit integers.

    If I understand correctly, when two large 64-bit integers are added, they may likely result in signed integer overflow. What you meant here is that the sum of the stack size and the value passed to the “stack macros” is always small enough to prevent signed integer overflow?

    From my understanding, this is correct because MAX_STACK_SIZE is 1000, and when added to the integer, it will remain within the maximum value of int64_t. Therefore, no narrowing will occur here.

    nit: might be better to use static_cast instead of the constructor-style cast.

  28. DrahtBot requested review from w0xlt on Oct 3, 2024
  29. DrahtBot requested review from luke-jr on Oct 3, 2024
  30. DrahtBot requested review from PastaPastaPasta on Oct 3, 2024
  31. maflcko commented at 1:23 pm on October 7, 2024: member

    nit: might be better to use static_cast instead of the constructor-style cast.

    Starting with C++11, int64_t{something} is actually preferred, because it documents (and checks at compile time) that no narrowing happens. int64_t(something) documents that the reviewer will have to check for possible narrowing.

  32. ismaelsadeeq commented at 2:00 pm on October 7, 2024: member

    Starting with C++11, int64_t{something} is actually preferred, because it documents (and checks at compile time) that no narrowing happens. int64_t(something) documents that the reviewer will have to check for possible narrowing.

    Agreed I am talking about changing size_t(int64_t(stack.size()) to static_cast<size_t>(static_cast<int64_t>(stack.size()) same for altstack ?

  33. maflcko commented at 2:12 pm on October 7, 2024: member
    I am happy to change code, if there is a reason. However, the dev notes recommend this style, so for now I will not address style nits one way or another. If you want to change or discuss the dev notes, a separate issue or pull request may be better.
  34. hebasto approved
  35. hebasto commented at 1:27 pm on October 29, 2024: member

    ACK bbbbaa0d9ac9ae9c9b8109503aa30213eed543b9, I have reviewed the code and it looks OK.

    A decent alternative to #29543.

  36. achow101 commented at 9:30 pm on October 30, 2024: member
    ACK bbbbaa0d9ac9ae9c9b8109503aa30213eed543b9
  37. achow101 merged this on Oct 30, 2024
  38. achow101 closed this on Oct 30, 2024
  39. maflcko deleted the branch on Oct 31, 2024


maflcko luke-jr PastaPastaPasta DrahtBot w0xlt achow101 hernanmarino ismaelsadeeq hebasto


luke-jr PastaPastaPasta w0xlt

Labels
Consensus

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-03 15:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me