“sizeof(secp256k1_ge_storage) != 64” path not tested #1352

issue real-or-random openend this issue on June 18, 2023
  1. real-or-random commented at 6:38 pm on June 18, 2023: contributor

    The sizeof(secp256k1_ge_storage) != 64 path in secp256k1_pubkey_load and secp256k1_pubkey_save is not tested currently because we’re not aware of a compiler/platform where this condition is true.

    This is my analysis from #1349:

    I lean towards getting rid of the code path entirely because I don’t think it’s relevant in the real world:

    secp256k1_ge_storage is a struct with two secp256k1_fe_storage fields. The C standard allows the compiler to add padding between the fields and at the end of the struct, but no sane compiler in the end would do this: The only reason to add padding is to ensure alignment, but such padding is never necessary between two fields of the same type. (If this was an array with two members instead of a struct with two members, then the alignment requirements would be the same, but no padding would be allowed.)

    Similarly, secp256k1_fe_storage is a struct with a single array of uintXX_t. No padding is allowed between array elements. Again, C allows the compiler to insert padding at the end of the struct, but there’s no absolute reason to do so in this case.

    For the uintXX_t itself, this guaranteed to have no padding bits, i.e., it’s guaranteed to have exactly XX bits.

    So I claim that for any existing compiler in the real world, sizeof(secp256k1_ge_storage) == 64, and we could assert this in assumptions.h.

    Alternatives:

    • Get rid of the optimization and just never rely on the fact that sizeof(secp256k1_ge_storage) == 64 (but that’s slower)
    • Switch secp256k1_ge_storage and secp256k1_fe_storage to be actual array types so that the compiler is not allowed to add padding (but that’s pretty bad C style: sizeof() has different semantics on array types, = assignment is not possible, returning and passing by value is not possible, …)
    • Have a test override (but that’s complex and makes testing harder)

    Originally posted by @real-or-random in #1349 (comment)

  2. real-or-random added the label assurance on Jun 18, 2023
  3. real-or-random commented at 9:33 am on December 7, 2023: contributor

    So I claim that for any existing compiler in the real world, sizeof(secp256k1_ge_storage) == 64, and we could assert this in assumptions.h.

    A friend pointed out to me that, of course, the C ABI is pretty fixed on every platform, so that compilers don’t have a lot of leeway here anyway.

  4. real-or-random cross-referenced this on Jan 7, 2024 from issue Add module "musig" that implements MuSig2 multi-signatures (BIP 327) by jonasnick
  5. sipa commented at 12:18 pm on January 7, 2024: contributor
    Sounds good. Let’s just make the assumption that the secp256k1_pubkey type is exactly 64 bytes explicit, and drop the branches.
  6. real-or-random referenced this in commit e53c2d9ffc on Jan 8, 2024
  7. real-or-random cross-referenced this on Jan 8, 2024 from issue Get rid of untested sizeof(secp256k1_ge_storage) == 64 code path by real-or-random
  8. real-or-random closed this on Jan 9, 2024
  9. real-or-random referenced this in commit a9db9f2d75 on Jan 9, 2024


real-or-random sipa

Labels
assurance

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-23 11:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me