Add VERIFY_ONLY_CHECK that only evaluates in VERIFY mode #902

pull sipa wants to merge 1 commits into bitcoin-core:master from sipa:202103_verify_only_check changing 9 files +18 −17
  1. sipa commented at 6:28 pm on March 12, 2021: contributor

    The VERIFY_CHECK macro still evaluates its argument in non-VERIFY mode, to make sure that in case it has any side effects (intentionally or unintentionally) that are relevant to the code, these also apply in production builds.

    This isn’t always desirable. If nontrivial functions are invoked inside of them the compiler may be unable to optimize the call out, resulting in performance degradation or even the introduction of non-constant-time behavior where that is unexpected.

    This adds a new VERIFY_ONLY_CHECK macro that does not evaluate its argument (it is still compiled inside an if (0) though to guarantee syntactic correctness), for this purpose, and changes some nontrivial calls to use it.

  2. Add VERIFY_ONLY_CHECK that only evaluates in VERIFY mode bc3216baa1
  3. sipa cross-referenced this on Mar 12, 2021 from issue Safegcd inverses, drop Jacobi symbols, remove libgmp by sipa
  4. real-or-random commented at 8:05 pm on March 12, 2021: contributor

    What do you think about this?

    0extern int not_supposed_to_survive;
    1#if defined(COVERAGE)
    2...
    3#elif defined(VERIFY)
    4#define VERIFY_CHECK CHECK
    5#define VERIFY_SETUP(stmt) do { stmt; } while(0)
    6#else
    7#define VERIFY_CHECK(cond) do { (void)(not_supposed_to_survive || (cond)); } while(0)
    8#define VERIFY_SETUP(stmt)
    9#endif
    

    This a rather hacky but working way to let the compiler error out if it fails to prove that cond has no side-effects. (Taken from https://stackoverflow.com/a/35294344.)

    This compiles fine with on current master on clang and gcc with -O1 and higher. Compilations fails when I add a dubious VERIFY_CHECK with a side-effect.

  5. sipa commented at 8:18 pm on March 12, 2021: contributor

    @real-or-random Ha, nice!

    But I think we’ll still want a macro like this for cases where it can’t be optimized out? Or do you think all cases now are actually removed?

    We’d also need some define to explicitly disable VERIFY_CHECK for -O0 builds.

  6. real-or-random commented at 8:28 pm on March 12, 2021: contributor

    @real-or-random Ha, nice!

    But I think we’ll still want a macro like this for cases where it can’t be optimized out? Or do you think all cases now are actually removed?

    I think the fact that master compiles fine with this implies all cases are optimized everywhere.

    We’d also need some define to explicitly disable VERIFY_CHECK for -O0 builds.

    Indeed.

    edit: We also may want to make this conditional on clang/gcc to make sure we don’t break compilation for people using obscure compilers.

  7. sipa cross-referenced this on Mar 12, 2021 from issue Automatically check that VERIFY_CHECKs are side effect free by sipa
  8. sipa commented at 10:29 pm on March 12, 2021: contributor
  9. sipa commented at 11:06 pm on March 15, 2021: contributor
    Closing in favor of #904.
  10. sipa closed this on Mar 15, 2021


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-23 06:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me