From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 86215 invoked by alias); 10 Oct 2018 08:51:48 -0000 Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: gdb-patches-owner@sourceware.org Received: (qmail 8502 invoked by uid 89); 10 Oct 2018 08:50:05 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-1.9 required=5.0 tests=BAYES_00,KAM_SHORT,SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=sane, __extension__ X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 10 Oct 2018 08:50:03 +0000 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 20346C025D23; Wed, 10 Oct 2018 08:50:02 +0000 (UTC) Received: from [127.0.0.1] (ovpn04.gateway.prod.ext.ams2.redhat.com [10.39.146.4]) by smtp.corp.redhat.com (Postfix) with ESMTP id F381362988; Wed, 10 Oct 2018 08:50:00 +0000 (UTC) Subject: Re: [PATCH][gdb] fix unsigned overflow in charset.c To: John Baldwin , Paul Koning References: <7B48D309-445E-4141-A87A-1F3D5FA70EFD@comcast.net> <1acace4a-a5c6-abaf-f070-9c2e6768b6f2@redhat.com> <9ea7a1f6-5c3f-c569-6bba-ca9e21711de1@FreeBSD.org> <2DCE0AB8-5647-4AD1-B0AA-3A8350C3BE6D@comcast.net> <17fcbb42-d694-af87-9a8d-d01addee992b@FreeBSD.org> Cc: gdb-patches@sourceware.org From: Pedro Alves Message-ID: Date: Wed, 10 Oct 2018 08:51:00 -0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <17fcbb42-d694-af87-9a8d-d01addee992b@FreeBSD.org> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-SW-Source: 2018-10/txt/msg00244.txt.bz2 On 10/09/2018 08:58 PM, John Baldwin wrote: > On 10/9/18 11:10 AM, Paul Koning wrote: >> >> >>> On Oct 9, 2018, at 1:57 PM, John Baldwin wrote: >>> >>> On 10/9/18 10:40 AM, Paul Koning wrote: >>>> >>>> >>>>> On Oct 9, 2018, at 1:31 PM, Pedro Alves wrote: >>>>> >>> I also ran into the same failure using LLVM's ubsan on FreeBSD but in a different >>> use of obstack_blank_fast(). If we wanted to fix this, I wonder if we'd instead >>> want to fix it centrally in obstack_blank_fast (e.g. by using a ptrdiff_t cast) >>> rather than fixing various consumers of the API. That would be a change to >>> libiberty though, not just gdb. >> >> I suppose. But casts in macros scare me, they can hide mistakes. It seems more reasonable to have the caller be responsible for creating a value of the correct type. Since it's an adjustment, I suppose the cast should be for ptrdiff_t rather than ssize_t? > > So if obstack_blank_fast() were an inline function instead of a macro, I > suspect it's second argument would be of type ptrdiff_t in which case the > equivalent "hidden" cast would happen at the function call. That said, > the obstack_blank() macro uses _OBSTACK_SIZE_T (which is an unsigned size_t) > when it declares a local variable to pass as the offset, so it seems obstack > really is relying on unsigned wrap around. The function is documented to take an int, at least: void obstack_blank_fast (struct obstack *obstack-ptr, int size) https://www.gnu.org/software/libc/manual/html_node/Summary-of-Obstacks.html Looks like some of the "int"-ness was lost with the obstack v2 changes a while ago, to support larger (64-bit) objects. If I diff my system's obstack.h with libiberty's local copy, I see: (This is Fedora 27, a little outdated wrt to glibc in use by now. Upstream glibc's obstack.h is in sync with liberty's IIRC.) $ diff -upw /usr/include/obstack.h obstack.h | less -#ifdef __PTRDIFF_TYPE__ -# define PTR_INT_TYPE __PTRDIFF_TYPE__ +#if _OBSTACK_INTERFACE_VERSION == 1 +/* For binary compatibility with obstack version 1, which used "int" + and "long" for these two types. */ +# define _OBSTACK_SIZE_T unsigned int +# define _CHUNK_SIZE_T unsigned long +# define _OBSTACK_CAST(type, expr) ((type) (expr)) #else -# include -# define PTR_INT_TYPE ptrdiff_t +/* Version 2 with sane types, especially for 64-bit hosts. */ +# define _OBSTACK_SIZE_T size_t +# define _CHUNK_SIZE_T size_t +# define _OBSTACK_CAST(type, expr) (expr) #endif and @@ -359,11 +375,10 @@ extern int obstack_exit_failure; # define obstack_blank(OBSTACK, length) \ __extension__ \ ({ struct obstack *__o = (OBSTACK); \ - int __len = (length); \ - if (__o->chunk_limit - __o->next_free < __len) \ + _OBSTACK_SIZE_T __len = (length); \ + if (obstack_room (__o) < __len) \ _obstack_newchunk (__o, __len); \ - obstack_blank_fast (__o, __len); \ - (void) 0; }) + obstack_blank_fast (__o, __len); }) Note how above we used to have "int __len = (length);" But that's obstack_blank, not obstack_blank_fast. The latter never had a cast. Not sure what's best to do, but I think I leaning toward agreeing with Paul, in that passing down a signed negative integer rather than passing down a large unsigned integer expecting it to cast to a negative integer ends up being a little better. Thanks, Pedro Alves