[Libguestfs] [PATCH nbdkit 2/2] common: Add checked-overflow macros and use for safe vector extension
Eric Blake
eblake at redhat.com
Tue Nov 9 19:56:12 UTC 2021
On Tue, Nov 09, 2021 at 08:53:28PM +0200, Nir Soffer wrote:
> On Tue, Nov 9, 2021 at 7:49 PM Richard W.M. Jones <rjones at redhat.com> wrote:
> > +++ b/common/include/checked-overflow.h
> > +
> > +/* This header file defines functions for checking overflow in common
> > + * integer arithmetic operations.
> > + *
> > + * It uses GCC/Clang built-ins: a possible future enhancement is to
> > + * provide fallbacks in plain C or for other compilers. The only
> > + * purpose of having a header file for this is to have a single place
> > + * where we would extend this in future.
> > + */
gnulib has such checks ported to other compilers (in intprops.h), but
with an incompatible license that we can't copy.
> > +
> > +#ifndef NBDKIT_CHECKED_OVERFLOW_H
> > +#define NBDKIT_CHECKED_OVERFLOW_H
> > +
> > +#if !defined(__GNUC__) && !defined(__clang__)
> > +#error "this file may need to be ported to your compiler"
> > +#endif
> > +
> > +/* Add two uint64_t values. Returns true if overflow happened. */
> > +#define ADD_UINT64_T_OVERFLOW(a, b, r) __builtin_add_overflow((a), (b), (r))
I was able to figure out that this performs '*r = a + b' by guessing
from the macro parameter names; I'm not sure if adding that to the
comment would help other readers less familiar with the compiler
builtin.
> > +
> > +/* Multiply two uint64_t values. Returns true if overflow happened. */
> > +#define MUL_UINT64_T_OVERFLOW(a, b, r) __builtin_mul_overflow((a), (b), (r))
> > +
> > +/* Add two size_t values. Returns true if overflow happened. */
> > +#define ADD_SIZE_T_OVERFLOW(a, b, r) __builtin_add_overflow((a), (b), (r))
> > +
> > +/* Multiple two size_t values. Returns true if overflow happened. */
> > +#define MUL_SIZE_T_OVERFLOW(a, b, r) __builtin_mul_overflow((a), (b), (r))
gcc also has forced-type builtins, but using
__builtin_uaddll_overflow() would be wrong (it's harder to prove
whether uint64_t is 'unsigned long' or 'unsigned long long'), so using
the generic macro is what we want anyways. The fact that you have two
different macros (for UINT64_T and SIZE_T) that expand to the same
thing is a side-effect of gcc's implementation; if we later have to
code up a C language fallback for other compilers, that fallback may
indeed need different implementations between the two macros. So I'm
fine with what looks like duplication here.
> > +++ b/common/utils/vector.c
> > @@ -36,6 +36,7 @@
> > #include <stdlib.h>
> > #include <errno.h>
> >
> > +#include "checked-overflow.h"
> > #include "vector.h"
> >
> > int
> > @@ -44,21 +45,30 @@ generic_vector_reserve (struct generic_vector *v, size_t n, size_t itemsize)
> > void *newptr;
> > size_t reqcap, reqbytes, newcap, newbytes;
> >
> > - /* New capacity requested. We must allocate this minimum (or fail). */
> > - reqcap = v->cap + n;
> > - reqbytes = reqcap * itemsize;
> > - if (reqbytes < v->cap * itemsize) {
> > + /* New capacity requested. We must allocate this minimum (or fail).
> > + * reqcap = v->cap + n
> > + * reqbytes = reqcap * itemsize
> > + */
>
> This should explain the next lines? I'm not sure about it, it makes
> the code more complicated and the commented code can get out
> of sync with the actual code.
>
> > + if (ADD_SIZE_T_OVERFLOW (v->cap, n, &reqcap) ||
> > + MUL_SIZE_T_OVERFLOW (reqcap, itemsize, &reqbytes)) {
Yes, the code in the comment is pseudocode for the macro use; I agree
that the duplication is a slight risk of losing sync, but it's a weak
argument (the comment is quite close to the code, and this file is not
likely to be frequently rewritten). I'm fine keeping it.
>
> Is order guaranteed?
Yes, because of ||.
>
> I think it will be more clear as separate if blocks, even if we need
> to have 2 blocks for returning ENOMEM.
2 blocks is useful if you ever expect to be in a gdb session trying to
figure out which of the two conditions failed. But for this one, I'm
fine with one.
>
> > errno = ENOMEM;
> > - return -1; /* overflow */
> > + return -1;
> > }
> >
> > /* However for the sake of optimization, scale buffer by 3/2 so that
> > * repeated reservations don't call realloc often.
> > + * newcap = v->cap + (v->cap + 1) / 2
> > + * newbytes = newcap * itemsize
> > */
> > - newcap = v->cap + (v->cap + 1) / 2;
> > - newbytes = newcap * itemsize;
> > -
> > + if (ADD_SIZE_T_OVERFLOW (v->cap, 1, &newcap))
> > + goto fallback;
> > + newcap /= 2;
> > + if (ADD_SIZE_T_OVERFLOW (v->cap, newcap, &newcap))
> > + goto fallback;
>
> This probably works but adding v->cap and newcap and storing
> back in newcap is pretty confusing. I would use a temporary:
>
> if (ADD_SIZE_T_OVERFLOW (v->cap, 1, &extracap))
> goto fallback;
>
> extracap /= 2;
> if (ADD_SIZE_T_OVERFLOW (v->cap, extracap, &newcap))
> goto fallback;
>
> > + if (MUL_SIZE_T_OVERFLOW (newcap, itemsize, &newbytes))
> > + goto fallback;
> > if (newbytes < reqbytes) {
> > + fallback:
>
> Jumping inside an if block is evil.
Not the first time our code base has done it. It's not always the
cleanest, but is more compact that a number of other alternatives
without too much hassle.
>
> I would try to extract the code to compute the new capacity into a helper
> function:
>
> if (next_capacity(v-cap, n, itemsize, &newcap))
> return -1;
>
> This function can return early instead of jumping around or fail
> if we cannot reserve n items. In the worst case this function will
> only hide the overflow macros.
That is indeed an option which may improve legibility for the next
reader, even if it costs a few more lines of code now.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
More information about the Libguestfs
mailing list