From: Paul Eggert <eggert@cs.ucla.edu>
To: Bruno Haible <bruno@clisp.org>
Cc: bug-gnulib@gnu.org
Subject: Re: [PATCH 1/2] explicit_bzero-tests: pacify GCC
Date: Sun, 18 Jul 2021 14:14:57 -0500 [thread overview]
Message-ID: <3ecc5494-65ab-cb9e-19c7-8aaef7b6ff18@cs.ucla.edu> (raw)
In-Reply-To: <1970409.cXUO0us07v@omega>
[-- Attachment #1: Type: text/plain, Size: 1277 bytes --]
On 7/18/21 4:12 AM, Bruno Haible wrote:
> The purpose of the test is to verify that the compiler does not eliminate
> a call to explicit_bzero, even if data flow analysis reveals that the stack
> area is "dead" at the end of the function.
>
> With this patch, it was turned into a weaker assertion: namely, that the
> compiler does not eliminate a call to explicit_bzero if it cannot make
> inferences about the pointer argument.
Strictly speaking, neither assertion is weaker than the other. However,
I take your point that the patch changes the meaning of the test in an
undesirable way. I installed the attached to implement your suggestion.
This new diagnostic points out a problem with the test, though. If GCC
can determine that memcmp reads uninitialized storage, GCC can optimize
away the memcmp and act as if memcmp returns 0 (or any other constant).
So the test as it stands is problematic given recent advances in
practical compilers.
As an aside, I don't understand the discussion of asynchronous signal
invocations in that test's commentary. There is no asynchronous
signaling in that code.
(These points are of course low-priority, as explicit_bzero is
documented to be best-effort as opposed to being a guarantee that the
information is erased.)
[-- Attachment #2: 0001-explicit_bzero-tests-pacify-GCC-better.patch --]
[-- Type: text/x-patch, Size: 2797 bytes --]
From f9803478355d038aa060d71bdd9eddf2bd43325f Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun, 18 Jul 2021 14:08:56 -0500
Subject: [PATCH] explicit_bzero-tests: pacify GCC better
Problem reported by Bruno Haible in:
https://lists.gnu.org/r/bug-gnulib/2021-07/msg00039.html
* tests/test-explicit_bzero.c: Ignore -Wmaybe-uninitialized.
(stackbuf): Remove this static pointer, reverting recent change.
(do_secret_stuff, test_stack): Revert these related changes too.
---
ChangeLog | 9 +++++++++
tests/test-explicit_bzero.c | 16 +++++++++++-----
2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c50808437..d175c39af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2021-07-18 Paul Eggert <eggert@cs.ucla.edu>
+
+ explicit_bzero-tests: pacify GCC better
+ Problem reported by Bruno Haible in:
+ https://lists.gnu.org/r/bug-gnulib/2021-07/msg00039.html
+ * tests/test-explicit_bzero.c: Ignore -Wmaybe-uninitialized.
+ (stackbuf): Remove this static pointer, reverting recent change.
+ (do_secret_stuff, test_stack): Revert these related changes too.
+
2021-07-17 Paul Eggert <eggert@cs.ucla.edu>
memrchr-tests: pacify GCC
diff --git a/tests/test-explicit_bzero.c b/tests/test-explicit_bzero.c
index c42aba93f..14f0ead2b 100644
--- a/tests/test-explicit_bzero.c
+++ b/tests/test-explicit_bzero.c
@@ -32,6 +32,12 @@ SIGNATURE_CHECK (explicit_bzero, void, (void *, size_t));
#include "vma-iter.h"
#include "macros.h"
+/* Suppress GCC warning that do_secret_stuff (2) reads uninitialized
+ local storage. */
+#if 4 < __GNUC__ + (3 <= __GNUC_MINOR__)
+# pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
+#endif
+
#define SECRET "xyzzy1729"
#define SECRET_SIZE 9
@@ -126,12 +132,14 @@ test_heap (void)
/* There are two passes:
1. Put a secret in memory and invoke explicit_bzero on it.
2. Verify that the memory has been erased.
- Access the memory via a volatile pointer, so the compiler
- does not assume the pointer's value and optimize away accesses. */
-static char *volatile stackbuf;
+ Implement them in the same function, so that they access the same memory
+ range on the stack. That way, the test verifies that the compiler
+ does not eliminate a call to explicit_bzero, even if data flow analysis
+ reveals that the stack area is dead at the end of the function. */
static int _GL_ATTRIBUTE_NOINLINE
do_secret_stuff (volatile int pass)
{
+ char stackbuf[SECRET_SIZE];
if (pass == 1)
{
memcpy (stackbuf, SECRET, SECRET_SIZE);
@@ -147,8 +155,6 @@ do_secret_stuff (volatile int pass)
static void
test_stack (void)
{
- char stack_buffer[SECRET_SIZE];
- stackbuf = stack_buffer;
int count = 0;
int repeat;
--
2.25.1
next prev parent reply other threads:[~2021-07-18 19:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-18 4:56 [PATCH 1/2] explicit_bzero-tests: pacify GCC Paul Eggert
2021-07-18 4:56 ` [PATCH 2/2] memrchr-tests: " Paul Eggert
2021-07-18 9:12 ` [PATCH 1/2] explicit_bzero-tests: " Bruno Haible
2021-07-18 19:14 ` Paul Eggert [this message]
2021-07-18 22:23 ` Bruno Haible
2021-07-18 23:17 ` Paul Eggert
2021-07-19 0:37 ` Bruno Haible
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.gnu.org/mailman/listinfo/bug-gnulib
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3ecc5494-65ab-cb9e-19c7-8aaef7b6ff18@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=bruno@clisp.org \
--cc=bug-gnulib@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).