From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gdb-patches-return-151629-listarch-gdb-patches=sources.redhat.com@sourceware.org>
Received: (qmail 122174 invoked by alias); 16 Oct 2018 15:58:15 -0000
Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <gdb-patches.sourceware.org>
List-Subscribe: <mailto:gdb-patches-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/gdb-patches/>
List-Post: <mailto:gdb-patches@sourceware.org>
List-Help: <mailto:gdb-patches-help@sourceware.org>, <http://sourceware.org/ml/#faqs>
Sender: gdb-patches-owner@sourceware.org
Received: (qmail 121531 invoked by uid 89); 16 Oct 2018 15:58:15 -0000
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-0.9 required=5.0 tests=BAYES_00,KAM_LAZY_DOMAIN_SECURITY,KAM_SHORT,SPF_HELO_PASS autolearn=no version=3.3.2 spammy=toward, consumers
X-HELO: mx1.redhat.com
Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 16 Oct 2018 15:58:13 +0000
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))	(No client certificate requested)	by mx1.redhat.com (Postfix) with ESMTPS id 111343024647;	Tue, 16 Oct 2018 15:58:12 +0000 (UTC)
Received: from [127.0.0.1] (ovpn04.gateway.prod.ext.ams2.redhat.com [10.39.146.4])	by smtp.corp.redhat.com (Postfix) with ESMTP id 23A8D5DD85;	Tue, 16 Oct 2018 15:58:10 +0000 (UTC)
Subject: Re: [PATCH][gdb] fix unsigned overflow in charset.c
To: John Baldwin <jhb@FreeBSD.org>, Paul Koning <paulkoning@comcast.net>
References: <7B48D309-445E-4141-A87A-1F3D5FA70EFD@comcast.net> <1acace4a-a5c6-abaf-f070-9c2e6768b6f2@redhat.com> <FBF59187-8B90-4A9C-B44C-C98F27A676AA@comcast.net> <9ea7a1f6-5c3f-c569-6bba-ca9e21711de1@FreeBSD.org> <2DCE0AB8-5647-4AD1-B0AA-3A8350C3BE6D@comcast.net> <17fcbb42-d694-af87-9a8d-d01addee992b@FreeBSD.org> <c335f8db-1825-2c16-6fbb-3ff56beca97f@redhat.com> <d6f5988a-97ef-b8a3-ee58-3bd9cb8a045e@FreeBSD.org>
Cc: gdb-patches@sourceware.org
From: Pedro Alves <palves@redhat.com>
Message-ID: <42e6b4b2-fb05-25f6-ef0a-73ce854116de@redhat.com>
Date: Tue, 16 Oct 2018 15:58:00 -0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <d6f5988a-97ef-b8a3-ee58-3bd9cb8a045e@FreeBSD.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-SW-Source: 2018-10/txt/msg00347.txt.bz2

On 10/11/2018 09:15 PM, John Baldwin wrote:
> On 10/10/18 1:50 AM, Pedro Alves wrote:
>> On 10/09/2018 08:58 PM, John Baldwin wrote:
>>> On 10/9/18 11:10 AM, Paul Koning wrote:
>>>>
>>>>
>>>>> On Oct 9, 2018, at 1:57 PM, John Baldwin <jhb@FreeBSD.org> wrote:
>>>>>
>>>>> On 10/9/18 10:40 AM, Paul Koning wrote:
>>>>>>
>>>>>>
>>>>>>> On Oct 9, 2018, at 1:31 PM, Pedro Alves <palves@redhat.com> wrote:
>>>>>>>
>>
>>>>> I also ran into the same failure using LLVM's ubsan on FreeBSD but in a different
>>>>> use of obstack_blank_fast().  If we wanted to fix this, I wonder if we'd instead
>>>>> want to fix it centrally in obstack_blank_fast (e.g. by using a ptrdiff_t cast)
>>>>> rather than fixing various consumers of the API.  That would be a change to
>>>>> libiberty though, not just gdb.
>>>>
>>>> I suppose.  But casts in macros scare me, they can hide mistakes.  It seems more reasonable to have the caller be responsible for creating a value of the correct type.  Since it's an adjustment, I suppose the cast should be for ptrdiff_t rather than ssize_t?
>>>
>>> So if obstack_blank_fast() were an inline function instead of a macro, I
>>> suspect it's second argument would be of type ptrdiff_t in which case the
>>> equivalent "hidden" cast would happen at the function call.  That said,
>>> the obstack_blank() macro uses _OBSTACK_SIZE_T (which is an unsigned size_t)
>>> when it declares a local variable to pass as the offset, so it seems obstack
>>> really is relying on unsigned wrap around.
>>
>> The function is documented to take an int, at least:
>>
>>  void obstack_blank_fast (struct obstack *obstack-ptr, int size)
>>
>>  https://www.gnu.org/software/libc/manual/html_node/Summary-of-Obstacks.html
>>
>> Not sure what's best to do, but I think I leaning toward
>> agreeing with Paul, in that passing down a signed negative
>> integer rather than passing down a large unsigned integer
>> expecting it to cast to a negative integer ends up
>> being a little better.
> 
> Ok.  Do you have a preference on the type to use (ssize_t vs ptrdiff_t vs
> something else)?  Paul's original patch used ssize_t.  I'll probably patch
> the one case I found in minsyms.c to match whatever we use here.

I don't really have much of a preference.

In practice, it probably doesn't make much of a difference nowadays.
Likely ssize_t and ptrdiff_t have the same width on all supported
hosts.

ssize_t is not standard C++ (it's standard POSIX), while ptrdiff_t is.
OTOH, we already use ssize_t in gdb.  Pedantically incorrectly, I guess,
if we follow the letter of the original ssize_t intention [1]:

  The type ssize_t shall be capable of storing values at least in the range [-1, {SSIZE_MAX}].

[1] - http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/sys_types.h.html

>From an aesthetic perspective, "ssize_t" seems better, as the "obvious
signed version of size_t".  From a pedantic perspective, ptrdiff_t
sounds better.

Thanks,
Pedro Alves