Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add checked return values diagnostic #3798

Merged
merged 4 commits into from
Jun 12, 2023

Conversation

camshaft
Copy link
Contributor

@camshaft camshaft commented Jan 31, 2023

Description of changes:

Currently, if you use POSIX_BAIL in a function that returns an unsigned integer, it will not fail. This is a problem as the -1 is cast to the maximum value for the integer:

uint8_t my_fun()
{
    POSIX_BAIL(MY_ERROR); // will not emit a warning
}

Luckily, some versions of C compilers provide a way to add diagnostics to a specific region of code. In this case, we wrap the return -1 in a -Wconversion diagnostic and now the code above will fail. See a working example here.

Call-outs:

This depends on the work in #3921.

I refactored and moved the s2n_extensions_client_key_share_size function, which was only used in a single test. This was the only function in the codebase that failed this check (which is good!).

Testing:

All of the existing tests should be sufficient to test for this, since it's just a compilation flag.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions
Copy link

This PR has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@camshaft camshaft force-pushed the conversion-checks branch 5 times, most recently from 83eae09 to 27f0c43 Compare June 1, 2023 20:34
@camshaft camshaft force-pushed the conversion-checks branch from 27f0c43 to 53921a9 Compare June 2, 2023 17:07
@camshaft camshaft force-pushed the conversion-checks branch from 53921a9 to c0bcfe7 Compare June 2, 2023 20:31
@camshaft camshaft marked this pull request as ready for review June 2, 2023 20:31
Comment on lines 35 to 42
/* this function is here to ensure the compiler properly pops the previous diagnostic */
uint8_t unsigned_fun()
{
return -1;
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fun fact: <GCC5 doesn't implement diagnostic pop correctly and preserves the configuration for the rest of the file: https://godbolt.org/z/qdKrhWMo6

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there ever an instance where we would want to use GCC diagnostics where diagnostic pop isn't supported? Like, should checking if diagnostic pop works correctly just be a part of the normal GCC diagnostic feature probe?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great question (and this ties into your other question). There's two different uses of the diagnostics in the codebase: you can ignore warnings that are on by default and you can turn on warnings that are off by default. In the case of ignoring warnings, we want to include as many compilers in that list as possible, otherwise we'd get warnings on those platforms and fail the build (since -Werror is on). The worst case is we ignore warnings later on, but since we're also testing on platforms that do support popping diagnostics, it's not going to affect those.

On the other hand, we definitely can't turn on warnings for compilers that don't support pop without fixing every instance in the file after that triggers the warning.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah okay, that makes sense. Thanks!

@camshaft camshaft force-pushed the conversion-checks branch from c0bcfe7 to 3461981 Compare June 2, 2023 20:45
@camshaft camshaft requested review from goatgoose and lrstewart June 6, 2023 15:31
crypto/s2n_ecdsa.c Outdated Show resolved Hide resolved
Copy link
Contributor

@lrstewart lrstewart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How many of our CI jobs use GCC that supports these checks? A few, most, or all? Since this is on by default, I'm a little worried about a function in some ifdef block not getting caught until a customer uses a modern compiler.

But I guess that's better then their application running with the type conversion...

@camshaft
Copy link
Contributor Author

camshaft commented Jun 9, 2023

TODO: rename the two probes to PUSH_SUPPORTED and POP_SUPPORTED so it's clear how to use them correctly

@camshaft camshaft force-pushed the conversion-checks branch from 3461981 to 3d5eb08 Compare June 12, 2023 16:29
@camshaft camshaft force-pushed the conversion-checks branch from 3d5eb08 to 26e57f1 Compare June 12, 2023 16:31
@camshaft camshaft requested a review from lrstewart June 12, 2023 16:32
@camshaft camshaft enabled auto-merge (squash) June 12, 2023 19:33
@camshaft camshaft merged commit 23840a5 into aws:main Jun 12, 2023
@camshaft camshaft deleted the conversion-checks branch June 12, 2023 21:27
dougch pushed a commit to dougch/s2n-tls that referenced this pull request Jun 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants