Michael,

The suggested changes make sense to me. I will prepare the patch in the next 
days. I guess the only question left is whether disabling assertions also 
disables constraint assertions. I think this should be the case for backwards 
compatibility, despite being slightly unintuitive.

Best,
Vitaly

On Sat, Feb 15, 2020 at 01:50, Kinney, Michael D <michael.d.kin...@intel.com> 
wrote:

> Hi Vitaly,
>
> I agree that this proposal makes a lot of sense.  We recently added a new 
> assert type called STATIC_ASSERT() for assert conditions that can be tested 
> at build time.
>
> A new assert type for checks that can be removed and the API still guarantees 
> that it fails gracefully with a proper return code is a good idea.  Given we 
> have STATIC_ASSERT(), how about naming the new macro CONSTRAINT_ASSERT()?
>
> We also want the default to be enabled.  The current use of bit 0x40 in 
> PcdDebugPropertyMask  is always clear, so we want the asserts enabled when 
> 0x40 is clear.  We can change the name of the define bit to 
> DEBUG_PROPERTY_CONTRAINT_ASSERT_DISABLED so bit 0x40 needs to be set in 
> PcdDebugPropertyMask to disable these types of asserts.
>
> This approach does require all the DebugLib implementations to be updated 
> with the new  DebugConstraintAssertDisabled() API.
>
> Mike
>
> From: vit9696 <vit9...@protonmail.com>
> Sent: Friday, February 14, 2020 9:38 AM
> To: Kinney, Michael D <michael.d.kin...@intel.com>
> Cc: devel@edk2.groups.io; Gao, Liming <liming....@intel.com>; Gao, Zhichao 
> <zhichao....@intel.com>; Marvin Häuser <marvin.haeu...@outlook.com>; Laszlo 
> Ersek <ler...@redhat.com>
> Subject: Re: [edk2-devel] [PATCH v3 0/1] Add PCD to disable safe string 
> constraint assertions
>
> Michael,
>
> Generalising the approach makes good sense to me, but we need to make an 
> obvious distinguishable difference between:
>
> - precondition and invariant assertions (i.e. assertions, where function will 
> NOT work if they are violated)
>
> - constraint asserts (i.e. assertions, which allow us to spot unintentional 
> behaviour when parsing untrusted data, but which do not break function 
> behaviour).
>
> As we want to use this outside of SafeString,  I suggest the following:
>
> - Introduce DEBUG_PROPERTY_ASSERT_CONSTRAINT_ENABLED 0x40 bit for 
> PcdDebugPropertyMask instead of PcdAssertOnSafeStringConstraints.
>
> - Introduce DebugAssertConstraintEnabled DebugLib function to check for 
> DEBUG_PROPERTY_ASSERT_CONSTRAINT_ENABLED.
>
> - Introduce ASSERT_CONSTRAINT macro, that will assert only if 
> DebugConstraintAssertEnabled returns true.
>
> - Change SafeString ASSERTS in SAFE_STRING_CONSTRAINT_CHECK to 
> ASSERT_CONSTRAINTs.
>
> - Use ASSERT_CONSTRAINT in other places where necessary.
>
> I believe this way lines best with EDK II design. If there are no objections, 
> I can submit the patch in the beginning of next week.
>
> Best wishes,
>
> Vitaly
>
>> 14 февр. 2020 г., в 20:00, Kinney, Michael D <michael.d.kin...@intel.com> 
>> написал(а):
>>
>> Vitaly,
>>
>> I want to make sure a feature PCD can be used to disable ASSERT() behavior 
>> in more than just safe string functions in BaseLib.
>>
>> Can we consider changing the name and description of 
>> PcdAssertOnSafeStringConstraints to be more generic, so if we find other lib 
>> APIs, the name will make sense?
>>
>> Maybe something like: PcdEnableLibraryAssertChecks?  Default is TRUE.  Can 
>> set to FALSE in DSC file to disable ASSERT() checks.
>>
>> Thanks,
>>
>> Mike
>>
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vitaly 
>> Cheptsov via Groups.Io
>> Sent: Friday, February 14, 2020 3:55 AM
>> To: Kinney, Michael D <michael.d.kin...@intel.com>; Gao, Liming 
>> <liming....@intel.com>; Gao, Zhichao <zhichao....@intel.com>; 
>> devel@edk2.groups.io
>> Cc: Marvin Häuser <marvin.haeu...@outlook.com>; Laszlo Ersek 
>> <ler...@redhat.com>
>> Subject: Re: [edk2-devel] [PATCH v3 0/1] Add PCD to disable safe string 
>> constraint assertions
>>
>> Replying as per Liming's request for this to be merged into 
>> edk2-stable202002.
>>
>> On Mon, Feb 10, 2020 at 14:12, vit9696 <vit9...@protonmail.com> wrote:
>>
>>> Hello,
>>>
>>> It has been quite some time since we submitted the patch with so far no 
>>> negative response. As I mentioned previously, my team will strongly benefit 
>>> from its landing in EDK II mainline. Since it does not add any regressions 
>>> and can be viewed as a feature implementation for the rest of EDK II users, 
>>> I request this to be merged upstream in edk2-stable202002.
>>>
>>> Best wishes,
>>> Vitaly
>>>
>>>> 27 янв. 2020 г., в 12:47, vit9696 <vit9...@protonmail.com> написал(а):
>>>>
>>>>
>>>> Hi Mike,
>>>>
>>>> Any progress with this? We would really benefit from this landing in the 
>>>> next stable release.
>>>>
>>>> Best,
>>>> Vitaly
>>>>
>>>>> 8 янв. 2020 г., в 19:35, Kinney, Michael D <michael.d.kin...@intel.com> 
>>>>> написал(а):
>>>>>
>>>>>
>>>>> Hi Vitaly,
>>>>>
>>>>> Thanks for the additional background. I would like
>>>>> a couple extra day to review the PCD name and the places
>>>>> the PCD might potentially be used.
>>>>>
>>>>> If we find other APIs where ASSERT() behavior is only
>>>>> valuable during dev/debug to quickly identify misuse
>>>>> with trusted data and the API provides predicable
>>>>> return behavior when ASSERT() is disabled, then I would
>>>>> like to have a pattern we can potentially apply to all
>>>>> these APIs across all packages.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mike
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: devel@edk2.groups.io <devel@edk2.groups.io> On
>>>>>> Behalf Of Vitaly Cheptsov via Groups.Io
>>>>>> Sent: Monday, January 6, 2020 10:44 AM
>>>>>> To: Kinney, Michael D <michael.d.kin...@intel.com>
>>>>>> Cc: devel@edk2.groups.io
>>>>>> Subject: Re: [edk2-devel] [PATCH v3 0/1] Add PCD to
>>>>>> disable safe string constraint assertions
>>>>>>
>>>>>> Hi Mike,
>>>>>>
>>>>>> Yes, the primary use case is for UEFI Applications. We
>>>>>> do not want to disable ASSERT’s completely, as
>>>>>> assertions that make sense, i.e. the ones signalising
>>>>>> about interface misuse, are helpful for debugging.
>>>>>>
>>>>>> I have already explained in the BZ that basically all
>>>>>> safe string constraint assertions make no sense for
>>>>>> handling untrusted data. We find this use case very
>>>>>> logical, as these functions behave properly with
>>>>>> assertions disabled and cover all these error
>>>>>> conditions by the return statuses. In such situation is
>>>>>> not useful for these functions to assert, as we end up
>>>>>> inefficiently reimplementing the logic. I would have
>>>>>> liked the approach of discussing the interfaces
>>>>>> individually, but I struggle to find any that makes
>>>>>> sense from this point of view.
>>>>>>
>>>>>> AsciiStrToGuid will ASSERT when the length of the
>>>>>> passed string is odd. Functions that cannot, ahem,
>>>>>> parse, for us are pretty much useless.
>>>>>> AsciiStrCatS will ASSERT when the appended string does
>>>>>> not fit the buffer. For us this logic makes this
>>>>>> function pretty much equivalent to deprecated and thus
>>>>>> unavailable AsciiStrCat, except it is also slower.
>>>>>>
>>>>>> My original suggestion was to remove the assertions
>>>>>> entirely, but several people here said that they use
>>>>>> them to verify usage errors when handling trusted data.
>>>>>> This makes good sense to me, so we suggest to support
>>>>>> both cases by introducing a PCD in this patch.
>>>>>>
>>>>>> Best wishes,
>>>>>> Vitaly
>>>>>>
>>>>>>> 6 янв. 2020 г., в 21:28, Kinney, Michael D
>>>>>> <michael.d.kin...@intel.com> написал(а):
>>>>>>>
>>>>>>>
>>>>>>> Hi Vitaly,
>>>>>>>
>>>>>>> Is the use case for UEFI Applications?
>>>>>>>
>>>>>>> There is a different mechanism to disable all
>>>>>> ASSERT()
>>>>>>> statements within a UEFI Application.
>>>>>>>
>>>>>>> If a component is consuming data from an untrusted
>>>>>> source,
>>>>>>> then that component is required to verify the
>>>>>> untrusted
>>>>>>> data before passing it to a function that clearly
>>>>>> documents
>>>>>>> is input requirements. If this approach is followed,
>>>>>> then
>>>>>>> the BaseLib functions can be used "as is" as long as
>>>>>> the
>>>>>>> ASSERT() conditions are verified before calling.
>>>>>>>
>>>>>>> If there are some APIs that currently document their
>>>>>> ASSERT()
>>>>>>> behavior and we think that ASSERT() behavior is
>>>>>> incorrect and
>>>>>>> should be handled by an existing error return value,
>>>>>> then we
>>>>>>> should discuss each of those APIs individually.
>>>>>>>
>>>>>>> Mike
>>>>>>>
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: devel@edk2.groups.io <devel@edk2.groups.io> On
>>>>>>>> Behalf Of Vitaly Cheptsov via Groups.Io
>>>>>>>> Sent: Friday, January 3, 2020 9:13 AM
>>>>>>>> To: devel@edk2.groups.io
>>>>>>>> Subject: [edk2-devel] [PATCH v3 0/1] Add PCD to
>>>>>> disable
>>>>>>>> safe string constraint assertions
>>>>>>>>
>>>>>>>> REF:
>>>>>>>> https://bugzilla.tianocore.org/show_bug.cgi?id=2054
>>>>>>>>
>>>>>>>> Requesting for merge in edk2-stable202002.
>>>>>>>>
>>>>>>>> Changes since V1:
>>>>>>>> - Enable assertions by default to preserve the
>>>>>> original
>>>>>>>> behaviour
>>>>>>>> - Fix bugzilla reference link
>>>>>>>> - Update documentation in BaseLib.h
>>>>>>>>
>>>>>>>> Vitaly Cheptsov (1):
>>>>>>>> MdePkg: Add PCD to disable safe string constraint
>>>>>>>> assertions
>>>>>>>>
>>>>>>>> MdePkg/MdePkg.dec | 6 ++
>>>>>>>> MdePkg/Library/BaseLib/BaseLib.inf | 11 +--
>>>>>>>> MdePkg/Include/Library/BaseLib.h | 74
>>>>>>>> +++++++++++++-------
>>>>>>>> MdePkg/Library/BaseLib/SafeString.c | 4 +-
>>>>>>>> MdePkg/MdePkg.uni | 6 ++
>>>>>>>> 5 files changed, 71 insertions(+), 30 deletions(-)
>>>>>>>>
>>>>>>>> --
>>>>>>>> 2.21.0 (Apple Git-122.2)
>>>>>>>>
>>>>>>>>
>>>>>>>> -=-=-=-=-=-=
>>>>>>>> [Groups.io](http://groups.io/) Links: You receive all messages sent to
>>>>>> this
>>>>>>>> group.
>>>>>>>>
>>>>>>>> View/Reply Online (#52837):
>>>>>>>> https://edk2.groups.io/g/devel/message/52837
>>>>>>>> Mute This Topic:
>>>>>> https://groups.io/mt/69401948/1643496
>>>>>>>> Group Owner: devel+ow...@edk2.groups.io
>>>>>>>> Unsubscribe: https://edk2.groups.io/g/devel/unsub
>>>>>>>> [michael.d.kin...@intel.com]
>>>>>>>> -=-=-=-=-=-=
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>
>> 
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54481): https://edk2.groups.io/g/devel/message/54481
Mute This Topic: https://groups.io/mt/69401948/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to