Re: Fix UBSAN issue

Wed, 08 Nov 2017 01:25:11 -0800 

On Sonntag, 5. November 2017 23:20:27 CET Niels Möller wrote:
> Tim Rühsen <tim.rueh...@gmx.de> writes:
> > Nothing with a real impact, just to silence sanitizers.
> 
> Can you explain precisely what's undefined behavior in this code ?
> 
> > diff --git a/sec-tabselect.c b/sec-tabselect.c
> > index e6bf2282..942c4247 100644
> > --- a/sec-tabselect.c
> > +++ b/sec-tabselect.c
> > @@ -55,7 +55,7 @@ sec_tabselect (mp_limb_t *rp, mp_size_t rn,
> > 
> >    mpn_zero (rp, rn);
> >    for (p = table; p < end; p += rn, k--)
> >    
> >      {
> > 
> > -      mp_limb_t mask = - (mp_limb_t) (k == 0);
> 
> As far as I understand, this should be perfectly portable C.
> 
>   (k == 0) evaluates to zero or one, with int type.
> 
> This always fits in an mp_limb_t, hence
> 
>   (mp_limb_t) (k == 0) evaluates to zero or one, with mp_limb_t type.
> 
> And since mp_limb_t is an *unsigned* type, arithmetic is always well
> defined as being performed modulo (ULONG_MAX + 1), including unary
> negation. So
> 
>   -(mp_limb_t) (k == 0) evaluates to zero or ULONG_MAX.
> 
> (Assuming mp_limb_t is unsigned long, which it is an almost anything
> except 64-bit windows, where it's instead unsigned long long).
> 
> But I may be missing something? These corners of the C language are a
> bit subtle.
> 
> > +      mp_limb_t mask = (mp_limb_t) -(k == 0);
> 
> If the other way isn't broken, I'd prefer to change it like this.
> Because then one also has to think about why it produces the intended
> sign extension (which it does; it's not the same as (mp_limb_t)
> (unsigned) -(k == 0)).
> 
> In general, both nettle and GMP depend on well-defined modulo arithmetic
> on unsigned types in *lots* of places. Any sanitizer which complains
> about that is pretty useless for this code. If your sanitizer complains
> by default, please use some option to disable that. And if there's no
> such option, please bug report the sanitizer tool.

Thanks for taking such a detailed look !

Well, this is not really "my" sanitizer, it's "the" sanitizer (llvm/clang) 
used by Google's OSS-Fuzz. (gcc eventually implements clang's sanitizer 
features but is very behind).

And of course you might be right and this is a bug in the sanitizer.
I leave that discussion to the experts and open a bug at oss-fuzz as soon as I 
find the time.

With Best Regards, Tim

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs

Reply via email to