[HACKERS] [RFC] overflow checks optimized away

Tue, 22 Jan 2013 20:02:19 -0800 

Intel's icc and PathScale's pathcc compilers optimize away several
overflow checks, since they consider signed integer overflow as
undefined behavior.  This leads to a vulnerable binary.

Currently we use -fwrapv to disable such (mis)optimizations in gcc,
but not in other compilers.


Examples
========

1) x + 1 <= 0 (assuming x > 0).

src/backend/executor/execQual.c:3088

Below is the simplified code.

-----------------------------------------
void bar(void);
void foo(int this_ndims)
{
        if (this_ndims <= 0)
                return;
        int elem_ndims = this_ndims;
        int ndims = elem_ndims + 1;
        if (ndims <= 0)
                bar();
}
-----------------------------------------

$ icc -S -o - sadd1.c
...
foo:
# parameter 1: %edi
..B1.1:
..___tag_value_foo.1:
..B1.2:
        ret

2) x + 1 < x

src/backend/utils/adt/float.c:2769
src/backend/utils/adt/float.c:2785
src/backend/utils/adt/oracle_compat.c:1045 (x + C < x)

Below is the simplified code.

-----------------------------------------
void bar(void);
void foo(int count)
{
        int result = count + 1;
        if (result < count)
                bar();
}
-----------------------------------------

$ icc -S -o - sadd2.c
...
foo:
# parameter 1: %edi
..B1.1:
..___tag_value_foo.1:
        ret       

3) x + y <= x (assuming y > 0)

src/backend/utils/adt/varbit.c:1142
src/backend/utils/adt/varlena.c:1001
src/backend/utils/adt/varlena.c:2024
src/pl/plpgsql/src/pl_exec.c:1975
src/pl/plpgsql/src/pl_exec.c:1981

Below is the simplified code.

-----------------------------------------
void bar(void);
void foo(int sp, int sl)
{
        if (sp <= 0)
                return;
        int sp_pl_sl = sp + sl;
        if (sp_pl_sl <= sl)
                bar();
}
-----------------------------------------

$ icc -S -o - sadd3.c
foo:
# parameter 1: %edi
# parameter 2: %esi
..B1.1:
..___tag_value_foo.1:
..B1.2:
        ret       


Possible fixes
==============

* Recent versions of icc and pathcc support gcc's workaround option,
-fno-strict-overflow, to disable some optimizations based on signed
integer overflow.  It's better to add this option to configure.
They don't support gcc's -fwrapv yet.

* This -fno-strict-overflow option cannot help in all cases: it cannot
prevent the latest icc from (mis)compiling the 1st case.  We could also
fix the source code by avoiding signed integer overflows, as follows.

x + y <= 0 (assuming x > 0, y > 0)
--> x > INT_MAX - y

x + y <= x (assuming y > 0)
--> x > INT_MAX - y

I'd suggest to fix the code rather than trying to work around the
compilers since the fix seems simple and portable.

See two recent compiler bugs of -fwrapv/-fno-strict-overflow as well.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55883
http://software.intel.com/en-us/forums/topic/358200

* I don't have access to IBM's xlc compiler.  Not sure how it works for
the above cases.

- xi 


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to