From owner-freebsd-current@FreeBSD.ORG Thu Dec 19 11:38:29 2013
Date: Thu, 19 Dec 2013 12:38:28 +0100
From: Oliver Pinter
To: Stefan Esser
Cc: Konstantin Belousov, current@freebsd.org
Subject: Re: SOLVED: Problem with -fno-strict-overflow (was: Re: RFC: (Unconditionally) enable -fno-strict-overflow for kernel builds)
In-Reply-To: <52B2B960.7040607@freebsd.org>
References: <20131130135616.GA59496@kib.kiev.ua> <52B2B960.7040607@freebsd.org>
On 12/19/13, Stefan Esser wrote:
> On 30.11.2013 14:56, Konstantin Belousov wrote:
>> I propose to unconditionally add the switch -fno-strict-overflow
>> to the kernel compilation. See the patch at the end of the message for
>> the exact change proposed.
>>
>> What does it do? It disallows the useless and counter-intuitive
>> behaviour of the compiler(s) for signed overflow. Basically,
>> the issue is that the C standard left signed overflow as undefined
>> to allow different hardware implementations of signedness to be
>> used for signed arithmetic. De facto, all architectures where
>> FreeBSD works or has a chance to be ported use two's complement
>> signed integer representation, and developers' intuition is right
>> about it.
>>
>> The compiler authors take the undefined part there as a blanket to
>> perform optimizations which assume that signed overflow
>> cannot happen. The problem with that approach is that typical
>> checks for bounds are exactly the place where the overflow can
>> happen. Instead of making some artificial example, I would just
>> point to my own r258088 and r258397.
>>
>> What makes things much worse is that the behaviour is highly
>> dependent on the optimization level of the exact version of the
>> compiler.
>>
>> What other projects did in this regard: they turned the same knob
>> unconditionally. I can point at least to the Linux kernel and
>> PostgreSQL. Python uses -fwrapv, which is equivalent to
>> -fno-strict-overflow on two's complement machines. Linux used
>> -fwrapv before switching to -fno-strict-overflow.
>
> Hi Konstantin,
>
> you may put back -fno-strict-overflow after I found and fixed the
> problem uncovered by enabling it in -CURRENT (SVN rev. 259609).
>
> The problem was an overflow in the conversion of timeout values to
> sbintime, which led to negative values being detected with
> -fno-strict-overflow, while the compiler performed the signedness
> test before the multiplication without that option.
>
> I found that timeout values of more than 1000 years were requested
> by some programs, which are now capped at 68 years (the maximum that
> can be represented by sbintime, 2^31 seconds).
>
> So, -fno-strict-overflow has already proved itself to be useful
> in uncovering a bug that would have been hard to find otherwise.

I have a plan to port this or a similar plugin to llvm/clang in the near future:
http://www.grsecurity.net/~ephox/overflow_plugin/

> Regards, Stefan
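The following C program is an added illustration of the two points in the thread above; it is not code from the thread, from FreeBSD's kern_timeout code or from the grsecurity plugin. It assumes only the sbintime layout the thread states (seconds in the upper 32 bits, so 2^31-1 seconds maximum) and reconstructs, as an assumed shape, the fragile "multiply, then test for negative" pattern that strict-overflow optimization may remove. Beside it sits the defensive form: detect the overflow before multiplying with the GCC/clang builtin __builtin_mul_overflow, and cap the request at what sbintime can hold, which is the fix Stefan describes. The wrapped-value check also shows that even under -fwrapv a sign test after the multiply is an incomplete detector: a 1000-year request overflows, yet its wrapped product is not negative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* FreeBSD's sbintime_t is a 64-bit fixed-point value: the upper 32 bits hold
 * seconds, the lower 32 bits the fraction, hence at most 2^31-1 seconds
 * (about 68 years), as the thread says. SBT_1S is one second in that format. */
typedef int64_t sbintime_t;
#define SBT_1S      ((sbintime_t)1 << 32)
#define SBT_MAX_SEC ((int64_t)INT32_MAX)

/* Fragile shape the thread describes (assumed, not the original kernel code):
 * multiply first, then ask whether the result went negative. The multiply is
 * signed, so on overflow the C standard gives no answer; a compiler reasoning
 * under strict-overflow rules may conclude that a non-negative value times a
 * positive constant stays non-negative and drop the test. With
 * -fno-strict-overflow / -fwrapv the product wraps and the test sees the
 * wrapped value. To make that wrapped value reproducible here, the product is
 * computed in unsigned arithmetic, which is what -fwrapv guarantees for the
 * signed multiply (the uint64 -> int64 conversion is implementation-defined,
 * modulo 2^64 on GCC and clang). */
bool sign_check_after_mul_wrapped(int64_t sec)
{
    uint64_t prod = (uint64_t)sec * (uint64_t)SBT_1S;
    sbintime_t sbt = (sbintime_t)prod;
    return sbt < 0; /* fires for some overflows, silent for others */
}

/* Defensive form: detect the overflow before it happens. __builtin_mul_overflow
 * (GCC >= 5, clang >= 3.8) reports whether the exact product fits the result
 * type, independent of any strict-overflow assumption. Returns false and leaves
 * *out untouched when sec is negative or does not fit. */
bool sec_to_sbt_checked(int64_t sec, sbintime_t *out)
{
    sbintime_t sbt;
    if (sec < 0 || __builtin_mul_overflow(sec, SBT_1S, &sbt))
        return false;
    *out = sbt;
    return true;
}

/* The fix the thread settled on, in spirit: cap the requested timeout at what
 * sbintime can represent (2^31-1 seconds) before converting; negative requests
 * clamp to 0 (a choice made for this example). */
int64_t cap_timeout_seconds(int64_t sec)
{
    if (sec < 0)
        return 0;
    if (sec > SBT_MAX_SEC)
        return SBT_MAX_SEC;
    return sec;
}

/* Conversion that cannot overflow because the input was capped first. */
sbintime_t timeout_to_sbt(int64_t sec)
{
    return cap_timeout_seconds(sec) * SBT_1S;
}

int main(void)
{
    const int64_t thousand_years = 1000LL * 365 * 86400; /* constructed input */
    sbintime_t sbt = 0;

    printf("2^31 s, wrapped sign test: %s\n",
           sign_check_after_mul_wrapped((int64_t)INT32_MAX + 1) ? "negative" : "not negative");
    printf("1000 years, wrapped sign test: %s\n",
           sign_check_after_mul_wrapped(thousand_years) ? "negative" : "not negative");
    printf("1000 years, checked conversion fits: %s\n",
           sec_to_sbt_checked(thousand_years, &sbt) ? "yes" : "no");
    printf("1000 years capped to %lld s\n", (long long)cap_timeout_seconds(thousand_years));
    return 0;
}
```

Compile with `cc -O2 -Wall example.c` on GCC or clang; the program uses no FreeBSD headers. The point to take from it: a range check belongs on the input before the arithmetic that can overflow, because a check on the result is undefined behaviour under the default rules and only partially effective even when wrapping is guaranteed.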