Skip to content

Add VERIFY_ONLY_CHECK that only evaluates in VERIFY mode#902

Closed
sipa wants to merge 1 commit intobitcoin-core:masterfrom
sipa:202103_verify_only_check
Closed

Add VERIFY_ONLY_CHECK that only evaluates in VERIFY mode#902
sipa wants to merge 1 commit intobitcoin-core:masterfrom
sipa:202103_verify_only_check

Conversation

@sipa
Copy link
Contributor

@sipa sipa commented Mar 12, 2021

The VERIFY_CHECK macro still evaluates its argument in non-VERIFY mode, to make sure that in case it has any side effects (intentionally or unintentionally) that are relevant to the code, these also apply in production builds.

This isn't always desirable. If nontrivial functions are invoked inside of them the compiler may be unable to optimize the call out, resulting in performance degradation or even the introduction of non-constant-time behavior where that is unexpected.

This adds a new VERIFY_ONLY_CHECK macro that does not evaluate its argument (it is still compiled inside an if (0) though to guarantee syntactic correctness), for this purpose, and changes some nontrivial calls to use it.

@sipa sipa mentioned this pull request Mar 12, 2021
Merged
@real-or-random
Copy link
Contributor

real-or-random commented Mar 12, 2021

What do you think about this?

extern int not_supposed_to_survive;
#if defined(COVERAGE)
...
#elif defined(VERIFY)
#define VERIFY_CHECK CHECK
#define VERIFY_SETUP(stmt) do { stmt; } while(0)
#else
#define VERIFY_CHECK(cond) do { (void)(not_supposed_to_survive || (cond)); } while(0)
#define VERIFY_SETUP(stmt)
#endif

This a rather hacky but working way to let the compiler error out if it fails to prove that cond has no side-effects. (Taken from https://stackoverflow.com/a/35294344.)

This compiles fine with on current master on clang and gcc with -O1 and higher. Compilations fails when I add a dubious VERIFY_CHECK with a side-effect.

@sipa
Copy link
Contributor Author

sipa commented Mar 12, 2021

@real-or-random Ha, nice!

But I think we'll still want a macro like this for cases where it can't be optimized out? Or do you think all cases now are actually removed?

We'd also need some define to explicitly disable VERIFY_CHECK for -O0 builds.

@real-or-random
Copy link
Contributor

real-or-random commented Mar 12, 2021
edited
Loading

@real-or-random Ha, nice!

But I think we'll still want a macro like this for cases where it can't be optimized out? Or do you think all cases now are actually removed?

I think the fact that master compiles fine with this implies all cases are optimized everywhere.

We'd also need some define to explicitly disable VERIFY_CHECK for -O0 builds.

Indeed.

edit: We also may want to make this conditional on clang/gcc to make sure we don't break compilation for people using obscure compilers.

@sipa sipa mentioned this pull request Mar 12, 2021
Closed
@sipa
Copy link
Contributor Author

sipa commented Mar 12, 2021

@real-or-random See #904.

@sipa
Copy link
Contributor Author

sipa commented Mar 15, 2021

Closing in favor of #904.

@sipa sipa closed this Mar 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sipa @real-or-random