Guard against overflow in codemap::span_to_lines.
#25013
Conversation
|
r? @sfackler (rust_highfive has picked a reviewer for you, use r? to override) |
|
Speaking of overflowing in slice, I think we still have other overflow possibilities. It appears as though slice was written to work properly in the case of zero-sized slices where I'll file a ticket about it. (Update: Filed as #25016) |
|
r? @huonw |
| @@ -643,6 +643,17 @@ macro_rules! slice_offset { | |||
| }}; | |||
| } | |||
|
|
|||
| macro_rules! slice_sub_offset { | |||
There was a problem hiding this comment.
Could you add a comment about why one can't just use slice_offset!/slice_add_offset! with -1?
|
This change will 'disguise' these bugs, won't it? (i.e. instead of an error/ICE, one will get Maybe it could be phrased as |
|
@kballard wrote:
By the way, I did see this feedback, and as a result, I considered doing this. But I think the formulation I came up with is more self-documenting, and should be just as efficient when compiled without (By "self-documenting," I guess I mean that this is not a case where modular arithmetic inherently applies -- instead, using I just wanted to make sure I addressed this note. :) |
|
@huonw wrote:
Yeah, I also had thought a stronger message would be warranted. (Should I go so far as to find some way to encode "please report this as a bug" into the output as well?) |
|
What other potential overflow bugs would be masked? My understanding is this code is explicitly supposed to be tolerant of wrapping because it still maintains the desired invariants (namely, that the end can be reached from the start by incrementing the correct number of times). So it's not an accident that two's-complement works, it's explicit design. |
eh, the only examples I can think of offhand involve overflowing |
This overflow does not cause any problems; it just causes errors to be signalled when compiling with `-C debug-assertions`. Fix rust-lang#24997
pnkfelix
force-pushed
the
span_to_lines-oflo
branch
from
7ee72cb to
8b20251
Compare
|
@huonw any further review feedback? |
| ($ptr:expr, $by:expr) => {{ | ||
| let ptr = $ptr; | ||
| if size_from_ptr(ptr) == 0 { | ||
| transmute(ptr as usize - $by) |
There was a problem hiding this comment.
GitHub seems to have lost my previous comment about this. It may have been a commit comment instead of a diff comment but I thought GitHub still preserved those. In the interests of making the discussion actually make sense, what I had suggested was that we don't need a separate macro at all, we just need wrapping arithmetic, like
macro_rules! slice_offset {
($ptr:expr, $by:expr) => {{
let ptr = $ptr;
if size_from_ptr(ptr) == 0 {
transmute((ptr as isize).wrapping_add($by))
} else {
ptr.offset($by)
}
}};
}And FWIW I still believe this is the better approach. It more closely mimics the actual pointer arithmetic used for non-zero-sized types, it means none of the callers of the macro have to be updated, and it more closely matches the required changes for #25016 (I think we need to use wrapping addition in more places in this module in order to restore the pre-overflow-check behavior).
There was a problem hiding this comment.
I have kept the changes in the form presented here because I still believe this code is easier to read than that change that you suggest. (It is an entirely subjective opinion.)
I freely admit that I have not done the full review of the core::slice code, and thus I have no argument against the point you make about hypothetical fixes to #25016. If it comes to that, then we can revert back to a macro of the form you suggest when #25016 gets fixed.
For now, however, my main concern is getting make check working again on --enable-debug builds, and this was the most obviously correct way for me to go about doing it.
Make `span_to_lines` to return a `Result`. (This is better than just asserting internally, since it allows caller to decide if they can recover from the problem.) Added type alias for `FileLinesResult` returned by `span_to_lines`. Update embedded unit test to reflect `span_to_lines` signature change. In diagnostic, catch `Err` from `span_to_lines` and print `"(internal compiler error: unprintable span)"` instead. ---- There a number of recent issues that report the bug here. See e.g. rust-lang#24761 and rust-lang#24954. This change *might* fix them. However, that is not its main goal. The main goals are: 1. Make it possible for callers to recover from an error here, and 2. Insert a more conservative check, in that we are also checking that the files match up.
pnkfelix
force-pushed
the
span_to_lines-oflo
branch
from
8b20251 to
909e1d6
Compare
|
@huonw review ping; I have now addressed your comments. Was there anything else you wanted here? |
|
@bors r+ |
|
📌 Commit 909e1d6 has been approved by |
|
⌛ Testing commit 909e1d6 with merge 5858b66... |
|
⛄ The build was interrupted to prioritize another pull request. |
|
⌛ Testing commit 909e1d6 with merge cbc8a1c... |
Guard against overflow in `codemap::span_to_lines`. (Revised/expanded version of PR #24976) Make `span_to_lines` to return a `Result`. In `diagnostic`, catch `Err` from `span_to_lines` and print `"(unprintable span)"` instead. ---- There a number of recent issues that report the bug here. See e.g. #24761 and #24954. This change *might* fix them. However, that is *not* its main goal. The main goals are: 1. Make it possible for callers to recover from an error here, and 2. Insert a more conservative check, in that we are also checking that the files match up. ---- As a drive-by, fix #24997 , which was causing my attempts to `make check-stage1` on an `--enable-debug` build to fail.
|
💔 Test failed - auto-mac-64-opt |
pnkfelix
force-pushed
the
span_to_lines-oflo
branch
from
909e1d6 to
939e4c9
Compare
|
sigh, my attempt to add an assertion to a test broke |
Guard against overflow in `codemap::span_to_lines`. (Revised/expanded version of PR #24976) Make `span_to_lines` to return a `Result`. In `diagnostic`, catch `Err` from `span_to_lines` and print `"(unprintable span)"` instead. ---- There a number of recent issues that report the bug here. See e.g. #24761 and #24954. This change *might* fix them. However, that is *not* its main goal. The main goals are: 1. Make it possible for callers to recover from an error here, and 2. Insert a more conservative check, in that we are also checking that the files match up. ---- As a drive-by, fix #24997 , which was causing my attempts to `make check-stage1` on an `--enable-debug` build to fail.
Guard against overflow in
codemap::span_to_lines.(Revised/expanded version of PR #24976)
Make
span_to_linesto return aResult.In
diagnostic, catchErrfromspan_to_linesand print"(unprintable span)"instead.There a number of recent issues that report the bug here. See e.g. #24761 and #24954.
This change might fix them. However, that is not its main goal. The main goals are:
As a drive-by, fix #24997 , which was causing my attempts to
make check-stage1on an--enable-debugbuild to fail.