file.d: add overflow checks by WalterBright · Pull Request #4712 · dlang/phobos

WalterBright · 2016-08-04T23:10:47Z

No description provided.

MartinNowak · 2016-08-06T15:14:52Z

std/file.d

+        immutable newAlloc = addu(size, sizeIncrement, overflow);
+        if (overflow) assert(0);
+
        result = GC.realloc(result.ptr, newAlloc, GC.BlkAttr.NO_SCAN)[0 .. newAlloc];


Why?
You'll always crash before reaching that overflow. It's a size_t, so your address space is gone before it overflows.
That's too much ugly code for it's uselessness.

You'll always crash before reaching that overflow.

Famous last words :-)

All assert's are guaranteed to never be tripped. Of course, we're often wrong about that, and they get tripped. Hence adding this here.

MartinNowak · 2016-08-08T12:13:18Z

See, this is the mess w/ all those crappy tiny PRs.
Now we having plenty of separate discussions #4712, #4713, #4714, #4715, #4716, #4717, #4718 about the same thing. This literally feels like sneaking in changes to me.

MartinNowak · 2016-08-08T12:15:27Z

Where does the sudden interest in size_t overflows come from? In particular when used in buffer resizing there seems to be no practical use, b/c as pointed out above, you'll always end up w/o address space long before the overflow.

MartinNowak · 2016-08-08T12:17:03Z

Before flooding phobos w/ even more of this ugly code, please write a small SafeInt helper in std/internal that does those checks.

schveiguy · 2016-08-09T13:24:12Z

you'll always end up w/o address space long before the overflow.

Not necessarily. In many cases, you request a malloc for the result of a multiplication. If it overflows, the size actually granted could succeed and be quite small. But because malloc only tells you that you succeeded and here's your pointer, it's up to you to make that into a safe D array. In other words, your code thinks you requested space for 2 billion int, but instead you got space for 50 million. However, you just happily slice the pointer for 2 billion having a large unsafe access to all address space. In 64 bits, the overflow case is much less likely.

For the addition overflows, I agree the benefit is debatable. But if you are going to check for one case, you may as well check for all.

I do agree that a SafeInt type would look MUCH better than all these calls. It's easy to miss some operations too without such a nice wrapper type.

JackStouffer · 2016-08-09T13:32:55Z

I do agree that a SafeInt type would look MUCH better than all these calls. It's easy to miss some operations too without such a nice wrapper type.

Then review #4613

andralex

This is getting to the point where Checked is justified. Simply replacing size_t size = 0; with auto size = checked!size_t(0); and leaving all other code unchanged takes care of it.

JackStouffer · 2017-05-20T20:33:56Z

@andralex I thought the current rule was "no std.experimental use in std".

andralex · 2017-05-20T20:34:55Z

@JackStouffer on the contrary, use of experimental facilities in phobos is good dogfooding.

dnadlinger · 2017-05-20T20:38:24Z

@andralex @JackStouffer: Agreed. std.experimental shouldn't leak into the interface, but use in the implementation is fine. If the worst comes to the worst, we could always keep a private copy of the necessary parts in std.internal.

WalterBright · 2017-05-21T00:26:30Z

Simply replacing size_t size = 0; with auto size = checked!size_t(0); and leaving all other code unchanged takes care of it.

Turns out it's more than that, as the diffs show.

WalterBright · 2017-05-21T01:38:45Z

Hmm, now I get:

object.Error@src/rt/minfo.d(371): Cyclic dependency between module std.experimental.allocator and std.concurrency
std.experimental.allocator* ->
std.conv ->
std.datetime ->
std.datetime.timezone ->
std.concurrency* ->
std.stdio ->
std.file ->
std.experimental.checkedint ->
std.experimental.allocator.common ->
std.experimental.allocator*

checkedint should not be having cycles

andralex · 2017-05-23T19:43:11Z

Time to get rid of them static shared this(). #5421

andralex · 2017-05-23T20:43:56Z

#5423, too

andralex

Couple of things that make the code a tad simpler. In fact I'll try to make the changes myself.

andralex · 2017-10-15T14:57:55Z

std/file.d

-    size_t size = 0;
+
+    import std.experimental.checkedint;
+    auto size = checked!Abort(cast(size_t)0);


Abort is the default, please use checked(size_t(0))

andralex · 2017-10-15T14:58:48Z

std/file.d

+    version (unittest)
+        enum BUF_SIZE = 10;     // trigger reallocation code
+    else
+        enum BUF_SIZE = 4096;   // enough for most common case


andralex · 2017-10-15T14:59:10Z

std/file.d

    {
-        auto ptr = cast(wchar*) malloc(wchar.sizeof * n);
+        import std.experimental.checkedint;
+        auto cn = checked!Abort(n);


checked(n)

andralex · 2017-10-15T15:01:36Z

@WalterBright I couldn't edit this PR. Please rebase and mind the review - thx!

JackStouffer · 2018-01-03T18:20:06Z

As this is dead in the water, I've revived the changes here: #5990

9il added the overflow label Aug 5, 2016

MartinNowak reviewed Aug 6, 2016
View reviewed changes

JackStouffer added the Review:Needs Decision label Jan 18, 2017

WalterBright force-pushed the file-overflow branch from 96e9587 to a26eca8 Compare May 20, 2017 20:21

andralex requested changes May 20, 2017

View reviewed changes

andralex removed the Review:Needs Decision label May 20, 2017

WalterBright force-pushed the file-overflow branch from a26eca8 to d24de8f Compare May 21, 2017 00:24

andralex approved these changes May 21, 2017

View reviewed changes

andralex added the Merge:auto-merge label May 21, 2017

WalterBright force-pushed the file-overflow branch from d24de8f to 5ad1800 Compare May 21, 2017 00:31

dlang-bot removed the Merge:auto-merge label May 21, 2017

file.d: add overflow checks

85eb47b

WalterBright force-pushed the file-overflow branch from 5ad1800 to 85eb47b Compare May 21, 2017 00:35

WalterBright mentioned this pull request May 21, 2017

implement DIP1008 enabling @nogc for 'throw new Throwable;' dlang/dmd#6681

Merged

dlang-bot added the Review:Needs Work label Jun 23, 2017

andralex reviewed Oct 15, 2017

View reviewed changes

dlang-bot added the Merge:Needs Rebase label Dec 29, 2017

JackStouffer mentioned this pull request Jan 3, 2018

file.d: add overflow checks #5990

Merged

JackStouffer closed this Jan 3, 2018

Uh oh!

Conversation

WalterBright commented Aug 4, 2016

Uh oh!

MartinNowak Aug 6, 2016

Choose a reason for hiding this comment

Uh oh!

WalterBright May 20, 2017

Choose a reason for hiding this comment

Uh oh!

MartinNowak commented Aug 8, 2016

Uh oh!

MartinNowak commented Aug 8, 2016

Uh oh!

MartinNowak commented Aug 8, 2016

Uh oh!

schveiguy commented Aug 9, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

JackStouffer commented Aug 9, 2016

Uh oh!

andralex left a comment

Choose a reason for hiding this comment

Uh oh!

JackStouffer commented May 20, 2017

Uh oh!

andralex commented May 20, 2017

Uh oh!

dnadlinger commented May 20, 2017

Uh oh!

WalterBright commented May 21, 2017

Uh oh!

WalterBright commented May 21, 2017

Uh oh!

andralex commented May 23, 2017

Uh oh!

andralex commented May 23, 2017

Uh oh!

andralex left a comment

Choose a reason for hiding this comment

Uh oh!

andralex Oct 15, 2017

Choose a reason for hiding this comment

Uh oh!

andralex Oct 15, 2017

Choose a reason for hiding this comment

Uh oh!

andralex Oct 15, 2017

Choose a reason for hiding this comment

Uh oh!

andralex commented Oct 15, 2017

Uh oh!

JackStouffer commented Jan 3, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

schveiguy commented Aug 9, 2016 •

edited

Loading