Commit Graph

65 Commits

Author SHA1 Message Date
riastradh
76d4b81251 Clarify compile-time and run-time arithmetic safety assertions.
This is an experiment with a handful of macros for writing the
checks, most of which are compile-time:

MUL_OK(t, a, b)         Does a*b avoid overflow in type t?
ADD_OK(t, a, b)         Does a + b avoid overflow in type t?
TOOMANY(t, x, b, m)     Are there more than m b-element blocks in x in type t?
                        (I.e., does ceiling(x/b) > m?)

Addenda that might make sense but are not needed here:

MUL(t, a, b, &p)        Set p = a*b and return 0, or return ERANGE if overflow.
ADD(t, a, b, &s)        Set s = a+b and return 0, or return ERANGE if overflow.

Example:

        uint32_t a = ..., b = ..., y = ..., z = ..., x, w;

        /* input validation */
        error = MUL(size_t, a, b, &x);
        if (error)
                fail;
        if (TOOMANY(uint32_t, x, BLKSIZ, MAX_NBLK))
                fail;
        y = HOWMANY(x, BLKSIZ);
        if (z > Z_MAX)
                fail;
        ...
        /* internal computation */
        __CTASSERT(MUL_OK(uint32_t, Z_MAX, MAX_NBLK));
        w = z*y;

Obvious shortcomings:

1. Nothing checks your ctassert matches your subsequent arithmetic.
   (Maybe we could have BOUNDED_MUL(t, x, xmax, y, ymax) with a
   ctassert inside.)

2. Nothing flows the bounds needed by the arithmetic you use back
   into candidate definitions of X_MAX/Y_MAX.

But at least the reviewer's job is only to make sure that (a) the
MUL_OK matches the *, and (b) the bounds in the assertion match the
bounds on the inputs -- in particular, the reviewer need not derive
the bounds from the context, only confirm they are supported by the
paths to it.

This is not meant to be a general-purpose proof assistant, or even a
special-purpose one like gfverif <http://gfverif.cryptojedi.org/>.
Rather, it is an experiment in adding a modicum of compile-time
verification with a simple C API change.

This also is not intended to serve as trapping arithmetic on
overflow.  The goal here is to enable writing the program with
explicit checks on input and compile-time annotations on computation
to gain confidence that overflow won't happen in the computation.
2017-07-29 21:04:07 +00:00
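One concrete way to realise the macros the message sketches, as an added example for this page rather than the code in the NetBSD commit. MUL_OK, ADD_OK and TOOMANY are written as plain integer expressions so they are usable both at run time and inside a static assertion; `_Static_assert` stands in for NetBSD's `__CTASSERT`. The unsigned-only `TYPE_MAX`, the overflow-free `HOWMANY` formula, the bounds `BLKSIZ`, `MAX_NBLK`, `Z_MAX` and the `compute()` function are assumptions constructed to mirror the message's example, not vndcompress's values.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Largest value of unsigned integer type t.  Every macro below assumes t
 * is an unsigned type (assumption for this example); signed operands are
 * not handled.
 */
#define TYPE_MAX(t)		((t)~(t)0)

/* Does a*b fit in t?  Valid in integer constant expressions. */
#define MUL_OK(t, a, b)						\
	((a) == 0 || (b) <= TYPE_MAX(t) / (a))

/* Does a+b fit in t?  The first test stops a wider b from wrapping the subtraction. */
#define ADD_OK(t, a, b)						\
	((b) <= TYPE_MAX(t) && (a) <= TYPE_MAX(t) - (b))

/*
 * Are there more than m b-element blocks in x, i.e. ceiling(x/b) > m?
 * Computed as x/b + (x%b != 0) so the check itself cannot overflow the
 * way x + b - 1 or m*b could.  t is the type the block count is compared in.
 */
#define TOOMANY(t, x, b, m)						\
	((x) / (b) + ((x) % (b) != 0) > (t)(m))

/* Overflow-free ceiling(x/b); same formula as the TOOMANY check. */
#define HOWMANY(x, b)		((x) / (b) + ((x) % (b) != 0))

/* Run-time forms: store the result in *p and return 0, or ERANGE on overflow. */
#define MUL(t, a, b, p)						\
	(MUL_OK(t, a, b) ? (*(p) = (t)(a) * (t)(b), 0) : ERANGE)
#define ADD(t, a, b, p)						\
	(ADD_OK(t, a, b) ? (*(p) = (t)(a) + (t)(b), 0) : ERANGE)

/* Constructed bounds for the example; not the vndcompress values. */
#define BLKSIZ		512u
#define MAX_NBLK	1024u
#define Z_MAX		4096u

static int
mul_u32(uint32_t a, uint32_t b, uint32_t *p)
{
	return MUL(uint32_t, a, b, p);
}

static int
add_u32(uint32_t a, uint32_t b, uint32_t *s)
{
	return ADD(uint32_t, a, b, s);
}

/*
 * Same shape as the commit message's sketch: validate inputs at run time,
 * then let a compile-time assertion justify the unchecked multiplication.
 * Returns 0 and sets *w, or an errno value.
 */
static int
compute(uint32_t a, uint32_t b, uint32_t z, uint32_t *w)
{
	size_t x;
	uint32_t y;
	int error;

	/* input validation */
	error = MUL(size_t, a, b, &x);
	if (error)
		return error;
	if (TOOMANY(uint32_t, x, BLKSIZ, MAX_NBLK))
		return EINVAL;
	y = HOWMANY(x, BLKSIZ);	/* y <= MAX_NBLK after the check above */
	if (z > Z_MAX)
		return EINVAL;

	/*
	 * internal computation: the reviewer only confirms that the bounds
	 * named here (Z_MAX, MAX_NBLK) are the ones enforced above.
	 */
	_Static_assert(MUL_OK(uint32_t, Z_MAX, MAX_NBLK), "z*y can overflow uint32_t");
	*w = z * y;
	return 0;
}

int
main(void)
{
	uint32_t p = 0, w = 0;
	int e;

	e = mul_u32(65535u, 65537u, &p);
	printf("65535*65537: error=%d p=%u\n", e, p);
	e = mul_u32(65536u, 65536u, &p);
	printf("65536*65536: error=%d\n", e);
	e = compute(100, 10, 3, &w);
	printf("compute(100,10,3): error=%d w=%u\n", e, w);
	return 0;
}
```

Changing `MAX_NBLK` to 2097152u (so that Z_MAX*MAX_NBLK exceeds 2^32) makes the build fail at the `_Static_assert` rather than letting `z * y` wrap at run time, which is the property the message is after.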
riastradh
eeefcaaf18 Omit needless XXX comment. 2017-04-17 00:02:45 +00:00
riastradh
9719b6dc16 Justify the last unjustified assertion here.
Sprinkle a few more assertions to help along the way.

(Actually, it was justified; I just hadn't made explicit the relation
to the value of fdpos that all two callers specify.)
2017-04-16 23:50:40 +00:00
riastradh
9b8e93bfa9 Emphasize that MAX_WINDOW_SIZE is bounded by the maximum uint32_t.
Since we store window sizes in uint32_t, the maximum had better fit
in uint32_t!
2017-04-16 23:43:57 +00:00
riastradh
cab898d0ae Simplify. 2017-03-21 13:56:38 +00:00
christos
f4547403ad need <sys/stat.h> 2017-01-10 21:15:54 +00:00
riastradh
feb61835e6 __diagused, not __unused -- used in an assert. 2016-04-07 23:29:59 +00:00
riastradh
9783666546 Fix vndcompress restart failure fallback when input is a pipe.
Defer seeking the *input* image, or winding it forward, until we are
certain we are all ready in the cloop2 output, because when the input
image is a pipe, we don't get a chance to seek back to the beginning
and start from the top instead of restarting.

If restart does fail, don't try to seek the input image back to the
beginning unless we had already tried to seek or wind it forward.

Add some automatic tests for this and related cases.

XXX pullup to netbsd-7, netbsd-6
2014-11-18 03:48:17 +00:00
riastradh
3a07c2a841 Get SIZE_MAX and OFF_MAX straight... 2014-01-25 16:38:15 +00:00
riastradh
482c113d44 Factor out an offtab_compute_window_position routine. 2014-01-25 16:26:17 +00:00
riastradh
0853010545 Fix some more integer overflow/truncation issues.
Arithmetic in C is hard.  Let's go shopping!
2014-01-25 15:31:06 +00:00
christos
115b322731 CID 1164169: integer overflow 2014-01-24 17:30:18 +00:00
joerg
eecb404dbe Mark offtab_bug[x] as dead. 2014-01-23 14:17:05 +00:00
riastradh
380386c8de Fix $NetBSD$ tag. 2014-01-22 14:25:07 +00:00
riastradh
708b399e9d Bump date on vndcompress(1) man page. 2014-01-22 06:18:17 +00:00
riastradh
18fe60ee74 Fix vndcompress man page to reflect default window size. 2014-01-22 06:18:09 +00:00
riastradh
f13ecd80a5 Change vndcompress to use a default window size of 512.
For vnduncompress on nonseekable input, the window size is as large
as it needs to be by default, as before.  Not clear that this is the
right choice -- by default vnduncompress on nonseekable input will
just use unbounded memory unsolicited.
2014-01-22 06:18:00 +00:00
riastradh
120dc04ff6 Document the new vndcompress -w option and nuke BUGS section.
Perhaps vndcompress and vnduncompress ought by default to choose a
limited window size (say, 8192 entries, i.e. 64k bytes, the default
MAXPHYS), and vnduncompress should fall back to an unlimited window
only if the input is nonseekable.
2014-01-22 06:17:51 +00:00
riastradh
a7ef6dc75a Reflect rename of '-s' to '-b' in the vndcompress man page. 2014-01-22 06:17:42 +00:00
riastradh
dc88592abd Move err1 & errx1 to the end of vnduncompress.c; add __printflike. 2014-01-22 06:17:34 +00:00
riastradh
9aa3cfafcd Rename block size option from '-s' to '-b'.
Makes more sense and makes it consistent with other utilities such as
pax and pigz.  This vndcompress has never gone out in a release, so
changing the name of the option shouldn't cause too many problems...
2014-01-22 06:17:25 +00:00
riastradh
a4a41d7780 Simplify vndcompress offtab_compute_window_size. 2014-01-22 06:17:16 +00:00
riastradh
a0dfc29413 Fix typo in comment. 2014-01-22 06:17:07 +00:00
riastradh
c803c22d4c Fix up unlimited vndcompress tests and explain what's up with them. 2014-01-22 06:16:59 +00:00
riastradh
02796a4937 Add some simple automatic tests for window sizes. 2014-01-22 06:16:50 +00:00
riastradh
6ae2f589bf Remove silly comment in offtab_reset_write. 2014-01-22 06:16:41 +00:00
riastradh
7dc3ecc300 Window size is now an option; remove XXX comment to the contrary. 2014-01-22 06:16:32 +00:00
riastradh
a3d8273010 Add comment explaining why piperestart.cl2part is allowed to fail. 2014-01-22 06:16:23 +00:00
riastradh
e70e005842 Split guard in offtab_write_window into offtab_maybe_write_window. 2014-01-22 06:16:14 +00:00
riastradh
a3544454a1 Seek if necessary at end of offtab_reset_read.
Fixes vnduncompress with a small window, and makes offtab_reset_read
symmetric with offtab_reset_write.
2014-01-22 06:16:05 +00:00
riastradh
7c5bfcbe34 Add option -w to vnd(un)compress to specify the window size. 2014-01-22 06:15:57 +00:00
riastradh
1c2cd5c047 Add some leading zero digits to the flags. Cosmetic change only. 2014-01-22 06:15:48 +00:00
riastradh
c9b17454f7 Add WARNS=5. 2014-01-22 06:15:39 +00:00
riastradh
5b1eaed138 Judicious (and justified) casts to avoid signed/unsigned comparisons. 2014-01-22 06:15:31 +00:00
riastradh
3e40e9d7d6 Implement machinery for fixed-size windows into the offset table. 2014-01-22 06:15:22 +00:00
riastradh
519e5b52f0 Write offsets in hexadecimal, not decimal. 2014-01-22 06:15:12 +00:00
riastradh
6e96c4ea68 Move block_signals/restore_sigmask to utils.c 2014-01-22 06:15:04 +00:00
riastradh
28c82fe6ee Use write-to-temporary/rename-to-permanent pattern in Makefile. 2014-01-22 06:14:55 +00:00
riastradh
735c239796 Abstract handling of the cloop2 offset table.
Preparation for converting it to use a fixed-size window.
2014-01-22 06:14:46 +00:00
riastradh
b06b564040 Use read_block instead of read in vnduncompress. 2014-01-22 06:14:28 +00:00
riastradh
d99bda47ef Move vndcompress utilities to utils.c. 2014-01-22 06:14:20 +00:00
riastradh
573999a972 Fail if malloc can't allocate offset table. 2014-01-22 06:14:03 +00:00
dholland
7899f1dc15 Remove redundant WARNS=5. 2013-08-11 06:32:13 +00:00
riastradh
31eb87b9b9 Make partial read/write error messages more consistent in vndcompress. 2013-05-06 22:53:24 +00:00
riastradh
4b4929c1fa Add __printflike to vsnprintf_ss. 2013-05-04 15:37:39 +00:00
riz
e3748ff50d 'unsigned long' prints with %lu, not %zu. 2013-05-04 15:27:39 +00:00
riastradh
2552c7f866 Add -l option to synopsis for vndcompress(1) man page. 2013-05-04 14:34:13 +00:00
riastradh
2f16fbbee5 Fix sign-compare in compress_blocks.
Not sure why my builds didn't reveal this one -- they revealed
several others during development.
2013-05-04 14:29:48 +00:00
joerg
72bd42b73b __printflike for vwarnx_ss, __dead for err_ss and errx_ss. 2013-05-04 10:21:27 +00:00
wiz
5d2fa123b0 Sort. Add EXIT STATUS section. 2013-05-04 07:13:23 +00:00