From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Thu, 18 Apr 2019 01:45:43 -0700 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 779DF30254A3; Thu, 18 Apr 2019 08:45:42 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-179.rdu2.redhat.com [10.10.120.179]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5F1E35D9D6; Thu, 18 Apr 2019 08:45:41 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH 04/10] MdePkg/PiFirmwareFile: fix undefined behavior in FFS_FILE_SIZE To: Andrew Fish , devel@edk2.groups.io, Mike Kinney Cc: "Gao, Liming" References: <20190412233128.4756-1-lersek@redhat.com> <20190412233128.4756-5-lersek@redhat.com> <6FA88780-622D-4788-BDF8-6C807D85D9D1@apple.com> From: "Laszlo Ersek" Message-ID: Date: Thu, 18 Apr 2019 10:45:40 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <6FA88780-622D-4788-BDF8-6C807D85D9D1@apple.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.43]); Thu, 18 Apr 2019 08:45:42 +0000 (UTC) Content-Type: text/plain; charset=windows-1252 Content-Language: en-US Content-Transfer-Encoding: 7bit On 04/17/19 20:31, Andrew Fish wrote: > I was actually writing a mail to some people that sit on the C/C++ > standards committee that are UB experts to get some clarification when > you sent this mail. [...] > > I'm basically asking if this code pedantic conforms to C99 and C11: > > EFI_COMMON_SECTION_HEADER gSec = { { 0x01, 0x02, 0x3 }, 0x10 }; > > return *(UINT32 *)gSec.Size & 0x00ffffff; I'm really interested as to how they will respond! (Because I think (see up-thread) that the code doesn't conform.) > I ran the clang static analyzer and runtime ubsan on the above code > and it did not complain (I force strict aliasing via > -fstrict-aliasing, and I'm using the Sys V ABI since this is just the > command line compiler on my Mac). Yesterday I tried something similar with both gcc and clang (not recent versions of them, unfortunately), and they were all too happy with the code as well, when I thought they should have flagged it. The options I used were: -fsyntax-only -Wall -Wextra -std=c99 -pedantic \ -fstrict-aliasing -Wstrict-aliasing Beyond that, I checked the documentation of "-fstrict-aliasing" in the gcc manual at . It provides several examples; one of them is: > Similarly, access by taking the address, casting the resulting pointer > and dereferencing the result has undefined behavior, even if the cast > uses a union type, e.g.: > > union a_union { > int i; > double d; > }; > > int f() { > double d = 3.0; > return ((union a_union *) &d)->i; > } I think the access in this example is well defined (I seem able to deduce it using the effective type rules), and so I consider this a bug in the gcc docs. I reached out to someone in the toolchain team at Red Hat to confirm or disprove. Thanks Laszlo