[RFC] static type checking for AP_INIT_FLAG etc
Another one I'd like to check consensus on, before disappearing too far
down the rabbit-hole.

The ap_set_*_slot directive function initializers throw away type safety
completely since you can pass anything to APR_OFFSETOF(x,y) and it's
cast to void * regardless. I've seen one bug because of this in a
third-party module which was using a bool [sizeof(char)] rather than an
int with ap_set_int_slot. r1876823 has another example.

You can get away with "minor" errors like that on little-endian
platforms since the least significant bytes are in the "right" place
even if the type is wrong. So bugs don't show up until customers run
your code on, just as an example, IBM hardware! ;)

I don't see a way to fix all the code with hard-coded APR_OFFSETOF(),
but we can offer some alternative wrapper macros which get rid of
OFFSETOF and check the types at compile-time with some gcc builtin
magic. PoC attached.

The failure will look like this one from the mod_proxy_html case:

In file included from mod_proxy_html.c:55:
/home/jorton/src/asf/httpd-git/include/http_config.h:162:5: error: void value not ignored as it ought to be
162 | __builtin_choose_expr(sizeof(actual) == sizeof(expected), result, (void)0)
| ^~~~~~~~~~~~~~~~~~~~~
/home/jorton/src/asf/httpd-git/include/http_config.h:169:13: note: in expansion of macro ‘AP_INIT_CHECKED_TYPE’
169 | AP_INIT_CHECKED_TYPE(((structname *)0)->fieldname, int, \
| ^~~~~~~~~~~~~~~~~~~~
mod_proxy_html.c:1316:5: note: in expansion of macro ‘AP_INIT_TAKE1_INT_SLOT’
1316 | AP_INIT_TAKE1_INT_SLOT("ProxyHTMLBufSize", proxy_html_conf, bufsz,
| ^~~~~~~~~~~~~~~~~~~~~~

which is not totally obvious but at least it's a failure.
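An added, self-contained illustration of both halves of the above (it is not the attached PoC and not httpd's own code): a minimal stand-in for an ap_set_int_slot-style setter shows how wiring a 1-byte field to an int setter overruns the neighbouring bytes and reads "correctly" only on little-endian hosts, and a hypothetical CHECKED_OFFSETOF macro built on __builtin_choose_expr turns the mismatch into the same "void value not ignored" build failure shown for mod_proxy_html. The struct and function names are invented for the example; where the RFC's PoC compares sizeof, this variant compares types with __builtin_types_compatible_p, which also rejects same-sized mismatches such as unsigned versus int.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an ap_set_int_slot-style setter (not httpd's
 * code): it gets a void* config and a byte offset, so it must assume an
 * int lives there and cannot tell when the field is really a char. */
static void set_int_slot(void *cfg, size_t offset, int value)
{
    memcpy((char *)cfg + offset, &value, sizeof value);
}

/* Constructed config with the latent bug from the RFC: 'enabled' is a
 * 1-byte flag, but the directive table wires it to the int setter. */
struct bad_conf {
    char enabled;   /* 1 byte, wrongly driven by set_int_slot */
    char other[3];  /* neighbours that a 4-byte write overruns */
    int  bufsz;
};

static int is_little_endian(void)
{
    unsigned int one = 1;
    unsigned char first;
    memcpy(&first, &one, 1);
    return first == 1;
}

/* Write 1 into the char field through the int setter and report what the
 * char field then holds: 1 on little-endian (the bug hides), 0 on
 * big-endian (the flag never turns on). */
static int flag_value_after_int_write(void)
{
    struct bad_conf c;
    memset(&c, 0x7f, sizeof c);
    set_int_slot(&c, offsetof(struct bad_conf, enabled), 1);
    return c.enabled;
}

/* Same write; count how many of the three neighbouring bytes changed.
 * The overrun is independent of endianness: all three are clobbered. */
static int neighbours_clobbered(void)
{
    struct bad_conf c;
    int i, n = 0;
    memset(&c, 0x7f, sizeof c);
    set_int_slot(&c, offsetof(struct bad_conf, enabled), 1);
    for (i = 0; i < 3; i++)
        if (c.other[i] != 0x7f)
            n++;
    return n;
}

/* Hypothetical checked replacement for APR_OFFSETOF, in the spirit of the
 * RFC but comparing types (GCC/Clang builtins) rather than sizes. It
 * yields the offset when the field has the expected type and a void
 * expression otherwise, so a mismatch fails with the same "void value
 * not ignored" error shown in the mod_proxy_html output. */
#define CHECKED_OFFSETOF(structname, fieldname, expected)                   \
    __builtin_choose_expr(                                                  \
        __builtin_types_compatible_p(                                       \
            __typeof__(((structname *)0)->fieldname), expected),            \
        offsetof(structname, fieldname), (void)0)

/* Correctly typed config: every int-setter slot really is an int. */
struct good_conf {
    int enabled;
    int bufsz;
};

/* Uncommenting this line turns the bad wiring into a build error:
 * static size_t bad = CHECKED_OFFSETOF(struct bad_conf, enabled, int);
 */

/* Correct wiring compiles and the value lands in the right field. */
static int good_conf_roundtrip(void)
{
    struct good_conf c = { 0, 0 };
    set_int_slot(&c, CHECKED_OFFSETOF(struct good_conf, bufsz, int), 8192);
    return c.bufsz;
}

int main(void)
{
    printf("little-endian: %d\n", is_little_endian());
    printf("char flag after int write: %d\n", flag_value_after_int_write());
    printf("neighbour bytes clobbered: %d\n", neighbours_clobbered());
    printf("checked int slot round-trip: %d\n", good_conf_roundtrip());
    return 0;
}
```

The runtime half only shows the symptom; the useful property is that CHECKED_OFFSETOF rejects the bad_conf wiring before any of it runs, which is the point of the RFC.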

Opinions?

Regards, Joe