1 // Copyright 2017 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include <limits.h>
16 #include <stdint.h>
17 
18 #include <type_traits>
19 
20 #include <gtest/gtest.h>
21 
22 #include "test/test_util.h"
23 
24 namespace {
25 
26 // C and C++ have two forms of unspecified behavior: undefined behavior and
27 // implementation-defined behavior.
28 //
29 // Programs that exhibit undefined behavior are invalid. Compilers are
30 // permitted to, and often do, arbitrarily miscompile them. BoringSSL thus aims
31 // to avoid undefined behavior.
32 //
33 // Implementation-defined behavior is left up to the compiler to define (or
34 // leave undefined). These are often platform-specific details, such as how big
35 // |int| is or how |uintN_t| is implemented. Programs that depend on
36 // implementation-defined behavior are not necessarily invalid, merely less
37 // portable. A compiler that provides some implementation-defined behavior is
38 // not permitted to miscompile code that depends on it.
39 //
40 // C allows a much wider range of platform behaviors than would be practical
41 // for us to support, so we make some assumptions on implementation-defined
42 // behavior. Platforms that violate those assumptions are not supported. This
43 // file aims to document and test these assumptions, so that platforms outside
44 // our scope are flagged.
45 
46 template <typename T>
CheckRepresentation(T value)47 static void CheckRepresentation(T value) {
48   SCOPED_TRACE(value);
49 
50   // Convert to the corresponding two's-complement unsigned value. We use an
51   // unsigned value so the right-shift below has defined value. Right-shifts of
52   // negative numbers in C are implementation defined.
53   //
54   // If |T| is already unsigned, this is a no-op, as desired.
55   //
56   // If |T| is signed, conversion to unsigned is defined to repeatedly add or
57   // subtract (numerically, not within |T|) one more than the unsigned type's
58   // maximum value until it fits (this must be a power of two). This is the
59   // conversion we want.
60   using UnsignedT = typename std::make_unsigned<T>::type;
61   UnsignedT value_u = static_cast<UnsignedT>(value);
62   EXPECT_EQ(sizeof(UnsignedT), sizeof(T));
63 
64   // Integers must be little-endian.
65   uint8_t expected[sizeof(UnsignedT)];
66   for (size_t i = 0; i < sizeof(UnsignedT); i++) {
67     expected[i] = static_cast<uint8_t>(value_u);
68     // Divide instead of right-shift to appease compilers that warn if |T| is a
69     // char. The explicit cast is also needed to appease MSVC if integer
70     // promotion happened.
71     value_u = static_cast<UnsignedT>(value_u / 256);
72   }
73   EXPECT_EQ(0u, value_u);
74 
75   // Check that |value| has the expected representation.
76   EXPECT_EQ(Bytes(expected),
77             Bytes(reinterpret_cast<const uint8_t *>(&value), sizeof(value)));
78 }
79 
TEST(CompilerTest,IntegerRepresentation)80 TEST(CompilerTest, IntegerRepresentation) {
81   static_assert(CHAR_BIT == 8, "BoringSSL only supports 8-bit chars");
82   static_assert(UCHAR_MAX == 0xff, "BoringSSL only supports 8-bit chars");
83 
84   // Require that |unsigned char| and |uint8_t| be the same type. We require
85   // that type-punning through |uint8_t| is not a strict aliasing violation. In
86   // principle, type-punning should be done with |memcpy|, which would make this
87   // moot.
88   //
89   // However, C made too many historical mistakes with the types and signedness
90   // of character strings. As a result, aliasing between all variations on 8-bit
91   // chars are a practical necessity for all real C code. We do not support
92   // toolchains that break this assumption.
93   static_assert(
94       std::is_same<unsigned char, uint8_t>::value,
95       "BoringSSL requires uint8_t and unsigned char be the same type");
96   uint8_t u8 = 0;
97   unsigned char *ptr = &u8;
98   (void)ptr;
99 
100   // Sized integers have the expected size.
101   static_assert(sizeof(uint8_t) == 1u, "uint8_t has the wrong size");
102   static_assert(sizeof(uint16_t) == 2u, "uint16_t has the wrong size");
103   static_assert(sizeof(uint32_t) == 4u, "uint32_t has the wrong size");
104   static_assert(sizeof(uint64_t) == 8u, "uint64_t has the wrong size");
105 
106   // size_t does not exceed uint64_t.
107   static_assert(sizeof(size_t) <= 8u, "size_t must not exceed uint64_t");
108 
109   // Require that |int| be exactly 32 bits. OpenSSL historically mixed up
110   // |unsigned| and |uint32_t|, so we require it be at least 32 bits. Requiring
111   // at most 32-bits is a bit more subtle. C promotes arithemetic operands to
112   // |int| when they fit. But this means, if |int| is 2N bits wide, multiplying
113   // two maximum-sized |uintN_t|s is undefined by integer overflow!
114   //
115   // We attempt to handle this for |uint16_t|, assuming a 32-bit |int|, but we
116   // make no attempts to correct for this with |uint32_t| for a 64-bit |int|.
117   // Thus BoringSSL does not support ILP64 platforms.
118   //
119   // This test is on |INT_MAX| and |INT32_MAX| rather than sizeof because it is
120   // theoretically allowed for sizeof(int) to be 4 but include padding bits.
121   static_assert(INT_MAX == INT32_MAX, "BoringSSL requires int be 32-bit");
122   static_assert(UINT_MAX == UINT32_MAX,
123                 "BoringSSL requires unsigned be 32-bit");
124 
125   CheckRepresentation(static_cast<signed char>(127));
126   CheckRepresentation(static_cast<signed char>(1));
127   CheckRepresentation(static_cast<signed char>(0));
128   CheckRepresentation(static_cast<signed char>(-1));
129   CheckRepresentation(static_cast<signed char>(-42));
130   CheckRepresentation(static_cast<signed char>(-128));
131 
132   CheckRepresentation(static_cast<int>(INT_MAX));
133   CheckRepresentation(static_cast<int>(0x12345678));
134   CheckRepresentation(static_cast<int>(1));
135   CheckRepresentation(static_cast<int>(0));
136   CheckRepresentation(static_cast<int>(-1));
137   CheckRepresentation(static_cast<int>(-0x12345678));
138   CheckRepresentation(static_cast<int>(INT_MIN));
139 
140   CheckRepresentation(static_cast<unsigned>(UINT_MAX));
141   CheckRepresentation(static_cast<unsigned>(0x12345678));
142   CheckRepresentation(static_cast<unsigned>(1));
143   CheckRepresentation(static_cast<unsigned>(0));
144 
145   CheckRepresentation(static_cast<long>(LONG_MAX));
146   CheckRepresentation(static_cast<long>(0x12345678));
147   CheckRepresentation(static_cast<long>(1));
148   CheckRepresentation(static_cast<long>(0));
149   CheckRepresentation(static_cast<long>(-1));
150   CheckRepresentation(static_cast<long>(-0x12345678));
151   CheckRepresentation(static_cast<long>(LONG_MIN));
152 
153   CheckRepresentation(static_cast<unsigned long>(ULONG_MAX));
154   CheckRepresentation(static_cast<unsigned long>(0x12345678));
155   CheckRepresentation(static_cast<unsigned long>(1));
156   CheckRepresentation(static_cast<unsigned long>(0));
157 
158   CheckRepresentation(static_cast<int16_t>(0x7fff));
159   CheckRepresentation(static_cast<int16_t>(0x1234));
160   CheckRepresentation(static_cast<int16_t>(1));
161   CheckRepresentation(static_cast<int16_t>(0));
162   CheckRepresentation(static_cast<int16_t>(-1));
163   CheckRepresentation(static_cast<int16_t>(-0x7fff - 1));
164 
165   CheckRepresentation(static_cast<uint16_t>(0xffff));
166   CheckRepresentation(static_cast<uint16_t>(0x1234));
167   CheckRepresentation(static_cast<uint16_t>(1));
168   CheckRepresentation(static_cast<uint16_t>(0));
169 
170   CheckRepresentation(static_cast<int32_t>(0x7fffffff));
171   CheckRepresentation(static_cast<int32_t>(0x12345678));
172   CheckRepresentation(static_cast<int32_t>(1));
173   CheckRepresentation(static_cast<int32_t>(0));
174   CheckRepresentation(static_cast<int32_t>(-1));
175   CheckRepresentation(static_cast<int32_t>(-0x7fffffff - 1));
176 
177   CheckRepresentation(static_cast<uint32_t>(0xffffffff));
178   CheckRepresentation(static_cast<uint32_t>(0x12345678));
179   CheckRepresentation(static_cast<uint32_t>(1));
180   CheckRepresentation(static_cast<uint32_t>(0));
181 
182   CheckRepresentation(static_cast<int64_t>(0x7fffffffffffffff));
183   CheckRepresentation(static_cast<int64_t>(0x123456789abcdef0));
184   CheckRepresentation(static_cast<int64_t>(1));
185   CheckRepresentation(static_cast<int64_t>(0));
186   CheckRepresentation(static_cast<int64_t>(-1));
187   CheckRepresentation(static_cast<int64_t>(-0x7fffffffffffffff - 1));
188 
189   CheckRepresentation(static_cast<uint64_t>(0xffffffffffffffff));
190   CheckRepresentation(static_cast<uint64_t>(0x12345678abcdef0));
191   CheckRepresentation(static_cast<uint64_t>(1));
192   CheckRepresentation(static_cast<uint64_t>(0));
193 }
194 
TEST(CompilerTest,PointerRepresentation)195 TEST(CompilerTest, PointerRepresentation) {
196   // Converting pointers to integers and doing arithmetic on those values are
197   // both defined. Converting those values back into pointers is undefined,
198   // but, for aliasing checks, we require that the implementation-defined
199   // result of that computation commutes with pointer arithmetic.
200   char chars[256];
201   for (size_t i = 0; i < sizeof(chars); i++) {
202     EXPECT_EQ(reinterpret_cast<uintptr_t>(chars) + i,
203               reinterpret_cast<uintptr_t>(chars + i));
204   }
205 
206   int ints[256];
207   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(ints); i++) {
208     EXPECT_EQ(reinterpret_cast<uintptr_t>(ints) + i * sizeof(int),
209               reinterpret_cast<uintptr_t>(ints + i));
210   }
211 
212   // nullptr must be represented by all zeros in memory. This is necessary so
213   // structs may be initialized by memset(0).
214   int *null = nullptr;
215   uint8_t bytes[sizeof(null)] = {0};
216   EXPECT_EQ(Bytes(bytes),
217             Bytes(reinterpret_cast<uint8_t *>(&null), sizeof(null)));
218 }
219 
aba(uintptr_t * a,void ** b)220 static uintptr_t aba(uintptr_t *a, void **b) {
221   *a = (uintptr_t)1;
222   *b = NULL;
223   return *a;  // 0 if a == b, 1 if a and b are disjoint
224 }
225 
TEST(CompilerTest,NoStrictAliasing)226 TEST(CompilerTest, NoStrictAliasing) {
227   // Sequential memory access must be sequentially consistent across types.
228   // Compilers such as clang and gcc need to be passed -fno-strict-aliasing
229   // for this to remain true at at higher optimization levels. Use with the
230   // opposite configuration, -fstrict-aliasing, is not supported.
231   // Even though some subset of type punning through memory is considered
232   // undefined behavior, the subtlety of exactly which subset that is and the
233   // limited sanitizer-tooling support make it impractical to avoid reliably.
234   uint8_t aliased[sizeof(void *)] = {};
235   uint8_t zeros[sizeof(void *)] = {};
236 
237   OPENSSL_memset(aliased, -1, sizeof(aliased));
238   EXPECT_EQ(aba((uintptr_t *)aliased, (void **)aliased), (uintptr_t)0);
239   EXPECT_EQ(Bytes(aliased), Bytes(zeros));
240 
241   volatile auto volatile_aba = &aba;
242   OPENSSL_memset(aliased, -1, sizeof(aliased));
243   EXPECT_EQ(volatile_aba((uintptr_t *)aliased, (void **)aliased), (uintptr_t)0);
244   EXPECT_EQ(Bytes(aliased), Bytes(zeros));
245 }
246 }  // namespace
247