-
Notifications
You must be signed in to change notification settings - Fork 80
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CodeQL: Multiplication result converted to larger type #245
Comments
OK, I think I can explain this:
The source of the warning are the following 4 multiplications: s4*rr0;
s4*rr1;
s4*rr2;
s4*rr3; Those are pure 32-bit multiplications, because contrary to To silence the warning, you don't need all your conversions, you can be content with those: const u64 x0 = s0*r0+ s1*rr3+ s2*rr2+ s3*rr1+ (u64)s4*rr0; // <= 97ffffe007fffff8
const u64 x1 = s0*r1+ s1*r0 + s2*rr3+ s3*rr2+ (u64)s4*rr1; // <= 8fffffe20ffffff6
const u64 x2 = s0*r2+ s1*r1 + s2*r0 + s3*rr3+ (u64)s4*rr2; // <= 87ffffe417fffff4
const u64 x3 = s0*r3+ s1*r2 + s2*r1 + s3*r0 + (u64)s4*rr3; // <= 7fffffe61ffffff2 This is indeed perfectly safe. My problem here is the performance impact: I've ran the benchmarks ( Now there are two questions:
Thing is, Poly1305, and the bignum arithmetic that goes with it, is incredibly error prone no matter how you cut it. To make sure I caught all edge cases I have written a proof of correctness, and I'm even considering automating the part that shows there is no overflow. You may note that this proof hinges on specific input invariants, that are not enforced by C's type system. So as long as CodeQL only goes by C's type system, it has to warn us. Ideally we'd be able to add annotations that make pinky promises on the range of |
Thank you for the analysis, and the link to the proof. I suspected it was fine, but now I have justification for whatever I decide to do! I've reported this to the CodeQL people in github/codeql#11556, so we'll see what they want to do there. Unfortunately they don't have an inline suppression mechanism, so probably I will just leave a comment for the next person and move on. If adding the cast was free I'd use it, but I see no reason to take a performance hit to silence a warning that only a tiny number of people will see. Thanks for your time, I very much appreciate it! |
OK, closing this as wontfix then. Still, I believe something should be done at some point to assure reviewers and auditors that the current code is okay, despite the scary warnings from the tools. Hence #246. |
A quick update: I have now added a little script that automatically checks the absence of integer overflow in the Poly1305 main loop ( It won't help CodeQL, but this step towards actual formal verification does give some piece of mind. |
I ran CodeQL, a static analysis tool, on monocypher 3.1.3 (more below). It reports "Multiple result converted to large type" on these four lines in
poly1305_blocks
:Adding a pile of casts silences the warnings, and the tests still pass:
I looked at the disassembly of both and they are subtly different, but I don't know enough to know if that's meaningful.
If you think this is a false positive I would be happy to take it up with the CodeQL people myself, but I'd be interested to know if you think the version with the casts is still "safe", as that is likely the workaround I will use for my project.
As for CodeQL, I don't actually know it or use it myself; its an automated Github thing that open source projects can opt in to, and one I am contributing to (see openzfs/zfs#14249) is using it. I am mostly looking to you for guidance here.
Reproduction:
GCC 10.2.1, Linux x86_64.
The text was updated successfully, but these errors were encountered: