CMake: add WITH_STRSIZE_DEBUG option, RNA support #107602
No reviewers
Labels
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: blender/blender#107602
Loading…
Reference in New Issue
No description provided.
Delete Branch "ideasman42/blender:pr-debug-strsize"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Support string size debug so it can be used for regular development.
It works be writing values into strings, ensuring the buffer size
given is actually available. Developers can use this with memory
checking tools such as ASAN/valgrind to force an error when
the value used for the size of a buffer is larger than the buffer.
Resolve remaining issue with RNA using BLI_strncpy* in generated
callback functions where the size argument didn't represent the
size of the destination buffer.
This is automatically enabled along with ASAN for the
blender_developer.cmake
configuration.This PR proposes to make
WITH_STRSIZE_DEBUG
a build-time option that developers can keen enabled, similar to ASAN.There have been potential buffer overflows in Blender's code for years, these mostly went by unnoticed as users just didn't trigger with overly long strings, although a some were fairly easy to trigger.
The following issues were detecting using this method:
91325378cb
ff0cf45bc2
ba978e1b68
e462e20e21
Possible Changes
WITH_STRING_SIZE_DEBUG
While I see the point of the patch, I am not so convinced by the solution proposed here.
Having to add such clutter to all RNA string accessors does not really sounds good to me, to say the least. Not to mention that other places in code would most likely need such checks too? Which implies also the need to manually identify such places, etc.
Is there a reason (when the debug option is on) not to e.g. systematically write (or even read actually) the whole allowed size in destination buffer in BLI_string functions? This should trigger ASAN & co just as well, and ensures all code calling BLI_string copy etc. functions is checked for proper buffer maxsizes, without having to manually modify it?
Also, I do not understand the need for the
_nodebug
versions of the BLI_string functions, can you explain more in details?Finally, agree with your notes regarding naming. In fact, could even use a more generic name (
WITH_BUFFER_SIZE_DEBUG
?), and in the future we could have our ownmemcpy
wrapper that would perform the same type of checks too?Yep, it's a judgement call, without something like this - we get on mostly OK, but there is a high chance these kinds of errors get re-introduced and we don't notice ... arguably if we don't notice they can't be that bad. On the other hand, users don't report every bug they run into and if they do, these kinds of errors take time to track down. This patch has the advantage of being able to catch them early, avoiding them to begin with.
It's not all access functions, only ones that call into functions that expect fixed sized buffers.
Not sure what you mean by having to manually modify it. From what your writing, this patch is writing the whole allowed size, so I'm not sure what your suggesting be different.
RNA_property_string_get_alloc
does the following.length = RNA_property_string_length(..)
buf = MEM_mallocN(length + 1)
RNA_property_string_get(..., buf);
This means the buffer length is exactly the size needed.
Then if the internal RNA
_get()
callback uses:BLI_strncpy(buf, id->name + 2, MAX_ID_NAME - 2);
for example, the destination buffer is allocated memory of size:strlen(id->name + 2) + 1
notMAX_ID_NAME - 2
.So the length argument is technically wrong but as the caller is expected to use
strlen
first, it turns out not to matter unlessDEBUG_STRSIZE
is enabled and the full buffer size is written to. If the string weren't nil terminated there would be a difference, but we don't support un-terminated strings frommakesrna.c
(generated code callsstrlen(..)
on these strings so they have to be terminated).This seems fine, I wouldn't mind updating the patch if other issues are resolved and it's generally an acceptable approach.
@ -654,0 +655,4 @@
Ensure string operations on fixed size buffers \
(works well with with \"WITH_COMPILER_ASAN\" & valgrind to detect incorrect buffer size arguments)"
OFF)
mark_as_advanced(WITH_STRSIZE_DEBUG)
Do you think we could enable this in
build_files/cmake/config/blender_developer.cmake
?There is a performance impact, but if ASAN is on as well it's not a big deal I guess.
I'd even consider just always enabling this when ASAN is used, and not even having a CMake option.
Enabled in
blender_developer.cmake
, I'd rather keep it a separate option though for a couple of reasons.@ -738,2 +738,2 @@
"BLI_strncpy" :
"BLI_strncpy_utf8";
"BLI_strncpy_nodebug" :
"BLI_strncpy_utf8_nodebug";
This could always be just
strcpy
I think? Checking the length of the source string does not seem helpful, andvalue
should have the appropriate size.Replaced
BLI_strncpy
&BLI_strncpy_utf8
withstrcpy
, also double checkedBLI_strncpy_utf8
wasn't doing anything besides not copying a partial utf8 character when the string size is limited.The sizes passed to BLI_strncpy have been moved to assertions in debug mode to they remain valid.
@ -1216,7 +1216,13 @@ static StructRNA *rna_wmKeyConfigPref_refine(PointerRNA *ptr)
static void rna_wmKeyMapItem_idname_get(PointerRNA *ptr, char *value)
{
wmKeyMapItem *kmi = ptr->data;
# ifdef DEBUG_STRSIZE
For these cases, I would remove the #ifdef, add a comment instead and always do the extra copy.
This is not performance critical, and in some way I think the code can be considered to be more correct that way.
Done.
8a3b53ed8e
to47e9a4f62c
47e9a4f62c
to0e853e746f
Updated the patch:
*_debug()
versions of string copying functions, use strcpy in RNA.BLI_strncpy
calls from RNA callbacks inmain
, use fixed size buffers in a couple of places.0e853e746f
to57e6dfe122
57e6dfe122
to8b7c31137a
@blender-bot build
8b7c31137a
to16f43c8dcd
Ah, did not know (or remember) that
DEBUG_STRSIZE
was already a thing in existing code... now things make much more sense.Patch LGTM too.
Committed
7f8495c44b
, closing.Pull request closed