Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 1335da38f4e1d73df4e7d5fb1e98846e34c9367d^! / . / src / haproxy.c
commit1335da38f4e1d73df4e7d5fb1e98846e34c9367d[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Wed Jul 14 17:54:01 2021 +0200
committerWilly Tarreau <w@1wt.eu>Wed Jul 14 18:50:27 2021 +0200
tree19c1d9a4b2a96328b27c4814cbae2f6dbc19a950
parent0498fa4059c545d9c066db094dff154174e15bca [diff] [blame]
BUILD: add detection of missing important CFLAGS

Modern compilers love to break existing code, and some options detected
at build time (such as -fwrapv) are absolutely critical otherwise some
bad code can be generated.

Given that some users rely on packages that force CFLAGS without being
aware of this and can be hit by runtime bugs, we have to help packagers
figure that they need to be careful about their build options.

The test here consists in detecting correct wrapping of signed integers.
Some of the old code relies on it, and modern compilers recently decided
to break it. It's normally addressed using -fwrapv which users will
rarely enforce in their own flags. Thus it is a good indicator of missing
critical CFLAGS, and it happens to be very easy to detect at run time.
Note that the test uses argc in order to have a variable. While gcc
ignores wrapping even for constants, clang only ignores it for variables.
The way the code is constructed doesn't result in code being emitted for
optimized builds thanks to value range propagation.

This should address GitHub issue #1315, and should be backported to all
stable versions. It may result in instantly breaking binaries that seemed
to work fine (typically the ones suddenly showing a busy loop after a few
weeks of uptime), and require packagers to fix their flags. The vast
majority of distro packages are fine and will not be affected though.

diff --git a/src/haproxy.c b/src/haproxy.c
index de13aba..b5c6a13 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c

@@ -2842,6 +2842,38 @@
 	int err, retry;
 	struct rlimit limit;
 	int pidfd = -1;
+	int intovf = (unsigned char)argc + 1; /* let the compiler know it's strictly positive */
+
+	/* Catch forced CFLAGS that miss 2-complement integer overflow */
+	if (intovf + 0x7FFFFFFF >= intovf) {
+		fprintf(stderr,
+		        "FATAL ERROR: invalid code detected -- cannot go further, please recompile!\n"
+			"The source code was miscompiled by the compiler, which usually indicates that\n"
+			"some of the CFLAGS needed to work around overzealous compiler optimizations\n"
+			"were overwritten at build time. Please do not force CFLAGS, and read Makefile\n"
+			"and INSTALL files to decide on the best way to pass your local build options.\n"
+		        "\nBuild options :"
+#ifdef BUILD_TARGET
+		       "\n  TARGET  = " BUILD_TARGET
+#endif
+#ifdef BUILD_CPU
+		       "\n  CPU     = " BUILD_CPU
+#endif
+#ifdef BUILD_CC
+		       "\n  CC      = " BUILD_CC
+#endif
+#ifdef BUILD_CFLAGS
+		       "\n  CFLAGS  = " BUILD_CFLAGS
+#endif
+#ifdef BUILD_OPTIONS
+		       "\n  OPTIONS = " BUILD_OPTIONS
+#endif
+#ifdef BUILD_DEBUG
+		       "\n  DEBUG   = " BUILD_DEBUG
+#endif
+		       "\n\n");
+		return 1;
+	}
 
 	setvbuf(stdout, NULL, _IONBF, 0);