Skip to content

Add VERIFY_ONLY_CHECK that only evaluates in VERIFY mode #902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Add VERIFY_ONLY_CHECK that only evaluates in VERIFY mode #902

wants to merge 1 commit into from

Conversation

@sipa
Copy link
Contributor

@sipa sipa commented Mar 12, 2021

The VERIFY_CHECK macro still evaluates its argument in non-VERIFY mode, to make sure that in case it has any side effects (intentionally or unintentionally) that are relevant to the code, these also apply in production builds.

This isn't always desirable. If nontrivial functions are invoked inside of them the compiler may be unable to optimize the call out, resulting in performance degradation or even the introduction of non-constant-time behavior where that is unexpected.

This adds a new VERIFY_ONLY_CHECK macro that does not evaluate its argument (it is still compiled inside an if (0) though to guarantee syntactic correctness), for this purpose, and changes some nontrivial calls to use it.

@sipa sipa mentioned this pull request Mar 12, 2021
Merged
@real-or-random
Copy link
Contributor

real-or-random commented Mar 12, 2021

What do you think about this?

extern int not_supposed_to_survive;
#if defined(COVERAGE)
...
#elif defined(VERIFY)
#define VERIFY_CHECK CHECK
#define VERIFY_SETUP(stmt) do { stmt; } while(0)
#else
#define VERIFY_CHECK(cond) do { (void)(not_supposed_to_survive || (cond)); } while(0)
#define VERIFY_SETUP(stmt)
#endif

This a rather hacky but working way to let the compiler error out if it fails to prove that cond has no side-effects. (Taken from https://stackoverflow.com/a/35294344.)

This compiles fine with on current master on clang and gcc with -O1 and higher. Compilations fails when I add a dubious VERIFY_CHECK with a side-effect.

@sipa
Copy link
Contributor Author

sipa commented Mar 12, 2021

@real-or-random Ha, nice!

But I think we'll still want a macro like this for cases where it can't be optimized out? Or do you think all cases now are actually removed?

We'd also need some define to explicitly disable VERIFY_CHECK for -O0 builds.

@real-or-random
Copy link
Contributor

real-or-random commented Mar 12, 2021
edited
Loading

@real-or-random Ha, nice!

But I think we'll still want a macro like this for cases where it can't be optimized out? Or do you think all cases now are actually removed?

I think the fact that master compiles fine with this implies all cases are optimized everywhere.

We'd also need some define to explicitly disable VERIFY_CHECK for -O0 builds.

Indeed.

edit: We also may want to make this conditional on clang/gcc to make sure we don't break compilation for people using obscure compilers.

@sipa sipa mentioned this pull request Mar 12, 2021
Closed
@sipa
Copy link
Contributor Author

sipa commented Mar 12, 2021

@real-or-random See #904.

@sipa
Copy link
Contributor Author

sipa commented Mar 15, 2021

Closing in favor of #904.

@sipa sipa closed this Mar 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sipa @real-or-random