Re: [PATCH] fortify: turn strlen() into an inline function using __builtin_constant_p()

From: Vincent Mailhol
Date: Sat Jan 11 2025 - 09:41:13 EST


On Thu. 9 Jan 2025 at 16:52, Vincent Mailhol <mailhol.vincent@xxxxxxxxxx> wrote:
(...)
> > > * possible for strlen() to be used on compile-time strings for use in
> > > * static initializers (i.e. as a constant expression).
> >
> > ^^ This comment, however, is I think what sinks this patch. Please see
> > commit 67ebc3ab4462 ("fortify: Make sure strlen() may still be used as a
> > constant expression") which required that strlen() not be an inline. I'm
> > pretty sure the build will start failing again (though perhaps only on
> > older GCC versions).
>
> Strange. I tested it with GCC 5.1 on godbolt and it worked fine. After
> more investigation, I only got complains from GCC up to 4.9.4:
>
> https://godbolt.org/z/rW8r74vE3
>
> I also just did a successful defconfig build using GCC 5.4 (sorry, I
> do not have an environment with GCC 5.1).
>
> So, it looks like an issue of the past to me. But in 67ebc3ab4462, the
> minimum compiler version was already 5.1:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/scripts/min-tool-version.sh?id=67ebc3ab4462#n20
>
> In the end, I am not sure what was the issue you encountered at that time.
>
> Well, I am not able to reproduce, but if you tell me this is an issue,
> then I can just keep the s/__is_constexpr/__builtin_constant_p/g
> change in v2 and drop the inline function part (thus keeping the
> triple expansion).
>
> Let me know if you still think that having it as a function is a no
> go. In the end, the main purpose here is to get rid of the
> __is_constexpr. Turning the macro into a function still looks slightly
> better to me, but at the end I do not really mind.

Actually, I did more investigation and it is working for some strange
reasons. Whenever the argument of a function named strlen() is a
compile time constant, the compiler (both GCC and clang) will replace
it with the string length on the argument, even if strlen() is
programmed to return something else:

https://godbolt.org/z/nK4b3fnM7

So it is only working because the compiler uses its builtin strlen()
instead of the function we provided.

Actually, we could just do:

extern inline size_t strlen(const char *p)
{
return __fortify_strlen(p);
}

and it would work: the compiler ignores the content whenever p is a
compile time constant ¯\_(ツ)_/¯

Well, all this is really ugly. I will drop the inline function and
send a v2 just with the s/__is_constexpr/__builtin_constant_p/g
replacement.


Yours sincerely,
Vincent Mailhol