From: Nathan Chancellor <nathan@kernel.org>
To: Kees Cook <kees@kernel.org>
Cc: linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] kunit/fortify: Replace "volatile" with OPTIMIZER_HIDE_VAR()
Date: Mon, 17 Mar 2025 10:48:40 -0700
Message-ID: <20250317174840.GA1451320@ax162>
In-Reply-To: <20250312000439.work.112-kees@kernel.org>

Hi Kees,

On Tue, Mar 11, 2025 at 05:04:40PM -0700, Kees Cook wrote:
> It does seem that using "volatile" isn't going to be sane compared to
> using OPTIMIZER_HIDE_VAR() going forward. Some strange interactions[1]
> with the sanitizers have been observed in the self-test code, so replace
> the logic.
>
> Reported-by: Nathan Chancellor <nathan@kernel.org>
> Closes: https://github.com/ClangBuiltLinux/linux/issues/2075 [1]
> Signed-off-by: Kees Cook <kees@kernel.org>
...
> diff --git a/lib/tests/fortify_kunit.c b/lib/tests/fortify_kunit.c
> index 18dcdedf777f..29ffc62a71e3 100644
> --- a/lib/tests/fortify_kunit.c
> +++ b/lib/tests/fortify_kunit.c
...
> @@ -993,8 +1003,11 @@ static void fortify_test_memcmp(struct kunit *test)
> {
> char one[] = "My mind is going ...";
> char two[] = "My mind is going ... I can feel it.";
> - size_t one_len = sizeof(one) + unconst - 1;
> - size_t two_len = sizeof(two) + unconst - 1;
> + size_t one_len = sizeof(one) - 1;
> + size_t two_len = sizeof(two) - 1;
> +
> + OPTIMIZER_HIDE_VAR(one_len);
> + OPTIMIZER_HIDE_VAR(two_len);
>
> /* We match the first string (ignoring the %NUL). */
> KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
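
Review bot: The two OPTIMIZER_HIDE_VAR() calls added below the one_len and two_len declarations carry no comment saying why the lengths must be hidden from the optimizer, and the "+ unconst" term they replace was the only visible hint of that intent. A one-line comment above them stating that the sizes must not be resolvable at compile time would keep the reason in the test. Since the hide is now a separate statement after initialisation rather than part of the expression that computes each length, the commit message should also say which compiler and LTO configurations were build-tested.
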
I am sorry for bringing this up some time after you sent this change, as
I have only now had a chance to actually sit down and understand the
results of my bisect. I am still seeing a __read_overflow error when
building lib/tests/fortify_kunit.o with Fedora's configuration + LTO in
next-20250317, which contains this change. I do not think it is issue
2075, as I can reproduce it without UBSAN enabled altogether. This is
with LLVM 20.1.0.

  $ cat kernel/configs/repro.config
  CONFIG_FORTIFY_KUNIT_TEST=m
  CONFIG_FORTIFY_SOURCE=y
  CONFIG_KUNIT=y
  # CONFIG_LTO_NONE is not set
  CONFIG_LTO_CLANG_THIN=y

  # or x86_64
  $ make -skj"$(nproc)" ARCH=arm64 LLVM=1 mrproper {def,repro.}config lib/tests/fortify_kunit.o
  ld.lld: error: call to __read_overflow marked "dontcall-error": detected read beyond size of object (1st parameter)
  make[6]: *** [scripts/Makefile.build:203: lib/tests/fortify_kunit.o] Error 1

Selectively reverting this avoids the problem, which is definitely
odd... Maybe issue 2075 is related more to issue 2077 and this patch
should not be entertained?

Cheers,
Nathan

diff --git a/lib/tests/fortify_kunit.c b/lib/tests/fortify_kunit.c
index 29ffc62a71e3..1164223654ac 100644
--- a/lib/tests/fortify_kunit.c
+++ b/lib/tests/fortify_kunit.c
@@ -411,6 +411,8 @@ struct fortify_padding {
char buf[32];
unsigned long bytes_after;
};
+/* Force compiler into not being able to resolve size at compile-time. */
+static volatile int unconst;
static void fortify_test_strlen(struct kunit *test)
{
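
Review bot: The comment re-added above "static volatile int unconst;" repeats the old wording and does not say why volatile is needed again, although the patch being replied to describes volatile as not sane compared to OPTIMIZER_HIDE_VAR(). If this goes in as a workaround, extend the comment to name the failing case (the __read_overflow link error with CONFIG_LTO_CLANG_THIN=y) and to note that, as far as this diff shows, fortify_test_memcmp() is the only user.
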
@@ -1003,11 +1005,8 @@ static void fortify_test_memcmp(struct kunit *test)
{
char one[] = "My mind is going ...";
char two[] = "My mind is going ... I can feel it.";
- size_t one_len = sizeof(one) - 1;
- size_t two_len = sizeof(two) - 1;
-
- OPTIMIZER_HIDE_VAR(one_len);
- OPTIMIZER_HIDE_VAR(two_len);
+ size_t one_len = sizeof(one) + unconst - 1;
+ size_t two_len = sizeof(two) + unconst - 1;
/* We match the first string (ignoring the %NUL). */
KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
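
Review bot: Both one_len and two_len are switched back to "+ unconst" in this hunk, so it does not show which of the two lengths lets the compiler prove the read beyond the object. Reverting them one at a time would narrow the reproducer, and the smaller change would leave only one length on the volatile path while the other keeps OPTIMIZER_HIDE_VAR().
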