Check that VERIFY_CHECK is side-effect free

Author: sipa

build-aux/m4/bitcoin_secp.m4

@@ -9,6 +9,37 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 AC_MSG_RESULT([$has_64bit_asm])
 ])
 
+AC_DEFUN([SECP_CHECK_SIDE_EFFECT_FREE],[
+AC_MSG_CHECKING(whether compiler detects side effect free statements)
+AC_LINK_IFELSE([AC_LANG_SOURCE([[
+  #include <stdlib.h>
+  static int my_memcmp(const void *s1, const void *s2, size_t n) {
+    const unsigned char *p1 = s1, *p2 = s2;
+    size_t i;
+    for (i = 0; i < n; i++) {
+        int diff = p1[i] - p2[i];
+        if (diff != 0) {
+            return diff;
+        }
+    }
+    return 0;
+  }
+
+  static int side_effect_free(int val, const int* ptr) {
+      static const unsigned char foo[32] = {1,2,3};
+      if (!my_memcmp(ptr, foo, val)) return 0;
+      return (((val + 13) * ptr[0] ^ 7) * ptr[ptr[1]] / 11) * (int)ptr == 0;
+  }
+
+  extern int should_not_survive;
+  int main(int argc, char** argv) {
+      (void)(should_not_survive || side_effect_free(argc, (const int*)argv));
+      return 0;
+  }
+  ]])],[has_check_side_effect_free=yes],[has_check_side_effect_free=no])
+AC_MSG_RESULT([$has_check_side_effect_free])
+])
+
 dnl
 AC_DEFUN([SECP_OPENSSL_CHECK],[
   has_libcrypto=no

configure.ac

@@ -155,6 +155,11 @@ AC_ARG_ENABLE(external_default_callbacks,
     [use_external_default_callbacks=$enableval],
     [use_external_default_callbacks=no])
 
+AC_ARG_ENABLE(side_effect_free_check,
+    AS_HELP_STRING([--enable-side-effect-free-check],[enable checking assertions are side-effect free (yes/no/auto) [default=no]]),
+    [use_side_effect_free_check=$enableval],
+    [use_side_effect_free_check=no])
+
 # Test-only override of the (autodetected by the C code) "widemul" setting.
 # Legal values are int64 (for [u]int64_t), int128 (for [unsigned] __int128), and auto (the default).
 AC_ARG_WITH([test-override-wide-multiply], [] ,[set_widemul=$withval], [set_widemul=auto])
@@ -210,6 +215,18 @@ else
     CFLAGS="-O2 $CFLAGS"
 fi
 
+set_check_side_effect_free=no
+if test x"$use_side_effect_free_check" != x"no"; then
+  SECP_CHECK_SIDE_EFFECT_FREE
+  if test x"$has_check_side_effect_free" = x"yes"; then
+    set_check_side_effect_free=yes
+  else
+    if test x"$use_side_effect_free_check" != x"auto"; then
+      AC_MSG_ERROR([Side effect free checking requested but not compatible with compiler])
+    fi
+  fi
+fi
+
 if test x"$req_asm" = x"auto"; then
   SECP_64BIT_ASM_CHECK
   if test x"$has_64bit_asm" = x"yes"; then
@@ -258,6 +275,16 @@ if test x"$use_external_asm" = x"yes"; then
   AC_DEFINE(USE_EXTERNAL_ASM, 1, [Define this symbol if an external (non-inline) assembly implementation is used])
 fi
 
+case $set_check_side_effect_free in
+yes)
+  AC_DEFINE(CHECK_SIDE_EFFECT_FREE, 1, [Define this symbol to enable checks for side-effect free statements])
+  ;;
+no)
+  ;;
+*)
+  AC_MSG_ERROR([invalid selection for check_side_effect_free])
+  ;;
+esac
 
 # Select wide multiplication implementation
 case $set_widemul in

src/util.h

@@ -57,26 +57,38 @@ static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *
 } while(0)
 #endif
 
-/* VERIFY_CHECK is like assert(), but gated by -DVERIFY, and always
- * evaluated (even without -DVERIFY) to minimize differences between
- * the two modes if conditions with side effects are accidentally
- * included.
+#ifdef CHECK_SIDE_EFFECT_FREE
+/* When our compiler is capable to optimizing away references to variables
+ * that control execution of a side-effect free statement, use this to
+ * check that VERIFY_CHECK conditions are safe.
+ *
+ * Credit to: https://stackoverflow.com/a/35294344 */
+extern int secp256k1_not_supposed_to_survive;
+#define ASSERT_NO_SIDE_EFFECT(cond) do { (void)(secp256k1_not_supposed_to_survive || (cond)); } while(0)
+#else
+/* If we can't use that, just run it in an unexecuted branch, to make sure it is still
+ * syntactically valid. */
+#define ASSERT_NO_SIDE_EFFECT(cond) do { if (0) { (void)(cond); } } while(0)
+#endif
+
+/* VERIFY_CHECK is like assert(), but gated by -DVERIFY, and verified for
+ * side effect-freeness under -DCHECK_SIDE_EFFECT_FREE.
  *
  * VERIFY_CHECK_ONLY is similar, but less safe: it has no effect outside
  * of -DVERIFY, and thus can be used with expensive conditions, or even
  * conditions that wouldn't compile outside -DVERIFY). */
 #if defined(COVERAGE)
-#define VERIFY_CHECK(check)
-#define VERIFY_CHECK_ONLY(check)
-#define VERIFY_SETUP(stmt)
+#  define VERIFY_CHECK(check)
+#  define VERIFY_CHECK_ONLY(check)
+#  define VERIFY_SETUP(stmt)
 #elif defined(VERIFY)
-#define VERIFY_CHECK CHECK
-#define VERIFY_CHECK_ONLY CHECK
-#define VERIFY_SETUP(stmt) do { stmt; } while(0)
+#  define VERIFY_CHECK(cond) do { ASSERT_NO_SIDE_EFFECT(cond); CHECK(cond); } while (0)
+#  define VERIFY_CHECK_ONLY CHECK
+#  define VERIFY_SETUP(stmt) do { stmt; } while(0)
 #else
-#define VERIFY_CHECK(cond) do { (void)(cond); } while(0)
-#define VERIFY_CHECK_ONLY(cond)
-#define VERIFY_SETUP(stmt)
+#  define VERIFY_CHECK(cond) do { ASSERT_NO_SIDE_EFFECT(cond); } while (0)
+#  define VERIFY_CHECK_ONLY(cond)
+#  define VERIFY_SETUP(stmt)
 #endif
 
 /* Define `VG_UNDEF` and `VG_CHECK` when VALGRIND is defined  */