Make sure that statements such as: strcpy (dst, "/gnu/store/…"); or static const char str[] = "/gnu/store/…"; … strcpy (dst, str); do not result in chunked /gnu/store strings that are undetectable by Guix's GC and its grafting code. See and . diff --git a/gcc/builtins.c b/gcc/builtins.c index d37d73fc4a0..dac33d9d29a 100644 --- a/gcc/builtins.c +++ b/gcc/builtins.c @@ -3282,6 +3282,58 @@ determine_block_size (tree len, rtx len_rtx, GET_MODE_MASK (GET_MODE (len_rtx))); } +extern void debug_tree (tree); + +/* Return true if STR contains the string "/gnu/store". */ + +bool +store_reference_p (tree str) +{ + if (getenv ("GUIX_GCC_DEBUG") != NULL) + debug_tree (str); + + if (TREE_CODE (str) == ADDR_EXPR) + str = TREE_OPERAND (str, 0); + + if (TREE_CODE (str) == VAR_DECL + && TREE_STATIC (str) + && TREE_READONLY (str)) + { + /* STR may be a 'static const' variable whose initial value + is a string constant. See . */ + str = DECL_INITIAL (str); + if (str == NULL_TREE) + return false; + } + + if (TREE_CODE (str) != STRING_CST) + return false; + + int len; + const char *store; + + store = getenv ("NIX_STORE") ? getenv ("NIX_STORE") : "/gnu/store"; + len = strlen (store); + + /* Size of the hash part of store file names, including leading slash and + trailing hyphen. */ + const int hash_len = 34; + + if (TREE_STRING_LENGTH (str) < len + hash_len) + return false; + + /* We cannot use 'strstr' because 'TREE_STRING_POINTER' returns a string + that is not necessarily NUL-terminated. */ + + for (int i = 0; i < TREE_STRING_LENGTH (str) - (len + hash_len); i++) + { + if (strncmp (TREE_STRING_POINTER (str) + i, store, len) == 0) + return true; + } + + return false; +} + /* Try to verify that the sizes and lengths of the arguments to a string manipulation function given by EXP are within valid bounds and that the operation does not lead to buffer overflow or read past the end. @@ -3839,6 +3891,13 @@ expand_builtin_memory_copy_args (tree dest, tree src, tree len, unsigned HOST_WIDE_INT max_size; unsigned HOST_WIDE_INT probable_max_size; + /* Do not emit block moves, which translate to the 'movabs' instruction on + x86_64, when SRC refers to store items. That way, store references + remain visible to the Guix GC and grafting code. See + . */ + if (store_reference_p (src)) + return NULL_RTX; + /* If DEST is not a pointer type, call the normal function. */ if (dest_align == 0) return NULL_RTX; diff --git a/gcc/gimple-fold.c b/gcc/gimple-fold.c index f30818042ee..56b592f9335 100644 --- a/gcc/gimple-fold.c +++ b/gcc/gimple-fold.c @@ -656,6 +656,8 @@ var_decl_component_p (tree var) && TREE_CODE (TREE_OPERAND (inner, 0)) == ADDR_EXPR)); } +extern bool store_reference_p (tree); + /* Return TRUE if the SIZE argument, representing the size of an object, is in a range of values of which exactly zero is valid. */ @@ -748,6 +750,9 @@ gimple_fold_builtin_memory_op (gimple_stmt_iterator *gsi, off0 = build_int_cst (build_pointer_type_for_mode (char_type_node, ptr_mode, true), 0); + if (store_reference_p (src)) + return false; + /* If we can perform the copy efficiently with first doing all loads and then all stores inline it that way. Currently efficiently means that we can load all the memory into a single integer ='2023-04-21 16:16:38 +0200'>2023-04-21tests: Fix checks for expected failures....Addresses <https://issues.guix.gnu.org/62406>. With 'set -e', a return status inverted with '!' does not cause the shell to exit immediately. Instead use '&& false' to indicate an expected failure. * tests/guix-archive.sh, tests/guix-build-branch.sh, tests/guix-build.sh, tests/guix-daemon.sh, tests/guix-download.sh, tests/guix-environment-container.sh, tests/guix-environment.sh, tests/guix-gc.sh, tests/guix-git-authenticate.sh, tests/guix-graph.sh, tests/guix-hash.sh, tests/guix-home.sh, tests/guix-pack-relocatable.sh, tests/guix-pack.sh, tests/guix-package-aliases.sh, tests/guix-package-net.sh, tests/guix-package.sh, tests/guix-refresh.sh, tests/guix-shell.sh, tests/guix-style.sh, tests/guix-system.sh: Replace uses of '! ...' with '... && false' or `test ! ...` as appropriate. Signed-off-by: Ludovic Courtès <ludo@gnu.org> Eric Bavier 2022-02-14git-authenticate: Ensure the target is a descendant of the introductory commit....Fixes a bug whereby authentication of a commit *not* descending from the introductory commit could succeed, provided the commit verifies the authorization invariant. In the example below, A is a common ancestor of the introductory commit I and of commit X. Authentication of X would succeed, even though it is not a descendant of I, as long as X is authorized according to the '.guix-authorizations' in A: X I \ / A This is because, 'authenticate-repository' would not check whether X descends from I, and the call (commit-difference X I) would return X. In practice that only affects forks because it means that ancestors of the introductory commit already contain a '.guix-authorizations' file. * guix/git-authenticate.scm (authenticate-repository): Add call to 'commit-descendant?'. * tests/channels.scm ("authenticate-channel, not a descendant of introductory commit"): New test. * tests/git-authenticate.scm ("authenticate-repository, target not a descendant of intro"): New test. * tests/guix-git-authenticate.sh: Expect earlier test to fail since 9549f0283a78fe36f2d4ff2a04ef8ad6b0c02604 is not a descendant of $intro_commit. Add new test targeting an ancestor of the introductory commit, and another test targeting the v1.2.0 commit. * doc/guix.texi (Specifying Channel Authorizations): Add a sentence. Ludovic Courtès