Add VERIFY_CHECKs and documentation that flags must be 0 or 1 #1783
Conversation
furszy
left a comment
furszy
left a comment
There was a problem hiding this comment.
Wondering if it worth adding a macro for this; something like VERIFY_BOOL_ARG.
There was a problem hiding this comment.
utACK 0a6ebe0
If you want to touch this again: I like "flag must be 0 or 1." because it's so clear. It would be good to add it even to the comments in "If flag is 1..." style.
Weak Concept NACK for the reasons laid out in #1779. There, it was a Concept ~0, but here I deem the value below 0 because we don't even save lines. If we really want to improve this, then let's switch to C99 and use edit: Sorry, Concept NACK. I had typed "Concept ACK" first. |
Flags for constant-time masking rely on the values being exactly 0 or 1 rather than 0 or true. Add VERIFY_CHECKs to enforce in VERIFY builds as a preventative measure and add documentation where relevant.
john-moffett
force-pushed
the
internal_bounds_checks
branch
from
0a6ebe0 to
9fa11a7
Compare
furszy
left a comment
furszy
left a comment
There was a problem hiding this comment.
Wondering if it worth adding a macro for this; something like
VERIFY_BOOL_ARG.Weak Concept NACK for the reasons laid out in #1779. There, it was a Concept ~0, but here I deem the value below 0 because we don't even save lines.
VERIFY_BOOL_ARG(flag)is not simpler to read thanVERIFY_CHECK(flag == 0 || flag == 1). If anything, it's harder to read because it's less explicit (unless you look up the macro).
That's probably because VERIFY_BOOL_ARG is not explicit/readable enough?
My broader thought is that argument checks should come from well-named, established helpers at this point, so we don’t have to keep worrying about the raw checks in every function. We should understand what the function does just by reading its name.
Furthermore, if you push me a bit, I’d even say we should aim for a more generic mechanism for argument validation altogether (some sort of decorator), so validating args becomes a no-brainer entirely.
If we really want to improve this, then let's switch to C99 and use bool. But I'm not sure if I really want to have this discussion. :D
hehe, not planning to go that far. I just think we should focus on what actually matters and minimize the time we spend reviewing malformed input-arg checks.
It's just that spelling out the condition, as in
This is a different direction, of course. If we had macros for almost every type (or even some more clever thing, but that seems difficult in C89), then the tiny disadvantage of Still, the raw checks are mostly easy to read, and they keep the advantage of being very explicit. So I think in the current state of the code base, they make sense. |
3 participants
Flags for constant-time masking rely on the values being exactly
0or1rather than0or true (any nonzero). One function,secp256k1_fe_cmovdocuments andVERIFY_CHECKs this, but most don't.This updates the documentation and adds
VERIFY_CHECKs enforcingflag == 0 || flag == 1for:secp256k1_fe_storage_cmovsecp256k1_gej_cmovsecp256k1_ge_storage_cmovsecp256k1_scalar_cadd_bitsecp256k1_scalar_cond_negatesecp256k1_scalar_cmovsecp256k1_int_cmov