Pages

Tuesday, December 29, 2009

-D_PLZ_UNFORTIFY_MAH_SOURCE_KTHXBYE

More than five years ago Jakub Jelinek implemented object size checking in GCC. This feature (combined with GLIBC runtime checks) helps to detect many buffer overflows, both compile-time and run-time.  Of course, this brings some limitations to code.

Since then many distibutions (ALT Linux, Gentoo, OpenSUSE, Owl/*/Linux) turned this feature on by default. But there were those who resisted...

In February, 2007 patch from OpenSUSE was offered to Vim developers. Almost immediately it was rejected with resolution "The problem is in the compiler, so fix the compiler".

Now to the funny part.

Patch 7.2.044
Problem: Crash because of STRCPY() being over protective of the destination
size. (Dominique Pelle)
Solution: Add -D_FORTIFY_SOURCE=1 to CFLAGS. Use an intermediate variable
for the pointer to avoid a warning.


Patch 7.2.251 (after 7.2.044)
Problem: Compiler adds invalid memory bounds check.
Solution: Remove _FORTIFY_SOURCE=2 from CFLAGS. (Dominique Pelle)


Patch 7.2.316
Problem: May get multiple _FORTIFY_SOURCE arguments. (Tony Mechelynck)
Solution: First remove all these arguments and then add the one we want.
(Dominique Pelle)


I have a great citation for that case - this "won't solve the problem, only create the illusion that it works".

Heavy New Year, everyone, and double-check code that you intend to use in your usual life.

Monday, December 28, 2009

How's your stable?

Ruby is a nice language, but its community makes me sick.

On December 7, 2009, CVE-2009-4124 was fixed by SVN revision 26038. However, this fix was a bit buggy: #2463. This issue was fixed in trunk by SVN revision 26052 on December 9, 2009.

Now the funny thing. http://www.ruby-lang.org/en/downloads/ says "The current stable version is 1.9.1" and "Ruby 1.9.1-p376 (md5: ebb20550a11e7f1a2fbd6fdec2a3e0a3) Stable Version (recommended)".

For those who still don't get it: neither 1.9.1-p376 nor ruby_1_9_1 branch at all contains fix for #2463. I tried to add another issue, which was immediately closed as "duplicate of #2463".

19 days have passed so far and current recommended stable version still contains bug that nobody cares about. By the way, this bug affects Rails.

Have a nice day.

Tuesday, December 15, 2009

Unit tests? We don't need no stinkin' unit tests!

While packaging ruby-coderay for ALT Linux I ran into problem that tests just fail. Well, this is not really a problem, because we have Ruby 1.9.1 and there may be some obsolete language constructions or encoding issues. In fact, there was two issues that happen only on Ruby 1.9.x - Marshall::dump adds encoding information and output differs from expected. Other seven errors were really funny.

Seven tests fail in CSS section of HTML output. Browsing through revision history brought me to [r332] and [r329], both commited by Upstream Developer around 22 Apr 2009. Patch was obvious and commited in my repo on 29 Jul 2009.

After several months I've decided to update ruby-coderay package. There was another amazing [r372] commited on 18 Oct 2009. And fixed with another obvious patch on 09 Nov 2009.

Since Aplil 2009 only one test was fixed by [r361] on 10 Oct 2009.

Bottom line: test suite for CodeRay project has been broken for almost eight months and nobody gives a fuck. Gosh, I LOVE Free Software!

I told ya!

More than three years ago I've reported an issue about filetype detection in Vim.

Vim tries to detect filetype by file name and contents. If there were no match in builtin rules and file contains #-comment in first several lines, it's filetype is set to "conf". But then it sources additional user-provided filetype detection scripts.

There is :setfiletype command, that sets "the 'filetype' option to {filetype}, but only if not done yet in a sequence of (nested) autocommands", which can not be used for files, those filetype already set to "conf" by this fallback code.

I suggested to move loading of user-provided filetype detection scripts above this fallback code and immediately received replies that I "should never create, delete or modify any file in the $VIMRUNTIME directory tree" and "current method is correct"

Finally, new patch appears. After THREE FUCKING YEARS!

I hate them...

HATE, HATE, HATE!

I really need a place to dump all hate that accumulates inside me from time to time. Readers are allowed to dump all their hate in comments section.