There are many places where SafeString abuses the meaning of ASSERT. A couple of examples: - AsciiStrToGuid will ASSERT when the length of the passed string is odd - AsciiStrCatS will ASSERT when the appended string does not fit the buffer This is absolutely ridiculous and defeats the purpose of these functions. We cannot pass untrusted data to them in DEBUG builds, as they will ASSERT and halt the CPU. This means that the caller must reimplement half of SafeString to be able to use it, which is simply not worth the effort. Clearly the designers missed something here, as ASSERT is an invariant that implies misuse of the function. It is not a way to perform error checking, this is what e.g. function return code is for. Given how long-standing the problem is and the apparent release of next EDK II stable tag I request this to be addressed in the nearest future. Disabling ASSERT'ions entirely in SAFE_STRING_CONSTRAINT_CHECK calls may cease some use case of other teams. For this reason we suggest to make an enabled by default compile-time PCD that will enable ASSERTIONS. Sample implementation follows: #define SAFE_STRING_CONSTRAINT_CHECK(Expression, Status) \ do { \ if (PcdGetBool (PcdAssertOnSafeStringConstraints)) { \ ASSERT (Expression); \ } \ if (!(Expression)) { \ return Status; \ } \ } while (FALSE) If there are no objections we can submit a patch if necessary, although it may be faster for someone from the core team to make this simple change.
Bug Triage: Jiewen, please have a look and discuss this with the submitter to provide direction for the person who will work on this bug.
Patch submitted: https://edk2.groups.io/g/devel/message/49255 Requesting for merge in edk2-stable2019011.
V2 patch submitted changing the defaults to TRUE to preserve the original behaviour: https://edk2.groups.io/g/devel/message/49327
Actually had some unprintable symbols in the reference link, fixed in V3: https://edk2.groups.io/g/devel/message/49330
Created attachment 421 [details] V3 patch Hrm, the patch is clean, but for some reason mail server (or devel.io) adds "3D" to the link. Attached the raw V3 file to this message just in case.
change owner to vit9696@protonmail.com
* [edk2-devel] [PATCH V4 00/27] Disabling safe string constraint assertions http://mid.mail-archive.com/20200511154121.3878-1-cheptsov@ispras.ru https://edk2.groups.io/g/devel/message/59101 * [edk2-devel] [PATCH V5 00/27] Disabling safe string constraint assertions http://mid.mail-archive.com/20200512170237.19796-1-cheptsov@ispras.ru https://edk2.groups.io/g/devel/message/59310 * [edk2-devel] [PATCH V6 0/1] Disable safe string constraint assertions http://mid.mail-archive.com/20200514092537.29609-1-cheptsov@ispras.ru https://edk2.groups.io/g/devel/message/59524 * [edk2-devel] [PATCH V7 0/1] Disable safe string constraint assertions http://mid.mail-archive.com/20200514173131.38072-1-cheptsov@ispras.ru https://edk2.groups.io/g/devel/message/59578
* [Patch v8 0/2] Disable safe string constraint assertions https://edk2.groups.io/g/devel/message/59916 * [Patch v9 0/2] Disable safe string constraint assertions https://edk2.groups.io/g/devel/message/59993
Final design removes ASSERT() from the SAFE_STRING_CONSTRAINT_CHECK() without a PCD to enable/disable the ASSERT() condition. A DEBUG_VERBOSE message is added if a SAFE_STRING_CONSTRAINT_CHECK() fails. In addition, a unit test is added to verify that no ASSERT()s are triggered when bad inputs are present in a safe string function and that the expected DEBUG_VERBOSE message is generated.
Pull Request: https://github.com/tianocore/edk2/pull/643 Commits: https://github.com/tianocore/edk2/commit/1c877c716038a862e876cac8f0929bab4a96e849 https://github.com/tianocore/edk2/commit/09fe015af9c5d26b99c9f2e775decdf5489b1037
