--PK
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFA1CWu73s0T9y-E7NFxicJzvBmbKb6h%2BXJGujiY1_S3eA%40mail.gmail.com.
On Tue, Mar 21, 2023 at 10:05 PM 'Peter Kasting' via cxx <c...@chromium.org> wrote:On Tue, Mar 21, 2023 at 6:22 PM David Benjamin <davi...@chromium.org> wrote:After we've enabled libc++'s safe mode, and updated past https://reviews.llvm.org/D145981, I believe libc++ now contains every safety check currently contained in absl::string_view and base::StringPiece. (See CL descriptions in links below for a breakdown.) I'd like to discuss switching one or both types to std::string_view.I put together some notes here, and some links to CLs:Pros:
- -90KiB binary
- 2 -> 1 vocabulary types (simplifies things if we ever re-fork someday)
- Stricter about ADL and (eventually) IWYU
- Kills StringPieceHash
Cons:
- Would require re-forking if in the future we want to change string_view in a way that cannot be upstreamed to libc++
IMO, clear win, +1We have no means to use raw_ptr in std::string_view, do we?
(Somewhat of a tangent, but are we expecting to use raw_ptr for stack variables? I would guess most StringPieces are on the stack, rather than on the heap. Putting raw_ptr in there would mean applying it to a bunch of stack values.)
David
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFBDoG_kE2s0K0VH9QvqjtJsR%2BJFjmLtZji9jt_aVqGk2g%40mail.gmail.com.
On Tue, Mar 21, 2023 at 6:22 PM David Benjamin <davi...@chromium.org> wrote:After we've enabled libc++'s safe mode, and updated past https://reviews.llvm.org/D145981, I believe libc++ now contains every safety check currently contained in absl::string_view and base::StringPiece. (See CL descriptions in links below for a breakdown.) I'd like to discuss switching one or both types to std::string_view.I put together some notes here, and some links to CLs:Pros:
- -90KiB binary
- 2 -> 1 vocabulary types (simplifies things if we ever re-fork someday)
- Stricter about ADL and (eventually) IWYU
- Kills StringPieceHash
Cons:
- Would require re-forking if in the future we want to change string_view in a way that cannot be upstreamed to libc++
IMO, clear win, +1PK
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFA1CWu73s0T9y-E7NFxicJzvBmbKb6h%2BXJGujiY1_S3eA%40mail.gmail.com.
Roland Bock
Software Engineering Manager
Google Germany GmbH
Erika-Mann-Straße 33
80636 München
Geschäftsführer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.
The above terms reflect a potential business arrangement, are provided solely as a basis for further discussion, and are not intended to be and do not constitute a legally binding obligation. No legally binding obligations will be created, implied, or inferred until an agreement in final form is executed in writing by all parties involved.
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFDsbNTH%2Bknn2k88EyTvaXjmQsOj_CG6kRj8sKKtn0ne2A%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAHtyhaR466w2B-1TPsvdTd9ZtYMmXm6wYDxUe02GJak17hZKMA%40mail.gmail.com.
That means string_view should be roughly similar to StringPiece for Google Chrome, though not for all Chromiums.
While libc++ gives us some room to do things internally, they do not allow us to change API. Any small API change would require first the large burden of (re-)introducing a different first-party type after this change.
I am not in favour of giving away our leverage over our vocabulary types as a general principle given:- how the standards committee is treating safety,- the commitment to 100% backward compat from the committee,- the fact that while we sometimes act otherwise, libc++ is not actually part of Chromium.
On Wed, Apr 5, 2023 at 11:46 AM <dan...@chromium.org> wrote:That means string_view should be roughly similar to StringPiece for Google Chrome, though not for all Chromiums.I'm not sure what the last clause here means. I'm assuming this has something to do with the libc++ vs. libstdc++ distinction; maybe "libstdc++ may not be built with similar hardening asserts"? It's possible libstdc++ has assertions like libc++'s, and that we should tweak our .gn files so that if people are linking with that we #define the relevant things by default. I do think that since gcc/libstdc++ are "community-supported" that this falls into the "we would take patches for this but wouldn't necessarily do it ourselves" bucket, and transitively, I think that means we shouldn't have it as a factor to _not_ use libc++ here.
This proposal feels a bit stalled and I'd like to try to reach a conclusion.
- Migrate StringPiece to a new repo, assuming BoringSSL, QUICHE, etc. can depend on it. (Need answers to policy, plan, maintenance)
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFDOMkLi%3Dv3Qm4M9v3tyr%3Dzam_U2xiPe3LxyzUAY2ThkOQ%40mail.gmail.com.
I feel like that repo would have to be Abseil, since that's what all other Google C++ projects use for their vocabulary types.
For string_view, I feel like the ship has sailed when StringPiece -> string_view migration was decided.
That said, I'm happy to accept a library, including an implementation of `std`, that can pass whatever security and/or efficiency tests we deem necessary. Passing the tests may be contingent on aspects of build configuration, as with libc++ and Abseil. That is OK as long as we ship to production only with the passing build configuration.
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAZdMaesTMegFxFKQdf0RT5VzNwgS80_UMiLLvTCn65FqfV%3DAQ%40mail.gmail.com.
Two questions for clarity:On Thu, Apr 6, 2023 at 12:13 PM Victor Vasiliev <vas...@google.com> wrote:I feel like that repo would have to be Abseil, since that's what all other Google C++ projects use for their vocabulary types.Can you define "have to be"? Is this "would be a good idea" or "my project formally cannot take a dependency on a vocabulary type repo that is not Abseil"? I don't think anyone would contest that Abseil would be a nice place to have various things, but it also has many non-Chromium consumers (and goals, and OWNERS), and it's not clear it's a much better solution for Dana/Chris' concerns than the STL implementations.
For string_view, I feel like the ship has sailed when StringPiece -> string_view migration was decided.You mean, the Google StringPiece -> Abseil string_view internal migration? Note that internally Google is already using the "absl::string_view is just a wrapper for std::string_view" route, while for the non-wrapper impl Abseil differs from std:: in ways Chromium can't work with (e.g. not based on a basic_string_view so no string16_view). Abseil is willing to consider a reimplementation of absl::string_view that is more like base::StringPiece, but to date we've not considered making that happen to be worth the effort (since it would require supporting all compilers and C++ versions Abseil supports).
I want to avoid us ratholing on the hardening issue.
Hardening the implementation of stdlibs prevents some bugs but it does not go far enough because the APIs are fixed in time and cause UB, or cause significant performance cost to catch UB which we can not pay. Having control of our APIs allows us to consider and make changes that improve our software development from a security and stability perspective that we could not otherwise.
(Sorry for the late response, I've been OOO.)So, I started this thread to talk about two things:1. Make absl::string_view a typedef for std::string_view2. Make base::StringPiece a typedef for std::string_viewI'd hoped to do them together to avoid the extra work of setting up an intermediate state, but it sounds like (2) is a bit controversial. :-) I don't think anything said in the thread so far applies to absl::string_view. Does anyone have a reason not to do (1)? If not, I'll polish off https://crrev.com/c/4295063Okay, onto the more exciting one. :-)Strong agreement to focus on std::string_view here. The STL isn't uniform, and our decisions on it should not be uniform. Many considerations are common---the cost of forked vocabulary types vs. the costs of staying within the constraints the STL imposes---but those costs will vary by the type. Something like string_view will appear at API boundaries far more often than unordered_map. STL APIs also vary in what API mistakes they've made. string_view is "just" manipulating a ptr/len pair, while unordered_map and deque made some unfortunate pointer stability promises.This is a trade-off between costs. The broader STL context is useful to have in mind, but we need to get back to specifics when we evaluate these tradeoffs. For specifically std::string_view, provided we enable hardening to fix the spatial safety UB (which we've done), I'd argue there's not a whole lot of constraints we're incurring. Conversely, std::string_view is very, very much an API boundary type, so the costs of forking it are higher than most STL types. Moreover, unlike span, string_view/StringPiece cannot be constructed out of any container with data()/size(), so different string_view implementations do not implicitly convert between each other the way spans do.
Conversely, I'm not proposing that we replace base::Time with std::chrono. :-)To respond to a few things up the thread:> or consider pushing some vocab types into a third_party library, as these feel like more durable strategies to me.That may help some external libraries, but not all. Adding dependencies gets more expensive the deeper in the dep tree you are. For BoringSSL, where we're moving Chromium's certificate verifier, we're used in enough places that I cannot see us depending on such a library. We don't even depend on Abseil right now, and that'd be the easiest dep for us to add, due to how much Google stuff already uses it. It sounds like QUICHE would face similar tensions.> In the meantime, here are not-mutually-exclusive actions we could take:
> * Fix the ADL and IWYU errors we can identify.
> * Use NOINLINE and/or generalized inliner heuristic improvements/flag changes to replicate the std:: binary size win.
> * Change our .gn flags and instructions to enable libstdc++ hardening. Maybe run tests/set up bots to ensure we get the same level/quality of hardening as libc++.
> * Migrate to the std:: type but leave everything as a Chromium-side type alias to facilitate later forking.
> * Build string_view_for_fields that uses raw_ptr<>, and rewrite field usage of string_view.
> * Work with libc++ upstream (possibly also libstdc++ upstream) to propose/implement MiraclePtr support. (Needs answers to cost/benefit, "who does the work", "what's the timeframe")
> * Migrate StringPiece to a new repo, assuming BoringSSL, QUICHE, etc. can depend on it. (Need answers to policy, plan, maintenance)
> David, you're driving. What are you willing to do? What are you willing to do if you had help?The work I've done so far was mostly out of some procrastinating. I probably need to limit the additional time I spend on this. :-)I've fixed the ADL issues already. I'm happy to migrate but leave the Chromium-side type alias if that's what folks want. Though it seems an odd compromise to me. Also happy to enable libstdc++ hardening. We won't have automated testing, but that's our baseline for libstdc++ anyway. Beyond that, I would suggest a few other not-mutally-exclusive actions first:- Switch absl::string_view to std::string_view.- Instead of renaming base/strings/abseil_string_conversions.h to std_string_conversions.h or so, add implicit base::StringPiece::StringPiece(std::string_view) and base::StringPiece::operator std::string_view() conversions. This will help with some of the costs of the forked vocabulary type. (Though it doesn't eliminate them. If every project had its own string_view, it doesn't work. We're assuming the boundaries are always std::string_view, and that Chromium is an outlier in forking.)
Happy to do one or both of these if there is agreement to do it.> Hardening the implementation of stdlibs prevents some bugs but it does not go far enough because the APIs are fixed in time and cause UB, or cause significant performance cost to catch UB which we can not pay. Having control of our APIs allows us to consider and make changes that improve our software development from a security and stability perspective that we could not otherwise. For instance our span constructors take a StrictNumeric<size_t> instead of a size_t, in order to catch signed integer conversions and prevent bugs at compile time. That's one of the smallest possible API changes you can imagine, but we can't do that in libc++.The size_t conversion problem is actually one where, in two different ways, the problem we want to solve is perfectly compatible with using the STL, just not that exact solution. It's not really an API change.base::StringPiece already briefly took a CheckedNumeric<size_t> in https://crrev.com/c/4021423. But we can get the same thing without it, done in https://crrev.com/c/4300852. absl::string_view even already had that check. (They actually had it before we did, so we'd have avoided some issues had we used absl instead of base. :-) )libc++ did not have this check, but adding it was just a one line change (plus test). I landed that upstream in https://reviews.llvm.org/D145981, and it is already in Chromium. This worked because that check is API-compatible with std::string_view. std::string_view says the num characters from ptr must be valid (same as absl::string_view and base:::StringPiece. That requirement is fundamental any string-view type that accepts bare pointers), and any size_t with the high bit set cannot satisfy this requirement due to C's pointer arithmetic rules.Now, that is just CheckedNumeric. StrictNumeric is a bit more interesting. (Keep in mind that, per https://chromium-review.googlesource.com/c/chromium/src/+/4300852/comment/9a338370_b6d6e241/, we can't actually get to StrictNumeric<size_t> in base::StringPiece right now anyway.) This is ultimately about preventing C/C++'s excessive implicit integer conversions. This language bug affects more than just StringPiece, and violations are pervasive in Chromium, so we need strategies to apply the diagnostic to avoid a long slog. StrictNumeric<T> is one such strategy. But since we ultimately just want to act as if this existing warning were enabled, this is really API-compatible. std::string_view over base::StringPiece means more work to divide up responsibilities across Chromium, Clang, and libc++, but it's not fundamentally impossible. (E.g. we could add a way to target the warning in Clang. Or we could just carry a patch. We'd only need to patch 3p code as much as we'd have to for the warning anyway. Or we could find a way to do it, such as an attribute, that would be palatable to upstream libc++.)
On Thu, Apr 6, 2023 at 8:31 PM Chris Palmer <pal...@chromium.org> wrote:Yes, that is correct.(To be clear, it's my fall-back position: I do believe, for reasons like those Dana gives, that migrating away from `std::*` might likely come sooner rather than later.)But, as you say, for the moment let's worry about `string_view` specifically. I can live with a hardened and tested `std::string_view`. :)On Thu, Apr 6, 2023 at 12:37 PM Peter Kasting <pkas...@google.com> wrote:On Thu, Apr 6, 2023 at 12:28 PM Chris Palmer <pal...@chromium.org> wrote:That said, I'm happy to accept a library, including an implementation of `std`, that can pass whatever security and/or efficiency tests we deem necessary. Passing the tests may be contingent on aspects of build configuration, as with libc++ and Abseil. That is OK as long as we ship to production only with the passing build configuration.This sounds like you're saying you'd be OK migrating to std::string_view if we have hardening tests for it (which, AFAIK, we do), Google Chrome (distinct from third-party Chromium builds) passes those tests, and we are willing to migrate away from std::string_view in the future if we decide that we need additional security properties that are impractical to realize in it. Is that correct? If not please clarify :)PK
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAF8qwaDbXT%3DW%3Dgt6xOu%3D-FcN%3DkpBW%3DnN4AuLEH0i9o_GSnndmw%40mail.gmail.com.
I have pondered this this weekend.I think if Dana says there are meaningful security wins possible with our own forked string_view, we should believe it.I wonder whether "possible" and "planned, scheduled" are the same thing. My suspicion is that many areas have possible wins, but some are smaller and lower-priority than others, and this may be one of the latter. It would be good to know how likely we would be to regret using std::string_view in the next two years.The biggest factor I see in this is the cost of changing our minds in the future. Sticking with StringPiece is reasonably easy to reverse later on the Chromium side. People seem to be asserting that using string_view is harder to reverse. I question that assertion. I think using string_view in first_party code ought to be reasonably easy (not fully trivial) to reverse later; it's largely search-and-replace. The main issues I see are:
- Third-party calls that take/return something implicitly converted from/to a string_view
- Third-party APIs that take a string_view*.
- Implementations of third-party abstract interfaces that use string_view.
These seem uncommon and would all have reasonably easy workarounds for the person doing the conversion. I feel as if converting back to StringPiece ought not to take more than a day. What am I missing?
If I am correct and we have escape hatches from either decision, then we can afford to be wrong here. And in that case I would suggest taking the route that has concrete benefits immediately over the route that has potential benefits down the road.PK
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFArQv945BWypsUj-YdN4TqVDvJsrqJoy-QLzht7E84Wdg%40mail.gmail.com.
On Tue, Apr 18, 2023 at 7:10 PM 'Peter Kasting' via cxx <c...@chromium.org> wrote:The biggest factor I see in this is the cost of changing our minds in the future. Sticking with StringPiece is reasonably easy to reverse later on the Chromium side. People seem to be asserting that using string_view is harder to reverse. I question that assertion. I think using string_view in first_party code ought to be reasonably easy (not fully trivial) to reverse later; it's largely search-and-replace. The main issues I see are:
- Third-party calls that take/return something implicitly converted from/to a string_view
- Third-party APIs that take a string_view*.
- Implementations of third-party abstract interfaces that use string_view.
These seem uncommon and would all have reasonably easy workarounds for the person doing the conversion. I feel as if converting back to StringPiece ought not to take more than a day. What am I missing?The hash functions are different. Folks would start using unordered containers with transparent lookup once we have std::string_view.
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAF8qwaCGbZ0EB9AjRGnvETL58y_CuiK-cqeHuawRTqOcZuqhpA%40mail.gmail.com.
The biggest factor I see in this is the cost of changing our minds in the future. Sticking with StringPiece is reasonably easy to reverse later on the Chromium side. People seem to be asserting that using string_view is harder to reverse. I question that assertion. I think using string_view in first_party code ought to be reasonably easy (not fully trivial) to reverse later; it's largely search-and-replace. The main issues I see are:
- Third-party calls that take/return something implicitly converted from/to a string_view
- Third-party APIs that take a string_view*.
- Implementations of third-party abstract interfaces that use string_view.
These seem uncommon and would all have reasonably easy workarounds for the person doing the conversion. I feel as if converting back to StringPiece ought not to take more than a day. What am I missing?