Upstream codeql fixes

SECURITY.md

@@ -10,7 +10,7 @@ The following document describes various aspects of the Firedancer security prog
 
 # Bug Bounty Program
 
-Security-relevant bugs in Firedancer v0.1 should be submitted to our [Immunefi bug bounty program](https://immunefi.com/bug-bounty/firedancer/).
+Security-relevant bugs in Firedancer v0.1 should be submitted to our [Immunefi bug bounty program](https://immunefi.com/bug-bounty/Frankendancer/).
 Under the terms and conditions of the program, you may be eligible for a reward.
 
 Code outside the scope of the bug bounty program is still in development.

config/extra/with-arm.mk

@@ -30,7 +30,6 @@ endif
 
 else # CROSS=0
 
-include config/extra/with-ucontext.mk
 include config/extra/with-s2nbignum.mk
 include config/extra/with-blst.mk
 include config/extra/with-zstd.mk

config/extra/with-x86-64.mk

@@ -13,7 +13,6 @@ endif
 # -falign-loops     since Clang/LLVM 13
 
 ifndef FD_NODEPS
-include config/extra/with-ucontext.mk
 include config/extra/with-s2nbignum.mk
 include config/extra/with-blst.mk
 include config/extra/with-zstd.mk

contrib/codeql/lib/filter.qll

@@ -1,7 +1,14 @@
 /**
  * Exclude agave code and whatever else we don't want to analyze.
+ *
+ * In production databases the source root is the repo root, so Firedancer
+ * files have relative paths starting with "src/".  In CodeQL test databases
+ * the source root is the individual test directory, so the test .c files have
+ * bare filenames with no directory component.  Both cases are included.
  */
 import cpp
 predicate included(Location loc) {
-  loc.getFile().getRelativePath().prefix(4) = "src/"
+  loc.getFile().getRelativePath().prefix(4) = "src/" or
+  // Test databases: bare filename with no leading directory.
+  not loc.getFile().getRelativePath().matches("%/%")
 }

contrib/codeql/src/nightly/ImplicitIntegerTruncation.ql

@@ -0,0 +1,42 @@
+/**
+ * @name Implicit integer truncation
+ * @description An integer value is implicitly narrowed to a shorter integer type
+ *              without an explicit cast. This can cause silent data loss.
+ *              Under -Werror=all, GCC 8.3 rejects these conversions even for
+ *              small integer literals (e.g. uchar x[2] = {3,4}).
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @id firedancer-io/implicit-integer-truncation
+ * @tags reliability
+ *       correctness
+ *       types
+ */
+
+import cpp
+import filter
+
+/**
+ * Holds if expression `e` is implicitly converted from integral type `fromType`
+ * to the narrower integral type `toType` without an explicit cast.
+ *
+ * Note: integer promotion artifacts are included (e.g. `uchar c = a + b` where
+ * `a + b` has type `int` due to promotion). These may be numerous; add explicit
+ * casts (e.g. `(uchar)(a + b)`) to suppress individual findings.
+ */
+predicate implicitIntegerTruncation(Expr e, IntegralType fromType, IntegralType toType) {
+  not e.hasExplicitConversion() and
+  not e.isInMacroExpansion() and
+  fromType = e.getType().getUnderlyingType() and
+  toType = e.getConversion().getType().getUnderlyingType() and
+  not fromType instanceof BoolType and
+  not toType instanceof BoolType and
+  toType.getSize() < fromType.getSize()
+}
+
+from Expr e, IntegralType fromType, IntegralType toType
+where
+  implicitIntegerTruncation(e, fromType, toType) and
+  included(e.getLocation())
+select e,
+  "Implicit truncation from " + fromType.getName() + " to " + toType.getName() + "."

contrib/codeql/test/query-tests/ImplicitIntegerTruncation/ImplicitIntegerTruncation.c

@@ -0,0 +1,79 @@
+typedef unsigned char uchar;
+typedef unsigned short ushort;
+typedef unsigned int uint;
+typedef unsigned long ulong;
+
+// ── Return-value truncation ────────────────────────────────────────────────
+
+uchar ret_as_uchar(ulong x) {
+    return x; // $ Alert
+}
+
+ushort ret_as_ushort(ulong x) {
+    return x; // $ Alert
+}
+
+uint ret_as_uint(ulong x) {
+    return x; // $ Alert
+}
+
+// ── Variable initialisation ────────────────────────────────────────────────
+
+void init_vars(ulong big) {
+    uchar  a = big;  // $ Alert
+    ushort b = big;  // $ Alert
+    uint   c = big;  // $ Alert
+
+    // Explicit casts – no alert
+    uchar  d = (uchar)big;   // NO Alert
+    ushort e = (ushort)big;  // NO Alert
+    uint   f = (uint)big;    // NO Alert
+
+    // Widening – no alert
+    ulong g = c;             // NO Alert
+    ulong h = b;             // NO Alert
+    ulong i = a;             // NO Alert
+    (void)(d + e + f + g + h + i);
+}
+
+// ── Integer literal narrowing (GCC 8.3 compile-failure case) ──────────────
+// int literals are widened to `int` by the C standard before assignment,
+// which is an implicit truncation to `uchar`/`ushort`.
+
+void literal_narrow(void) {
+    uchar  x = 3;    // $ Alert
+    ushort y = 300;  // $ Alert
+    (void)(x + y);
+}
+
+// ── ulong literal narrowing (patterns from real codebase) ─────────────────
+// e.g. `uchar x = 0UL` or `uchar x = 64UL` — ulong suffix makes this a
+// ulong→uchar implicit truncation.
+
+void ulong_literal_narrow(void) {
+    uchar a = 0UL;   // $ Alert
+    uchar b = 64UL;  // $ Alert
+    (void)(a + b);
+}
+
+// ── Function-call argument truncation ─────────────────────────────────────
+
+void takes_ushort(ushort x);
+
+void call_with_ulong(ulong big) {
+    takes_ushort(big); // $ Alert
+}
+
+// ── Struct-member assignment ───────────────────────────────────────────────
+
+struct narrow_fields {
+    ushort x;
+    uchar  y;
+};
+
+void assign_members(ulong big) {
+    struct narrow_fields s;
+    s.x = big;        // $ Alert
+    s.y = big;        // $ Alert
+    s.x = (ushort)big; // NO Alert
+}

contrib/codeql/test/query-tests/ImplicitIntegerTruncation/ImplicitIntegerTruncation.expected

@@ -0,0 +1,13 @@
+| ImplicitIntegerTruncation.c:9:12:9:12 | x | Implicit truncation from unsigned long to unsigned char. |
+| ImplicitIntegerTruncation.c:13:12:13:12 | x | Implicit truncation from unsigned long to unsigned short. |
+| ImplicitIntegerTruncation.c:17:12:17:12 | x | Implicit truncation from unsigned long to unsigned int. |
+| ImplicitIntegerTruncation.c:23:16:23:18 | big | Implicit truncation from unsigned long to unsigned char. |
+| ImplicitIntegerTruncation.c:24:16:24:18 | big | Implicit truncation from unsigned long to unsigned short. |
+| ImplicitIntegerTruncation.c:25:16:25:18 | big | Implicit truncation from unsigned long to unsigned int. |
+| ImplicitIntegerTruncation.c:44:16:44:16 | 3 | Implicit truncation from int to unsigned char. |
+| ImplicitIntegerTruncation.c:45:16:45:18 | 300 | Implicit truncation from int to unsigned short. |
+| ImplicitIntegerTruncation.c:54:15:54:17 | 0 | Implicit truncation from unsigned long to unsigned char. |
+| ImplicitIntegerTruncation.c:55:15:55:18 | 64 | Implicit truncation from unsigned long to unsigned char. |
+| ImplicitIntegerTruncation.c:64:18:64:20 | big | Implicit truncation from unsigned long to unsigned short. |
+| ImplicitIntegerTruncation.c:76:11:76:13 | big | Implicit truncation from unsigned long to unsigned short. |
+| ImplicitIntegerTruncation.c:77:11:77:13 | big | Implicit truncation from unsigned long to unsigned char. |

contrib/codeql/test/query-tests/ImplicitIntegerTruncation/ImplicitIntegerTruncation.qlref

@@ -0,0 +1,2 @@
+query: ImplicitIntegerTruncation.ql
+postprocess: InlineExpectationsTestQuery.ql

contrib/codeql/test/query-tests/LargeMemset/LargeMemset.expected

@@ -1,4 +1,4 @@
 | LargeMemset.c:34:5:34:10 | call to memset | This call to memset has a $@ (11 MB) that is larger than 10 MB. | LargeMemset.c:34:33:34:48 | ... * ... | size argument |
-| LargeMemset.c:35:5:35:13 | call to fd_memset | This call to memset has a $@ (11 MB) that is larger than 10 MB. | LargeMemset.c:35:36:35:53 | ... * ... | size argument |
+| LargeMemset.c:35:5:35:13 | call to fd_memset | This call to fd_memset has a $@ (11 MB) that is larger than 10 MB. | LargeMemset.c:35:36:35:53 | ... * ... | size argument |
 | LargeMemset.c:36:5:36:10 | call to memset | This call to memset has a $@ (11 MB) that is larger than 10 MB. | LargeMemset.c:36:33:36:53 | sizeof(huge_region_t) | size argument |
-| LargeMemset.c:37:5:37:13 | call to fd_memset | This call to memset has a $@ (11 MB) that is larger than 10 MB. | LargeMemset.c:37:36:37:56 | sizeof(huge_region_t) | size argument |
+| LargeMemset.c:37:5:37:13 | call to fd_memset | This call to fd_memset has a $@ (11 MB) that is larger than 10 MB. | LargeMemset.c:37:36:37:56 | sizeof(huge_region_t) | size argument |

contrib/codeql/test/query-tests/TrivialMemcpy/TrivialMemcpy.expected

@@ -1,15 +1,15 @@
-| TrivialMemcpy.c:57:5:57:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.foo * |
-| TrivialMemcpy.c:58:5:58:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.foo * |
-| TrivialMemcpy.c:59:5:59:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.foo * |
-| TrivialMemcpy.c:61:5:61:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.foo * |
-| TrivialMemcpy.c:62:5:62:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.foo * |
-| TrivialMemcpy.c:63:5:63:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.foo * |
-| TrivialMemcpy.c:67:5:67:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.with_array * |
-| TrivialMemcpy.c:68:5:68:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.with_array * |
-| TrivialMemcpy.c:69:5:69:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.with_array * |
-| TrivialMemcpy.c:71:5:71:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.with_array * |
-| TrivialMemcpy.c:72:5:72:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.with_array * |
-| TrivialMemcpy.c:73:5:73:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.with_array * |
-| TrivialMemcpy.c:89:5:89:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.foo * |
-| TrivialMemcpy.c:92:5:92:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.foo * |
-| TrivialMemcpy.c:93:5:93:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.foo * |
+| TrivialMemcpy.c:55:5:55:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.foo * |
+| TrivialMemcpy.c:56:5:56:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.foo * |
+| TrivialMemcpy.c:57:5:57:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.foo * |
+| TrivialMemcpy.c:59:5:59:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.foo * |
+| TrivialMemcpy.c:60:5:60:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.foo * |
+| TrivialMemcpy.c:61:5:61:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.foo * |
+| TrivialMemcpy.c:65:5:65:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.with_array * |
+| TrivialMemcpy.c:66:5:66:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.with_array * |
+| TrivialMemcpy.c:67:5:67:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.with_array * |
+| TrivialMemcpy.c:69:5:69:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.with_array * |
+| TrivialMemcpy.c:70:5:70:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.with_array * |
+| TrivialMemcpy.c:71:5:71:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.with_array * |
+| TrivialMemcpy.c:87:5:87:10 | call to memcpy | Call to memcpy could be rewritten as an assignment.foo * |
+| TrivialMemcpy.c:90:5:90:13 | call to fd_memcpy | Call to fd_memcpy could be rewritten as an assignment.foo * |
+| TrivialMemcpy.c:91:5:91:20 | call to __builtin_memcpy | Call to __builtin_memcpy could be rewritten as an assignment.foo * |

deps.sh

@@ -243,10 +243,12 @@ check_alpine_pkgs () {
     build-base       # C/C++ compiler
     curl             # download rustup
     linux-headers    # base dependency
-    libucontext-dev  # base dependency
     patch            # build system
     zstd             # build system
     gzip             # build system
+    grep             # build system
+    make             # build system
+    perl             # OpenSSL
   )
   if [[ $DEVMODE == 1 ]]; then
     REQUIRED_APKS+=( autoconf automake bison flex gettext perl protobuf-dev )

src/app/fdctl/Local.mk

@@ -18,9 +18,12 @@ $(OBJDIR)/obj/app/fdctl/version.d: src/app/fdctl/version.h
 # Always generate a version file
 include src/app/fdctl/version.h
 
+# version
+$(call make-lib,fdctl_version)
+$(call add-objs,version,fdctl_version)
+
 ifdef FD_HAS_ALLOCA
 ifdef FD_HAS_DOUBLE
-ifdef FD_HAS_INT128
 ifdef FD_HAS_HOSTED
 
 $(OBJDIR)/obj/app/fdctl/config.o: src/app/fdctl/config/default.toml
@@ -37,10 +40,6 @@ ifdef FD_HAS_THREADS
 $(call add-objs,commands/run_agave,fd_fdctl)
 $(call add-objs,commands/set_identityh,fd_fdctl)
 
-# version
-$(call make-lib,fdctl_version)
-$(call add-objs,version,fdctl_version)
-
 $(call make-bin-rust,fdctl,main,fd_fdctl fdctl_shared fdctl_platform fd_discoh fd_disco fd_choreo agave_validator fd_flamenco fd_funk fd_quic fd_tls fd_reedsol fd_waltz fd_tango fd_ballet fd_util fdctl_version)
 
 check-agave-hash:
@@ -143,4 +142,3 @@ endif
 endif
 endif
 endif
-endif

src/app/fdctl/config/default.toml

@@ -1019,6 +1019,21 @@ dynamic_port_range = "8900-9000"
         #   back to "simple" mode if necessary.
         rss_queue_mode = "simple"
 
+        # Some specialized networking setups, including DoubleZero,
+        # deliver packets to the validator in a GRE tunnel.  By default,
+        # when using rss_queue_mode="dedicated", Firedancer ignores all
+        # GRE-wrapped traffic.  Setting listen_gre = true causes
+        # Firedancer to install an ethtool 'ntuple' rule routing GRE
+        # traffic to a Firedancer net tile, enabling Firedancer to see
+        # GRE-wrapped traffic.  Unfortunately, few NICs are compatible
+        # with this class of rule, but ConnectX NICs (mlx5) are known to
+        # support listen_gre = true.  If your NIC does not support the
+        # rule and you must use GRE tunnels, set rss_queue_mode =
+        # "simple".  If rss_queue_mode is simple, this option is
+        # ignored, and Firedancer automatically listens to GRE-wrapped
+        # traffic when a GRE tunnel interface is configured.
+        listen_gre = false
+
         # Enable native network bonding support.
         #
         # If native_bond is set to 'true' and [net.interface] is a 'bond'

src/app/fddev/Local.mk

@@ -2,7 +2,6 @@ ifdef FD_HAS_HOSTED
 ifdef FD_HAS_LINUX
 ifdef FD_HAS_ALLOCA
 ifdef FD_HAS_DOUBLE
-ifdef FD_HAS_INT128
 
 .PHONY: fddev run monitor
 
@@ -42,4 +41,3 @@ endif
 endif
 endif
 endif
-endif