ci: run gcc 13 static analyzer #12
The `CTest` module handles `CDash` integration, which we do not use. It is not required for testing functionality.
This change simplifies the code. Also, comments have been added to highlight the code structure.
7057d3c ci: Silent Homebrew's noisy reinstall warnings (Hennadii Stepanov)

Pull request description:

Homebrew's warnings are quite noisy on the master branch:

This PR silences them to allow us to focus on any other CI infra warnings once they happen.

ACKs for top commit:
real-or-random: utACK 7057d3c

Tree-SHA512: 4dbdb459e97cb5956219214fd7407ec52fc018dba24ae945337ad5c94df510472cfc708f9f67d4df5b8e983bf4e78b2efd56533f28113b3463a1397d4d7a032a
The previous code is correct and harmless to initialize an array with a non-terminated character sequence using a string literal.

However, it requires exactly specifying the array size, which can be cumbersome. Also, GCC-15 may issue the -Wunterminated-string-initialization warning. [1]

Fix both issues by using array initialization. This refactoring commit does not change behavior.

[1] Example warning:

```
src/modules/schnorrsig/main_impl.h:48:46: error: initializer-string for array of 'unsigned char' is too long [-Werror=unterminated-string-initialization]
   48 | static const unsigned char bip340_algo[13] = "BIP0340/nonce";
      |                                              ^~~~~~~~~~~~~~~
```
fa67b67 refactor: Use array initialization for unterminated strings (MarcoFalke) e34b476 ci: Bump GCC_SNAPSHOT_MAJOR to 15 (maflcko) Pull request description: Follow-up to bitcoin-core#1313 Clang should silently follow the `main` devel branch, but GCC needs to be bumped manually. ACKs for top commit: hebasto: ACK fa67b67, I have reviewed the code and it looks OK. real-or-random: utACK fa67b67 Tree-SHA512: e76371e5b1ff259ec501671872352c0d46d34a96aadae04e6ee37f9457308412e18010e724df667a15c3a85997a16da191f50cd3a01ee3f20d5f16b5893d179a
… comment 9b0f37b fix: remove duplicate 'the' from header file comment (Epic Curious) Pull request description: Replaces: ` * Changes w.r.t. the the paper:` With: ` * Changes w.r.t. the paper:` in the `include/secp256k1_ellswift.h` header file. ACKs for top commit: real-or-random: ACK 9b0f37b Tree-SHA512: a0ac153d91f0d27959d626ede116e5322fcab7e32d8e6e81bd570cbb3eae55054ab6d0310bdf963bf4fddf9792c79fad61bc90a69bc24ab5234f29e4a2763ef3
Downstream projects may include libsecp test executables in their test suites. In such cases, if a `-fsanitize=...` flag is passed via the `SECP256K1_APPEND_CFLAGS` variable, the same flag must also be passed to the linker.
…variable 421ed1b cmake: Introduce `SECP256K1_APPEND_LDFLAGS` variable (Hennadii Stepanov) Pull request description: ACKs for top commit: jonasnick: ACK 421ed1b Tree-SHA512: 044b84b86a98e30268189dc92c4b8045e146451f3849a9863eb8f99490df53f1f02ae0fc74d74dc6ede0ea0c55653c142f409c77e1967505a085f31e4c472443
…ble_,}signature` API description 292310f doc: fix typos in `secp256k1_ecdsa_{recoverable_,}signature` API description (Sebastian Falbesoner) Pull request description: This small PR fixes two small typos I noticed while looking at the pubkey recovery module (s/structured/structure/). ACKs for top commit: real-or-random: utACK 292310f Tree-SHA512: 7abda2d5b56d810fd83c7de9b018818a28fd5969f669b53b9dc0e1034428feef63a3157714f45002185b94c6c35617cab21861fa56dba51883d1326b4a1cb033
This gives the caller more control about whether the state should be cleaned (= should be considered secret). Moreover, it gives the caller the possibility to clean a hash struct without finalizing it.
Quoting sipa (see bitcoin-core#1479 (comment)): "When performing an EC multiplication A = aG for secret a, the resulting _affine_ coordinates of A are presumed to not leak information about a (ECDLP), but the same is not necessarily true for the Jacobian coordinates that come out of our multiplication algorithm." For the ECDH point multiplication result, the result in Jacobi coordinates should be cleared not only to avoid leaking the scalar, but even more so as it's a representation of the resulting shared secret.
… names

87384f5 cmake, test: Add `secp256k1_` prefix to test names (Hennadii Stepanov)

Pull request description:

This PR improves regex matching options when using `ctest` in downstream projects, such as Bitcoin Core.

For instance, downstream project users can filter their tests like that:
```
ctest --tests-regex "secp256k1"
```
or
```
ctest --exclude-regex "secp256k1"
```

A `ctest` log with this PR:
```
$ ctest --test-dir build -j 16
Internal ctest changing into directory: /home/hebasto/git/secp256k1/secp256k1/build
Test project /home/hebasto/git/secp256k1/secp256k1/build
    Start 1: secp256k1_noverify_tests
    Start 2: secp256k1_tests
    Start 3: secp256k1_exhaustive_tests
    Start 4: secp256k1_ecdsa_example
    Start 5: secp256k1_ecdh_example
    Start 6: secp256k1_schnorr_example
    Start 7: secp256k1_ellswift_example
    Start 8: secp256k1_musig_example
1/8 Test #4: secp256k1_ecdsa_example .......... Passed 0.00 sec
2/8 Test #5: secp256k1_ecdh_example ........... Passed 0.00 sec
3/8 Test #6: secp256k1_schnorr_example ........ Passed 0.00 sec
4/8 Test #7: secp256k1_ellswift_example ....... Passed 0.00 sec
5/8 Test #8: secp256k1_musig_example .......... Passed 0.00 sec
6/8 Test #3: secp256k1_exhaustive_tests ....... Passed 6.19 sec
7/8 Test #1: secp256k1_noverify_tests ......... Passed 38.83 sec
8/8 Test #2: secp256k1_tests .................. Passed 91.66 sec

100% tests passed, 0 tests failed out of 8

Total Test time (real) = 91.67 sec
```

ACKs for top commit:
theuni: utACK 87384f5
real-or-random: utACK 87384f5

Tree-SHA512: d8e46558cf58c9c660544b7bdfed24c991eb3e120b6511aa3968f509190130e498749a3c4dbabc87a7f22f0aa0056c6bcd3fc6c44f5eb131588945d593546840
The number of test iterations in the CI remains unchanged. Additionally, the minimum iteration count to enable the `test_ecmult_constants_2bit` test is adjusted from 35 to 16, so it is run by default.
0f73caf test, ci: Lower default iteration count to 16 (Hennadii Stepanov)

Pull request description:

The number of test iterations in the CI remains the same.

Resolves bitcoin-core#1561.

```
$ ./build/src/tests
test count = 16
random seed = 59ea2b21267ec0ef0b4d13821292489f
random run = 2936c044f82c7598a866869b9d954d42
no problems found
```

ACKs for top commit:
sipa: utACK 0f73caf
jonasnick: ACK 0f73caf

Tree-SHA512: 84b265dc5d2780b3ea0a38f50ac8871d850ef2c97f33a0a5816baf20ac71c01db8b85696b343b089d7116d9cdb9450a6ca668229d95e54a39920d0e91a3127b3
694342f Name public API structs (Ava Chow) Pull request description: Closes bitcoin-core#1627 ACKs for top commit: real-or-random: utACK 694342f jonasnick: ACK 694342f Tree-SHA512: 4e03d97e7c072fc7ddefe3f679878aa8a806f3f557a736c9a1b9137972798c953cb21b91491d65f7ba5d75d7119e3224ce60309a0ff93fcf9a64b57b4a426655
…ized out (revival of bitcoin-core#636)

765ef53 Clear _gej instances after point multiplication to avoid potential leaks (Sebastian Falbesoner)
349e6ab Introduce separate _clear functions for hash module (Tim Ruffing)
99cc9fd Don't rely on memset to set signed integers to 0 (Tim Ruffing)
97c57f4 Implement various _clear() functions with secp256k1_memclear() (Tim Ruffing)
9bb368d Use secp256k1_memclear() to clear stack memory instead of memset() (Tim Ruffing)
e3497bb Separate between clearing memory and setting to zero in tests (Tim Ruffing)
d79a6cc Separate secp256k1_fe_set_int( . , 0 ) from secp256k1_fe_clear() (Tim Ruffing)
1c08126 Add secp256k1_memclear() for clearing secret data (Tim Ruffing)
e7d3844 Don't clear secrets in pippenger implementation (Tim Ruffing)

Pull request description:

This PR picks up bitcoin-core#636 (which in turn picked up bitcoin-core#448, so this is take number three) and is essentially a rebase on master.

Some changes to the original PR:
* the clearing function now has the `secp256k1_` prefix again, since the related helper `_memczero` got it as well (see PR bitcoin-core#835 / commit e89278f)
* the original commit b17a7df ("Make _set_fe_int( . , 0 ) set magnitude to 0") is not needed anymore, since it was already applied in PR bitcoin-core#943 (commit d49011f)
* clearing of stack memory with `secp256k1_memclear` is now also done on modules that have been newly introduced since then, i.e. schnorr and ellswift (of course, there is still no guarantee that all places where clearing is necessary are covered)

So far I haven't looked at any disassembly and possible performance implications yet (there were some concerns expressed in bitcoin-core#636 (comment)), happy to go deeper there if this gets Concept ACKed.

The proposed method of using a memory barrier to prevent optimizing away the memset is still used in BoringSSL (where it was originally picked up from) and in the Linux Kernel, see e.g. https://github.com/google/boringssl/blob/5af122c3dfc163b5d1859f1f450756e8e320a142/crypto/mem.c#L335 and https://github.com/torvalds/linux/blob/d4560686726f7a357922f300fc81f5964be8df04/include/linux/string.h#L348 / https://github.com/torvalds/linux/blob/d4560686726f7a357922f300fc81f5964be8df04/include/linux/compiler.h#L102

Fixes bitcoin-core#185.

ACKs for top commit:
sipa: reACK 765ef53
real-or-random: ACK 765ef53

Tree-SHA512: 5a034d5ad14178c06928022459f3d4f0877d06f576b24ab07b86b3608b0b3e9273217b8309a1db606f024f3032731f13013114b1e0828964b578814d1efb2959
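The memory-barrier technique this pull request description refers to, shown as an added example that is not part of the original page and is not libsecp256k1's code. `example_memclear` and the other `example_*` names are hypothetical, the key bytes are constructed, and the inline-asm path assumes a GCC- or Clang-compatible compiler.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not secp256k1_memclear): zero `len` bytes at `ptr`
 * in a way the optimizer cannot discard as a dead store. */
static void example_memclear(void *ptr, size_t len) {
#if defined(__GNUC__) || defined(__clang__)
    /* A plain memset is fast, but when the buffer is never read again the
     * compiler may prove the stores dead and delete the whole call. */
    memset(ptr, 0, len);
    /* Empty asm statement: it takes the pointer as an input and declares a
     * "memory" clobber, so the compiler must assume the buffer is read here
     * and has to emit the stores above. No instruction is generated. */
    __asm__ __volatile__("" : : "r"(ptr) : "memory");
#else
    /* Fallback without inline asm: call memset through a volatile function
     * pointer so the compiler cannot identify the callee and elide it. */
    void *(*volatile const volatile_memset)(void *, int, size_t) = memset;
    volatile_memset(ptr, 0, len);
#endif
}

/* Returns 1 if every byte in [p, p + len) is zero, 0 otherwise. */
static int example_is_zero(const void *p, size_t len) {
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        acc |= b[i];
    }
    return acc == 0;
}

/* Constructed sample "secret": the bytes 0..31. */
static const unsigned char EXAMPLE_KEY[32] = {
     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31
};

/* Typical call site: a secret is copied to the stack, used, and the stack
 * copy is cleared before the function returns. In production code nothing
 * reads `tmp` after the clear, which is exactly the situation in which a
 * bare memset could be removed; the read-back below exists only so the
 * example can report the result. */
static unsigned example_checksum_and_wipe(const unsigned char *key32, int *wiped) {
    unsigned char tmp[32];
    unsigned sum = 0;
    size_t i;

    memcpy(tmp, key32, sizeof(tmp));
    for (i = 0; i < sizeof(tmp); i++) {
        sum += tmp[i];
    }
    example_memclear(tmp, sizeof(tmp));
    if (wiped != NULL) {
        *wiped = example_is_zero(tmp, sizeof(tmp));
    }
    return sum;
}

static unsigned example_demo_sum(void) {
    return example_checksum_and_wipe(EXAMPLE_KEY, NULL);
}

static int example_demo_wiped(void) {
    int wiped = 0;
    (void)example_checksum_and_wipe(EXAMPLE_KEY, &wiped);
    return wiped;
}

int main(void) {
    printf("checksum = %u\n", example_demo_sum());
    printf("stack copy wiped = %d\n", example_demo_wiped());
    return example_demo_wiped() ? 0 : 1;
}
```

Whether a given build keeps the stores can only be confirmed by inspecting the generated code at the optimization level actually shipped, which is the disassembly check the description mentions as still open.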
39d5dfd release: prepare for 0.6.0 (Jonas Nick) df2eceb build: add ellswift.md and musig.md to release tarball (Jonas Nick) a306bb7 tools: fix check-abi.sh after cmake out locations were changed (Jonas Nick) 145868a Do not export `secp256k1_musig_nonce_gen_internal` (Hennadii Stepanov) Pull request description: ACKs for top commit: sipa: utACK 39d5dfd real-or-random: ACK 39d5dfd mod the CI results Tree-SHA512: 9b4623ca03aafcd1e04b0809382faeb3b427d3d07062f065177c7608e4feb30abd52cb10fa8c06b7ae17a82b32455e995b6bd39e3ef6239d5fc65c78873385b0
This PR was made on top of f25094b (v0.3.0-frost-1).
Compilation at the time of submitting this PR (**v0.3.0-frost-1**), a single warning

```
make all-am
make[1]: Entering directory ''
CC src/libsecp256k1_la-secp256k1.lo
In file included from src/ecmult_gen_impl.h:14, from src/secp256k1.c:32:
src/hash_impl.h: In function 'secp256k1_sha256_write':
src/hash_impl.h:133:9: error: use of uninitialized value 'data' [CWE-457] [-Werror=analyzer-use-of-uninitialized-value]
133 | memcpy(hash->buf + bufsize, data, chunk_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'compute_binding_factors.part.0': events 1-4 | |src/modules/frost/main_impl.h:1034:41: | 1034 | static SECP256K1_WARN_UNUSED_RESULT int compute_binding_factors( | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to 'compute_binding_factors.part.0' |...... | 1049 | for (index = 0; index < num_signers; index++) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (2) following 'true' branch (when 'num_signers > index')... | 1050 | compute_binding_factor(&(binding_factors->binding_factors[index]), | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (4) calling 'compute_binding_factor' from 'compute_binding_factors.part.0' | 1051 | signing_commitments[index].index, msg32, msg_len, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | 1052 | num_signers, signing_commitments); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | +--> 'compute_binding_factor': events 5-6 | | 998 | static void compute_binding_factor( | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'compute_binding_factor' |...... | 1013 | compute_hash_h4(msg, msg_len, rho_input); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling 'compute_hash_h4' from 'compute_binding_factor' | +--> 'compute_hash_h4': events 7-8 | | 193 | static void compute_hash_h4(const unsigned char *msg, uint32_t msg_len, unsigned char *hash_value) { | | ^~~~~~~~~~~~~~~ | | | | | (7) entry to 'compute_hash_h4' |...... 
| 197 | secp256k1_sha256_write(&sha, hash_context_prefix_h4, sizeof(hash_context_prefix_h4)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling 'secp256k1_sha256_write' from 'compute_hash_h4' | +--> 'secp256k1_sha256_write': events 9-13 | |src/hash_impl.h:126:13: | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (10) following 'false' branch... |...... | 139 | if (len) { | | ~ | | | | | (11) ...to here | | (12) following 'true' branch (when 'len != 0')... | 140 | /* Fill the buffer with what remains. */ | 141 | memcpy(((unsigned char*)hash->buf) + bufsize, data, len); | | ~~~~ | | | | | (13) ...to here | <------+ | 'compute_hash_h4': events 14-15 | |src/modules/frost/main_impl.h:197:5: | 197 | secp256k1_sha256_write(&sha, hash_context_prefix_h4, sizeof(hash_context_prefix_h4)); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) returning to 'compute_hash_h4' from 'secp256k1_sha256_write' | 198 | secp256k1_sha256_write(&sha, msg, msg_len); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) calling 'secp256k1_sha256_write' from 'compute_hash_h4' | +--> 'secp256k1_sha256_write': events 16-20 | |src/hash_impl.h:126:13: | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (17) following 'false' branch... |...... | 139 | if (len) { | | ~ | | | | | (18) ...to here | | (19) following 'false' branch (when 'len == 0')... |...... 
| 143 | } | | ~ | | | | | (20) ...to here | <------+ | 'compute_hash_h4': events 21-22 | |src/modules/frost/main_impl.h:198:5: | 198 | secp256k1_sha256_write(&sha, msg, msg_len); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) returning to 'compute_hash_h4' from 'secp256k1_sha256_write' | 199 | secp256k1_sha256_finalize(&sha, hash_value); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) calling 'secp256k1_sha256_finalize' from 'compute_hash_h4' | +--> 'secp256k1_sha256_finalize': events 23-26 | |src/hash_impl.h:145:13: | 145 | static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) entry to 'secp256k1_sha256_finalize' | 146 | static const unsigned char pad[64] = {0x80}; | 147 | unsigned char sizedesc[8]; | | ~~~~~~~~ | | | | | (24) region created on stack here | | (25) capacity: 8 bytes |...... | 153 | secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) calling 'secp256k1_sha256_write' from 'secp256k1_sha256_finalize' | +--> 'secp256k1_sha256_write': events 27-31 | | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (28) following 'false' branch... |...... | 139 | if (len) { | | ~ | | | | | (29) ...to here | | (30) following 'false' branch (when 'len == 0')... |...... 
| 143 | } | | ~ | | | | | (31) ...to here | <------+ | 'secp256k1_sha256_finalize': events 32-33 | | 153 | secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) returning to 'secp256k1_sha256_finalize' from 'secp256k1_sha256_write' | 154 | secp256k1_sha256_write(hash, sizedesc, 8); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) calling 'secp256k1_sha256_write' from 'secp256k1_sha256_finalize' | +--> 'secp256k1_sha256_write': events 34-37 | | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (34) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (35) following 'true' branch... |...... | 133 | memcpy(hash->buf + bufsize, data, chunk_len); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (36) ...to here | | (37) use of uninitialized value 'data' here |
cc1: all warnings being treated as errors
make[1]: *** [Makefile:1196: src/libsecp256k1_la-secp256k1.lo] Error 1
make[1]: Leaving directory ''
make: *** [Makefile:928: all] Error 2
```

The error in turn seemed to stem from As of 2025-03-18, the current version is based on 838792f (from 2023-12-06).
Compilation log if rebasing this PR on top of **v0.3.2-frost-1** (two warnings)

```
make all-am
make[1]: Entering directory ''
CC src/libsecp256k1_la-secp256k1.lo
In file included from src/scalar_impl.h:20, from src/secp256k1.c:28:
src/scalar_4x64_impl.h: In function 'secp256k1_scalar_set_b32':
src/scalar_4x64_impl.h:136:28: error: use of uninitialized value 'b32[31]' [CWE-457] [-Werror=analyzer-use-of-uninitialized-value]
136 | r->d[0] = (uint64_t)b32[31] | (uint64_t)b32[30] << 8 | (uint64_t)b32[29] << 16 | (uint64_t)b32[28] << 24 | (uint64_t)b32[27] << 32 | (uint64_t)b32[26] << 40 | (uint64_t)b32[25] << 48 | (uint64_t)b32[24] << 56;
| ~~~^~~~
'secp256k1_frost_verify': events 1-4 | |src/modules/frost/main_impl.h:1453:48: | 1453 | SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_frost_verify( | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to 'secp256k1_frost_verify' |...... | 1463 | if (ctx == NULL || sig64 == NULL || msg32 == NULL || pubkey == NULL) { | | ~ | | | | | (2) following 'false' branch... |...... | 1468 | if (deserialize_frost_signature(&aggregated_signature, sig64) == 0) { | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | | (4) calling 'deserialize_frost_signature' from 'secp256k1_frost_verify' | +--> 'deserialize_frost_signature': events 5-8 | | 127 | static SECP256K1_WARN_UNUSED_RESULT int deserialize_frost_signature(secp256k1_frost_signature *signature, | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'deserialize_frost_signature' |...... | 131 | if (secp256k1_fe_set_b32_limit(&x, serialized_signature) == 0) { | | ~ | | | | | (6) following 'false' branch... |...... 
| 134 | if (secp256k1_ge_set_xo_var(&deserialized_point, &x, 0) == 0) { | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (7) ...to here | | (8) calling 'secp256k1_ge_set_xo_var' from 'deserialize_frost_signature' | +--> 'secp256k1_ge_set_xo_var': events 9-10 | |src/group_impl.h:280:12: | 280 | static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd) { | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) entry to 'secp256k1_ge_set_xo_var' |...... | 289 | ret = secp256k1_fe_sqrt(&r->y, &x3); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (10) calling 'secp256k1_fe_sqrt' from 'secp256k1_ge_set_xo_var' | +--> 'secp256k1_fe_sqrt': events 11-12 | |src/field_impl.h:47:12: | 47 | static int secp256k1_fe_sqrt(secp256k1_fe *r, const secp256k1_fe *a) { | | ^~~~~~~~~~~~~~~~~ | | | | | (11) entry to 'secp256k1_fe_sqrt' |...... | 78 | for (j=0; j<3; j++) { | | ~~~ | | | | | (12) following 'true' branch (when 'j != 3')... | 'secp256k1_fe_sqrt': event 13 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (13) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:79:9: note: in expansion of macro 'secp256k1_fe_sqr' | 79 | secp256k1_fe_sqr(&x6, &x6); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 14 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) ...to here | <------+ | 'secp256k1_fe_sqrt': event 15 | |src/field_impl.h:84:16: | 84 | for (j=0; j<3; j++) { | | ~^~ | | | | | (15) following 'true' branch (when 'j != 3')... 
| 'secp256k1_fe_sqrt': event 16 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (16) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:85:9: note: in expansion of macro 'secp256k1_fe_sqr' | 85 | secp256k1_fe_sqr(&x9, &x9); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 17 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) ...to here | <------+ | 'secp256k1_fe_sqrt': event 18 | |src/field_impl.h:90:16: | 90 | for (j=0; j<2; j++) { | | ~^~ | | | | | (18) following 'true' branch (when 'j != 2')... | 'secp256k1_fe_sqrt': event 19 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (19) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:91:9: note: in expansion of macro 'secp256k1_fe_sqr' | 91 | secp256k1_fe_sqr(&x11, &x11); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 20 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (20) ...to here | <------+ | 'secp256k1_fe_sqrt': event 21 | |src/field_impl.h:96:16: | 96 | for (j=0; j<11; j++) { | | ~^~~ | | | | | (21) following 'true' branch (when 'j != 11')... 
| 'secp256k1_fe_sqrt': event 22 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (22) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:97:9: note: in expansion of macro 'secp256k1_fe_sqr' | 97 | secp256k1_fe_sqr(&x22, &x22); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 23 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) ...to here | <------+ | 'secp256k1_fe_sqrt': event 24 | |src/field_impl.h:102:16: | 102 | for (j=0; j<22; j++) { | | ~^~~ | | | | | (24) following 'true' branch (when 'j != 22')... | 'secp256k1_fe_sqrt': event 25 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (25) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:103:9: note: in expansion of macro 'secp256k1_fe_sqr' | 103 | secp256k1_fe_sqr(&x44, &x44); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 26 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) ...to here | <------+ | 'secp256k1_fe_sqrt': event 27 | |src/field_impl.h:108:16: | 108 | for (j=0; j<44; j++) { | | ~^~~ | | | | | (27) following 'true' branch (when 'j != 44')... 
| 'secp256k1_fe_sqrt': event 28 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (28) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:109:9: note: in expansion of macro 'secp256k1_fe_sqr' | 109 | secp256k1_fe_sqr(&x88, &x88); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 29 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) ...to here | <------+ | 'secp256k1_fe_sqrt': event 30 | |src/field_impl.h:114:16: | 114 | for (j=0; j<88; j++) { | | ~^~~ | | | | | (30) following 'true' branch (when 'j != 88')... | 'secp256k1_fe_sqrt': event 31 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (31) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:115:9: note: in expansion of macro 'secp256k1_fe_sqr' | 115 | secp256k1_fe_sqr(&x176, &x176); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 32 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) ...to here | <------+ | 'secp256k1_fe_sqrt': event 33 | |src/field_impl.h:120:16: | 120 | for (j=0; j<44; j++) { | | ~^~~ | | | | | (33) following 'true' branch (when 'j != 44')... 
| 'secp256k1_fe_sqrt': event 34 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (34) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:121:9: note: in expansion of macro 'secp256k1_fe_sqr' | 121 | secp256k1_fe_sqr(&x220, &x220); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 35 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (35) ...to here | <------+ | 'secp256k1_fe_sqrt': event 36 | |src/field_impl.h:126:16: | 126 | for (j=0; j<3; j++) { | | ~^~ | | | | | (36) following 'true' branch (when 'j != 3')... | 'secp256k1_fe_sqrt': event 37 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (37) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:127:9: note: in expansion of macro 'secp256k1_fe_sqr' | 127 | secp256k1_fe_sqr(&x223, &x223); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 38 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (38) ...to here | <------+ | 'secp256k1_fe_sqrt': event 39 | |src/field_impl.h:134:16: | 134 | for (j=0; j<23; j++) { | | ~^~~ | | | | | (39) following 'true' branch (when 'j != 23')... 
| 'secp256k1_fe_sqrt': event 40 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (40) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:135:9: note: in expansion of macro 'secp256k1_fe_sqr' | 135 | secp256k1_fe_sqr(&t1, &t1); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 41 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (41) ...to here | <------+ | 'secp256k1_fe_sqrt': event 42 | |src/field_impl.h:138:16: | 138 | for (j=0; j<6; j++) { | | ~^~ | | | | | (42) following 'true' branch (when 'j != 6')... | 'secp256k1_fe_sqrt': event 43 | |src/field.h:95:28: | 95 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (43) inlined call to 'secp256k1_fe_impl_sqr' from 'secp256k1_fe_sqrt' src/field_impl.h:139:9: note: in expansion of macro 'secp256k1_fe_sqr' | 139 | secp256k1_fe_sqr(&t1, &t1); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_sqr': event 44 | |src/field_5x52_impl.h:357:5: | 357 | secp256k1_fe_sqr_inner(r->n, a->n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (44) ...to here | <-------------+ | 'secp256k1_ge_set_xo_var': event 45 | |src/group_impl.h:289:11: | 289 | ret = secp256k1_fe_sqrt(&r->y, &x3); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (45) returning to 'secp256k1_ge_set_xo_var' from 'secp256k1_fe_sqrt' | <------+ | 'deserialize_frost_signature': events 46-49 | |src/modules/frost/main_impl.h:134:9: | 134 | if (secp256k1_ge_set_xo_var(&deserialized_point, &x, 0) == 0) { | | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | || | | |(46) returning to 'deserialize_frost_signature' from 'secp256k1_ge_set_xo_var' | | (47) following 'false' branch... |...... 
| 137 | secp256k1_gej_set_ge(&(signature->r), &deserialized_point); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (48) ...to here | 138 | if (convert_b32_to_scalar(&serialized_signature[SERIALIZED_PUBKEY_X_ONLY_SIZE], &(signature->z)) == 0) { | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (49) calling 'convert_b32_to_scalar' from 'deserialize_frost_signature' | +--> 'convert_b32_to_scalar': events 50-51 | | 81 | static int convert_b32_to_scalar(const unsigned char *hash_value, secp256k1_scalar *output) { | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (50) entry to 'convert_b32_to_scalar' | 82 | int overflow = 0; | 83 | secp256k1_scalar_set_b32(output, hash_value, &overflow); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (51) calling 'secp256k1_scalar_set_b32' from 'convert_b32_to_scalar' | +--> 'secp256k1_scalar_set_b32': events 52-54 | |src/scalar_4x64_impl.h:134:13: | 134 | static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) { | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (52) entry to 'secp256k1_scalar_set_b32' |...... | 141 | if (overflow) { | | ~ | | | | | (53) following 'true' branch (when 'overflow' is non-NULL)... 
| 142 | *overflow = over; | | ~~~~~~~~~~~~~~~~ | | | | | (54) ...to here | <------+ | 'convert_b32_to_scalar': event 55 | |src/modules/frost/main_impl.h:83:5: | 83 | secp256k1_scalar_set_b32(output, hash_value, &overflow); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (55) returning to 'convert_b32_to_scalar' from 'secp256k1_scalar_set_b32' | <------+ | 'deserialize_frost_signature': events 56-57 | | 138 | if (convert_b32_to_scalar(&serialized_signature[SERIALIZED_PUBKEY_X_ONLY_SIZE], &(signature->z)) == 0) { | | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | || | | |(56) returning to 'deserialize_frost_signature' from 'convert_b32_to_scalar' | | (57) following 'false' branch... | 'deserialize_frost_signature': event 58 | |cc1: | (58): ...to here | <------+ | 'secp256k1_frost_verify': events 59-62 | | 1468 | if (deserialize_frost_signature(&aggregated_signature, sig64) == 0) { | | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | || | | |(59) returning to 'secp256k1_frost_verify' from 'deserialize_frost_signature' | | (60) following 'false' branch... |...... | 1473 | deserialize_point(&group_pubkey, pubkey->group_public_key); | | ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (61) ...to here | 1474 | compute_challenge(&challenge, msg32, 32, &group_pubkey, &(aggregated_signature.r)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (62) calling 'compute_challenge' from 'secp256k1_frost_verify' | +--> 'compute_challenge': events 63-65 | | 940 | static void compute_challenge(secp256k1_scalar *challenge, | | ^~~~~~~~~~~~~~~~~ | | | | | (63) entry to 'compute_challenge' |...... | 944 | unsigned char buf[SCALAR_SIZE]; | | ~~~ | | | | | (64) region created on stack here |...... 
| 949 | serialize_point_xonly(group_commitment, rx); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (65) calling 'serialize_point_xonly' from 'compute_challenge' | +--> 'serialize_point_xonly': events 66-67 | | 108 | static void serialize_point_xonly(const secp256k1_gej *point, unsigned char *output) { | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (66) entry to 'serialize_point_xonly' | 109 | secp256k1_ge commitment; | 110 | secp256k1_ge_set_gej_safe(&commitment, point); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (67) calling 'secp256k1_ge_set_gej_safe' from 'serialize_point_xonly' | +--> 'secp256k1_ge_set_gej_safe': event 68 | | 43 | static void secp256k1_ge_set_gej_safe(secp256k1_ge *r, const secp256k1_gej *a) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (68) entry to 'secp256k1_ge_set_gej_safe' | 'secp256k1_ge_set_gej_safe': event 69 | |src/field.h:99:28: | 99 | # define secp256k1_fe_inv secp256k1_fe_impl_inv src/modules/frost/main_impl.h:47:5: note: in expansion of macro 'secp256k1_fe_inv' | 47 | secp256k1_fe_inv(&tmp.z, &a->z); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_inv': events 70-71 | |src/field_5x52_impl.h:490:13: | 490 | static void secp256k1_fe_impl_inv(secp256k1_fe *r, const secp256k1_fe *x) { | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (70) entry to 'secp256k1_fe_impl_inv' |...... | 496 | secp256k1_modinv64(&s, &secp256k1_const_modinfo_fe); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (71) calling 'secp256k1_modinv64' from 'secp256k1_fe_impl_inv' | +--> 'secp256k1_modinv64': events 72-75 | |src/modinv64_impl.h:592:13: | 592 | static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo) { | | ^~~~~~~~~~~~~~~~~~ | | | | | (72) entry to 'secp256k1_modinv64' |...... | 602 | for (i = 0; i < 10; ++i) { | | ~~~~~~ | | | | | (73) following 'true' branch (when 'i != 10')... |...... 
| 605 | zeta = secp256k1_modinv64_divsteps_59(zeta, f.v[0], g.v[0], &t); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (74) ...to here | | (75) calling 'secp256k1_modinv64_divsteps_59' from 'secp256k1_modinv64' | +--> 'secp256k1_modinv64_divsteps_59': events 76-78 | | 169 | static int64_t secp256k1_modinv64_divsteps_59(int64_t zeta, uint64_t f0, uint64_t g0, secp256k1_modinv64_trans2x2 *t) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (76) entry to 'secp256k1_modinv64_divsteps_59' |...... | 182 | for (i = 3; i < 62; ++i) { | | ~~~~~~ | | | | | (77) following 'true' branch (when 'i != 62')... |...... | 187 | c1 = zeta >> 63; | | ~~~~~~~~~~ | | | | | (78) ...to here | <------+ | 'secp256k1_modinv64': events 79-80 | | 605 | zeta = secp256k1_modinv64_divsteps_59(zeta, f.v[0], g.v[0], &t); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (79) returning to 'secp256k1_modinv64' from 'secp256k1_modinv64_divsteps_59' | 606 | /* Update d,e using that transition matrix. */ | 607 | secp256k1_modinv64_update_de_62(&d, &e, &t, modinfo); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (80) calling 'secp256k1_modinv64_update_de_62' from 'secp256k1_modinv64' | +--> 'secp256k1_modinv64_update_de_62': events 81-87 | | 413 | static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp256k1_modinv64_signed62 *e, const secp256k1_modinv64_trans2x2 *t, const secp256k1_modinv64_modinfo* modinfo) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (81) entry to 'secp256k1_modinv64_update_de_62' |...... | 452 | if (modinfo->modulus.v[1]) { /* Optimize for the case where limb of modulus is zero. */ | | ~ | | | | | (82) following 'false' branch... |...... | 456 | d->v[0] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (83) ...to here |...... | 463 | if (modinfo->modulus.v[2]) { /* Optimize for the case where limb of modulus is zero. 
*/ | | ~ | | | | | (84) following 'false' branch... |...... | 467 | d->v[1] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (85) ...to here |...... | 474 | if (modinfo->modulus.v[3]) { /* Optimize for the case where limb of modulus is zero. */ | | ~ | | | | | (86) following 'false' branch... |...... | 478 | d->v[2] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (87) ...to here | <------+ | 'secp256k1_modinv64': event 88 | | 607 | secp256k1_modinv64_update_de_62(&d, &e, &t, modinfo); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (88) returning to 'secp256k1_modinv64' from 'secp256k1_modinv64_update_de_62' | <------+ | 'secp256k1_fe_impl_inv': event 89 | |src/field_5x52_impl.h:496:5: | 496 | secp256k1_modinv64(&s, &secp256k1_const_modinfo_fe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (89) returning to 'secp256k1_fe_impl_inv' from 'secp256k1_modinv64' | <------+ | 'secp256k1_ge_set_gej_safe': event 90 | |src/field.h:99:28: | 99 | # define secp256k1_fe_inv secp256k1_fe_impl_inv src/modules/frost/main_impl.h:47:5: note: in expansion of macro 'secp256k1_fe_inv' | 47 | secp256k1_fe_inv(&tmp.z, &a->z); | | ^~~~~~~~~~~~~~~~ | <------+ | 'serialize_point_xonly': event 91 | | 110 | secp256k1_ge_set_gej_safe(&commitment, point); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (91) returning to 'serialize_point_xonly' from 'secp256k1_ge_set_gej_safe' | <------+ | 'compute_challenge': events 92-93 | | 949 | serialize_point_xonly(group_commitment, rx); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (92) returning to 'compute_challenge' from 'serialize_point_xonly' | 950 | serialize_point_xonly(group_public_key, pk); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (93) calling 'serialize_point_xonly' from 'compute_challenge' | +--> 'serialize_point_xonly': events 94-95 | 
| 108 | static void serialize_point_xonly(const secp256k1_gej *point, unsigned char *output) { | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (94) entry to 'serialize_point_xonly' | 109 | secp256k1_ge commitment; | 110 | secp256k1_ge_set_gej_safe(&commitment, point); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (95) calling 'secp256k1_ge_set_gej_safe' from 'serialize_point_xonly' | +--> 'secp256k1_ge_set_gej_safe': event 96 | | 43 | static void secp256k1_ge_set_gej_safe(secp256k1_ge *r, const secp256k1_gej *a) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (96) entry to 'secp256k1_ge_set_gej_safe' | 'secp256k1_ge_set_gej_safe': event 97 | |src/field.h:99:28: | 99 | # define secp256k1_fe_inv secp256k1_fe_impl_inv src/modules/frost/main_impl.h:47:5: note: in expansion of macro 'secp256k1_fe_inv' | 47 | secp256k1_fe_inv(&tmp.z, &a->z); | | ^~~~~~~~~~~~~~~~ | +--> 'secp256k1_fe_impl_inv': events 98-99 | |src/field_5x52_impl.h:490:13: | 490 | static void secp256k1_fe_impl_inv(secp256k1_fe *r, const secp256k1_fe *x) { | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (98) entry to 'secp256k1_fe_impl_inv' |...... | 496 | secp256k1_modinv64(&s, &secp256k1_const_modinfo_fe); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (99) calling 'secp256k1_modinv64' from 'secp256k1_fe_impl_inv' | +--> 'secp256k1_modinv64': events 100-103 | |src/modinv64_impl.h:592:13: | 592 | static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo) { | | ^~~~~~~~~~~~~~~~~~ | | | | | (100) entry to 'secp256k1_modinv64' |...... | 602 | for (i = 0; i < 10; ++i) { | | ~~~~~~ | | | | | (101) following 'true' branch (when 'i != 10')... |...... 
| 605 | zeta = secp256k1_modinv64_divsteps_59(zeta, f.v[0], g.v[0], &t); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (102) ...to here | | (103) calling 'secp256k1_modinv64_divsteps_59' from 'secp256k1_modinv64' | +--> 'secp256k1_modinv64_divsteps_59': events 104-106 | | 169 | static int64_t secp256k1_modinv64_divsteps_59(int64_t zeta, uint64_t f0, uint64_t g0, secp256k1_modinv64_trans2x2 *t) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (104) entry to 'secp256k1_modinv64_divsteps_59' |...... | 182 | for (i = 3; i < 62; ++i) { | | ~~~~~~ | | | | | (105) following 'true' branch (when 'i != 62')... |...... | 187 | c1 = zeta >> 63; | | ~~~~~~~~~~ | | | | | (106) ...to here | <------+ | 'secp256k1_modinv64': events 107-108 | | 605 | zeta = secp256k1_modinv64_divsteps_59(zeta, f.v[0], g.v[0], &t); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (107) returning to 'secp256k1_modinv64' from 'secp256k1_modinv64_divsteps_59' | 606 | /* Update d,e using that transition matrix. */ | 607 | secp256k1_modinv64_update_de_62(&d, &e, &t, modinfo); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (108) calling 'secp256k1_modinv64_update_de_62' from 'secp256k1_modinv64' | +--> 'secp256k1_modinv64_update_de_62': events 109-115 | | 413 | static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp256k1_modinv64_signed62 *e, const secp256k1_modinv64_trans2x2 *t, const secp256k1_modinv64_modinfo* modinfo) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (109) entry to 'secp256k1_modinv64_update_de_62' |...... | 452 | if (modinfo->modulus.v[1]) { /* Optimize for the case where limb of modulus is zero. */ | | ~ | | | | | (110) following 'false' branch... |...... | 456 | d->v[0] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (111) ...to here |...... 
| 463 | if (modinfo->modulus.v[2]) { /* Optimize for the case where limb of modulus is zero. */ | | ~ | | | | | (112) following 'false' branch... |...... | 467 | d->v[1] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (113) ...to here |...... | 474 | if (modinfo->modulus.v[3]) { /* Optimize for the case where limb of modulus is zero. */ | | ~ | | | | | (114) following 'false' branch... |...... | 478 | d->v[2] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (115) ...to here | <------+ | 'secp256k1_modinv64': event 116 | | 607 | secp256k1_modinv64_update_de_62(&d, &e, &t, modinfo); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (116) returning to 'secp256k1_modinv64' from 'secp256k1_modinv64_update_de_62' | <------+ | 'secp256k1_fe_impl_inv': event 117 | |src/field_5x52_impl.h:496:5: | 496 | secp256k1_modinv64(&s, &secp256k1_const_modinfo_fe); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (117) returning to 'secp256k1_fe_impl_inv' from 'secp256k1_modinv64' | <------+ | 'secp256k1_ge_set_gej_safe': event 118 | |src/field.h:99:28: | 99 | # define secp256k1_fe_inv secp256k1_fe_impl_inv src/modules/frost/main_impl.h:47:5: note: in expansion of macro 'secp256k1_fe_inv' | 47 | secp256k1_fe_inv(&tmp.z, &a->z); | | ^~~~~~~~~~~~~~~~ | <------+ | 'serialize_point_xonly': event 119 | | 110 | secp256k1_ge_set_gej_safe(&commitment, point); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (119) returning to 'serialize_point_xonly' from 'secp256k1_ge_set_gej_safe' | <------+ | 'compute_challenge': events 120-121 | | 950 | serialize_point_xonly(group_public_key, pk); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (120) returning to 'compute_challenge' from 'serialize_point_xonly' |...... 
| 963 | secp256k1_sha256_write(&sha, rx, SERIALIZED_PUBKEY_X_ONLY_SIZE); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (121) calling 'secp256k1_sha256_write' from 'compute_challenge' | +--> 'secp256k1_sha256_write': events 122-126 | |src/hash_impl.h:126:13: | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (122) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (123) following 'false' branch... |...... | 139 | if (len) { | | ~ | | | | | (124) ...to here | | (125) following 'true' branch (when 'len != 0')... | 140 | /* Fill the buffer with what remains. */ | 141 | memcpy(((unsigned char*)hash->buf) + bufsize, data, len); | | ~~~~ | | | | | (126) ...to here | <------+ | 'compute_challenge': events 127-128 | |src/modules/frost/main_impl.h:963:5: | 963 | secp256k1_sha256_write(&sha, rx, SERIALIZED_PUBKEY_X_ONLY_SIZE); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (127) returning to 'compute_challenge' from 'secp256k1_sha256_write' | 964 | secp256k1_sha256_write(&sha, pk, SERIALIZED_PUBKEY_X_ONLY_SIZE); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (128) calling 'secp256k1_sha256_write' from 'compute_challenge' | +--> 'secp256k1_sha256_write': events 129-131 | |src/hash_impl.h:126:13: | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (129) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (130) following 'true' branch... |...... 
| 133 | memcpy(hash->buf + bufsize, data, chunk_len); | | ~~~~ | | | | | (131) ...to here | <------+ | 'compute_challenge': events 132-133 | |src/modules/frost/main_impl.h:964:5: | 964 | secp256k1_sha256_write(&sha, pk, SERIALIZED_PUBKEY_X_ONLY_SIZE); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (132) returning to 'compute_challenge' from 'secp256k1_sha256_write' | 965 | secp256k1_sha256_write(&sha, msg, msg_len); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (133) calling 'secp256k1_sha256_write' from 'compute_challenge' | +--> 'secp256k1_sha256_write': events 134-136 | |src/hash_impl.h:126:13: | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (134) entry to 'secp256k1_sha256_write' |...... | 139 | if (len) { | | ~ | | | | | (135) following 'true' branch (when 'len != 0')... | 140 | /* Fill the buffer with what remains. */ | 141 | memcpy(((unsigned char*)hash->buf) + bufsize, data, len); | | ~~~~ | | | | | (136) ...to here | <------+ | 'compute_challenge': events 137-138 | |src/modules/frost/main_impl.h:965:5: | 965 | secp256k1_sha256_write(&sha, msg, msg_len); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (137) returning to 'compute_challenge' from 'secp256k1_sha256_write' | 966 | secp256k1_sha256_finalize(&sha, buf); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (138) calling 'secp256k1_sha256_finalize' from 'compute_challenge' | +--> 'secp256k1_sha256_finalize': events 139-140 | |src/hash_impl.h:145:13: | 145 | static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (139) entry to 'secp256k1_sha256_finalize' |...... 
| 154 | secp256k1_sha256_write(hash, sizedesc, 8); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (140) calling 'secp256k1_sha256_write' from 'secp256k1_sha256_finalize' | +--> 'secp256k1_sha256_write': events 141-147 | | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (141) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (142) following 'true' branch... | | (144) following 'false' branch... |...... | 133 | memcpy(hash->buf + bufsize, data, chunk_len); | | ~~~~ | | | | | (143) ...to here |...... | 139 | if (len) { | | ~ | | | | | (145) ...to here | | (146) following 'false' branch (when 'len == 0')... |...... | 143 | } | | ~ | | | | | (147) ...to here | <------+ | 'secp256k1_sha256_finalize': events 148-152 | | 154 | secp256k1_sha256_write(hash, sizedesc, 8); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (148) returning to 'secp256k1_sha256_finalize' from 'secp256k1_sha256_write' | 155 | for (i = 0; i < 8; i++) { | | ~~~~~ | | | | | (149) following 'true' branch (when 'i != 8')... | | (151) following 'false' branch (when 'i == 8')... | 156 | secp256k1_write_be32(&out32[4*i], hash->s[i]); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (150) ...to here |...... 
| 159 | } | | ~ | | | | | (152) ...to here | <------+ | 'compute_challenge': events 153-154 | |src/modules/frost/main_impl.h:966:5: | 966 | secp256k1_sha256_finalize(&sha, buf); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (153) returning to 'compute_challenge' from 'secp256k1_sha256_finalize' | 967 | secp256k1_scalar_set_b32(challenge, buf, NULL); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (154) calling 'secp256k1_scalar_set_b32' from 'compute_challenge' | +--> 'secp256k1_scalar_set_b32': events 155-156 | |src/scalar_4x64_impl.h:134:13: | 134 | static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) { | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (155) entry to 'secp256k1_scalar_set_b32' | 135 | int over; | 136 | r->d[0] = (uint64_t)b32[31] | (uint64_t)b32[30] << 8 | (uint64_t)b32[29] << 16 | (uint64_t)b32[28] << 24 | (uint64_t)b32[27] << 32 | (uint64_t)b32[26] << 40 | (uint64_t)b32[25] << 48 | (uint64_t)b32[24] << 56; | | ~~~~~~~ | | | | | (156) use of uninitialized value 'b32[31]' here | In file included from src/ecmult_gen_impl.h:14, from src/secp256k1.c:32: src/hash_impl.h: In function 'secp256k1_sha256_write': src/hash_impl.h:133:9: error: use of uninitialized value 'data' [CWE-457] [-Werror=analyzer-use-of-uninitialized-value] 133 | memcpy(hash->buf + bufsize, data, chunk_len); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 'compute_binding_factors.part.0': events 1-4 | |src/modules/frost/main_impl.h:1035:41: | 1035 | static SECP256K1_WARN_UNUSED_RESULT int compute_binding_factors( | | ^~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to 'compute_binding_factors.part.0' |...... | 1050 | for (index = 0; index < num_signers; index++) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (2) following 'true' branch (when 'num_signers > index')... 
| 1051 | compute_binding_factor(&(binding_factors->binding_factors[index]), | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (4) calling 'compute_binding_factor' from 'compute_binding_factors.part.0' | 1052 | signing_commitments[index].index, msg32, msg_len, | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) ...to here | 1053 | num_signers, signing_commitments); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | +--> 'compute_binding_factor': events 5-6 | | 999 | static void compute_binding_factor( | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (5) entry to 'compute_binding_factor' |...... | 1014 | compute_hash_h4(msg, msg_len, rho_input); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) calling 'compute_hash_h4' from 'compute_binding_factor' | +--> 'compute_hash_h4': events 7-8 | | 194 | static void compute_hash_h4(const unsigned char *msg, uint32_t msg_len, unsigned char *hash_value) { | | ^~~~~~~~~~~~~~~ | | | | | (7) entry to 'compute_hash_h4' |...... | 198 | secp256k1_sha256_write(&sha, hash_context_prefix_h4, sizeof(hash_context_prefix_h4)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling 'secp256k1_sha256_write' from 'compute_hash_h4' | +--> 'secp256k1_sha256_write': events 9-13 | |src/hash_impl.h:126:13: | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (9) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (10) following 'false' branch... |...... | 139 | if (len) { | | ~ | | | | | (11) ...to here | | (12) following 'true' branch (when 'len != 0')... | 140 | /* Fill the buffer with what remains. 
*/ | 141 | memcpy(((unsigned char*)hash->buf) + bufsize, data, len); | | ~~~~ | | | | | (13) ...to here | <------+ | 'compute_hash_h4': events 14-15 | |src/modules/frost/main_impl.h:198:5: | 198 | secp256k1_sha256_write(&sha, hash_context_prefix_h4, sizeof(hash_context_prefix_h4)); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (14) returning to 'compute_hash_h4' from 'secp256k1_sha256_write' | 199 | secp256k1_sha256_write(&sha, msg, msg_len); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (15) calling 'secp256k1_sha256_write' from 'compute_hash_h4' | +--> 'secp256k1_sha256_write': events 16-20 | |src/hash_impl.h:126:13: | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (16) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (17) following 'false' branch... |...... | 139 | if (len) { | | ~ | | | | | (18) ...to here | | (19) following 'false' branch (when 'len == 0')... |...... 
| 143 | } | | ~ | | | | | (20) ...to here | <------+ | 'compute_hash_h4': events 21-22 | |src/modules/frost/main_impl.h:199:5: | 199 | secp256k1_sha256_write(&sha, msg, msg_len); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) returning to 'compute_hash_h4' from 'secp256k1_sha256_write' | 200 | secp256k1_sha256_finalize(&sha, hash_value); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) calling 'secp256k1_sha256_finalize' from 'compute_hash_h4' | +--> 'secp256k1_sha256_finalize': events 23-26 | |src/hash_impl.h:145:13: | 145 | static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (23) entry to 'secp256k1_sha256_finalize' | 146 | static const unsigned char pad[64] = {0x80}; | 147 | unsigned char sizedesc[8]; | | ~~~~~~~~ | | | | | (24) region created on stack here | | (25) capacity: 8 bytes |...... | 153 | secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (26) calling 'secp256k1_sha256_write' from 'secp256k1_sha256_finalize' | +--> 'secp256k1_sha256_write': events 27-31 | | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (27) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (28) following 'false' branch... |...... | 139 | if (len) { | | ~ | | | | | (29) ...to here | | (30) following 'false' branch (when 'len == 0')... |...... 
| 143 | } | | ~ | | | | | (31) ...to here | <------+ | 'secp256k1_sha256_finalize': events 32-33 | | 153 | secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (32) returning to 'secp256k1_sha256_finalize' from 'secp256k1_sha256_write' | 154 | secp256k1_sha256_write(hash, sizedesc, 8); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (33) calling 'secp256k1_sha256_write' from 'secp256k1_sha256_finalize' | +--> 'secp256k1_sha256_write': events 34-37 | | 126 | static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { | | ^~~~~~~~~~~~~~~~~~~~~~ | | | | | (34) entry to 'secp256k1_sha256_write' |...... | 130 | while (len >= 64 - bufsize) { | | ~~~~~~~~~~~~~~~~~~~ | | | | | (35) following 'true' branch... |...... | 133 | memcpy(hash->buf + bufsize, data, chunk_len); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (36) ...to here | | (37) use of uninitialized value 'data' here |
cc1: all warnings being treated as errors
make[1]: *** [Makefile:1207: src/libsecp256k1_la-secp256k1.lo] Error 1
make[1]: Leaving directory ''
make: *** [Makefile:939: all] Error 2
```
I am writing this as a historical note in case the project needs to be rebased on top of a recent secp256k1 version. Tests were made on 2025-03-18, Fedora 41, gcc 14.2.1.
bb1f6a8 to adf6186
adf6186 to a09326c
Valgrind identifies memory-related issues in FROST, which do not appear when Valgrind analyzes FROST on other OSs. We are currently disabling the FROST module when Valgrind analyzes the library code on macOS Ventura (macOS 13). Apparently, Valgrind provides only preliminary support for X86_64/macOS.
Use the primitive implemented in secp256k1 to clean data in memory.
We follow the principles of the upstream secp256k1 library, which puts some effort into cleaning secrets from the stack before returning. With this commit, FROST-related functions clean temporary variables before returning.
This is not automatic: we will have to periodically go through the available modules and turn them off.
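The clean-before-return pattern described in the commit message above, as an added example that is not the project's code. `example_memclear`, `example_mask_share` and the check functions are hypothetical stand-ins on constructed inputs; the secp256k1 primitive itself is not reproduced here.

```c
#include <stddef.h>
#include <string.h>

#define SHARE_SIZE 32

/* Hypothetical helper, not the secp256k1 primitive: calling memset through a
 * volatile function pointer keeps the compiler from treating the write to a
 * dying stack variable as a dead store and removing it. */
static void *(*const volatile example_memset)(void *, int, size_t) = memset;

static void example_memclear(void *ptr, size_t len) {
    example_memset(ptr, 0, len);
#if defined(__GNUC__)
    /* Compiler barrier: the cleared memory counts as observed. */
    __asm__ __volatile__("" : : "r"(ptr) : "memory");
#endif
}

/* Toy stand-in for a signing step (not real cryptography): masks a secret
 * share with a nonce. Returns 1 on success, 0 if the nonce is all zero. */
static int example_mask_share(unsigned char *out, const unsigned char *share,
                              const unsigned char *nonce) {
    unsigned char tmp[SHARE_SIZE]; /* secret-dependent temporary */
    unsigned char seen = 0;        /* also derived from secret input */
    size_t i;
    int ret = 0;

    for (i = 0; i < SHARE_SIZE; i++) {
        tmp[i] = (unsigned char)(share[i] ^ nonce[i]);
        seen |= nonce[i];
    }
    if (seen == 0) {
        /* Error path: give the caller a defined output, then still clean up. */
        memset(out, 0, SHARE_SIZE);
        goto cleanup;
    }
    memcpy(out, tmp, SHARE_SIZE);
    ret = 1;

cleanup:
    /* Single exit: every path clears the temporaries before returning. */
    example_memclear(tmp, sizeof(tmp));
    example_memclear(&seen, sizeof(seen));
    return ret;
}

/* Self-checks on constructed inputs; each returns 1 when the check holds. */
static int example_check_clear(void) {
    unsigned char buf[SHARE_SIZE];
    size_t i;
    memset(buf, 0xAA, sizeof(buf));
    example_memclear(buf, sizeof(buf));
    for (i = 0; i < sizeof(buf); i++) {
        if (buf[i] != 0) return 0;
    }
    return 1;
}

static int example_check_mask(void) {
    unsigned char share[SHARE_SIZE], nonce[SHARE_SIZE], out[SHARE_SIZE];
    size_t i;
    memset(share, 0x5A, sizeof(share));
    memset(nonce, 0x0F, sizeof(nonce));
    if (example_mask_share(out, share, nonce) != 1) return 0;
    for (i = 0; i < SHARE_SIZE; i++) {
        if (out[i] != 0x55) return 0; /* 0x5A ^ 0x0F */
    }
    memset(nonce, 0, sizeof(nonce));
    if (example_mask_share(out, share, nonce) != 0) return 0;
    for (i = 0; i < SHARE_SIZE; i++) {
        if (out[i] != 0) return 0;
    }
    return 1;
}

int main(void) {
    return (example_check_clear() && example_check_mask()) ? 0 : 1;
}
```

A plain `memset` on `tmp` just before `return` is the call an optimizer is allowed to drop, which is why the clearing goes through a dedicated helper.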
…13 ->15. ROLLME On my local Fedora 42 machine, however, static analysis hangs indefinitely.
522b092 to 04aa46f
Do not merge yet.