App Updates Blocked Due to Security Threat

I tried to release an update to my app today but was ultimately unsuccessful.

Garmin have sent me the following email:

An automated scan identified a security threat in the wristMT PRO app.
To access your app submission, make any necessary changes, and re-submit your app for approval, go to: XXXXXXXXXXX

My last successful update was only a few days ago. Today's update essentially extends 1 or 2 dictionary variables with some additional data but makes no changes to code structure or features beyond that.

I've tried three times now including on my Beta instance with the same result.

I can't fathom what "security threat" the tools have found and the email message is not exactly helpful in that regard.

Is anyone else seeing similar messages?

Rick

  • I just published v2.0.91. My apps successfully publish using this version, and they exercise all of the optimizations.

    If anyone is still having issues, please let me know.

  • Great work Mark. All appears to be working well. Out of curiosity would you mind detailing what you have had to change/disable when you get a few minutes. Thanks.

  • I started by turning off passes until things worked. By the time I got a working build, I'd turned off almost everything. The last thing I turned off was dce (dead code elimination), so I tried turning other passes on again. It eventually turned out that it was dce and "minimize locals" causing the problems.

    The only suspicious thing I could think of with minimize locals is that it will re-use local 0 (which holds 'self') if there are no downstream uses (implied or otherwise) of self. So I turned that off, and with that change, and dce disabled, things worked. I had to fix some bugs because dce isn't normally an optional pass, so minimize locals had never been tested with dce disabled, and it turned out to have an implicit assumption that there were no dead stores to locals (because dce should have removed them). But after fixing that it all worked.

    So now I had to figure out what dce was doing that Garmin didn't like. I had a small project and I looked at all the changes with dce enabled and disabled, and for that project, nearly all the changes were the same.

    Every module scope function (including global scope) begins with a store of the module into self. This is because the caller may have passed in a different scope, and lookups need to be made in the scope of the function's module. But many functions don't do any lookups (e.g. function foo(a, b) { return a+b; }), so dce will kill the store to self in those cases. And this is what Garmin's verifier was objecting to. So again this came down to messing around with stores to local 0.

    So with those two changes, Garmin's store started accepting my uploads. At about this point, I got an email from Garmin asking if I was doing anything with stores to local 0 and suggesting that might be causing issues, which was a nice confirmation...
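The interaction described in the post above can be reproduced on a toy model. This is an added example, not part of the original thread and not code from Prettier Monkey C or Garmin: the register IR, the `pinned` option and the `check_self_slot` rule are hypothetical stand-ins for "dce", "keep the store to local 0" and a verifier that objects to changes around local 0.

```python
# Toy register IR (constructed for illustration, not Monkey C bytecode):
# each instruction is (op, dst_local, src_locals). Local 0 holds 'self'.
SELF = 0

def dce(code, pinned=frozenset()):
    """Backward dead-store elimination over straight-line code.
    Stores to locals in `pinned` are kept even when nothing reads them."""
    live, kept = set(), []
    for op, dst, srcs in reversed(code):
        if dst is not None and dst not in live and dst not in pinned:
            continue  # dead store: nothing downstream reads dst
        live.discard(dst)
        live.update(srcs)
        kept.append((op, dst, srcs))
    return kept[::-1]

def check_self_slot(code):
    """Hypothetical verifier-style rule: the function must begin by storing
    the module into local 0, and nothing else may write local 0."""
    problems = []
    if not code or code[0][:2] != ("getmodule", SELF):
        problems.append("missing prologue store of module into local 0")
    for i, (op, dst, _) in enumerate(code[1:], start=1):
        if dst == SELF:
            problems.append(f"instruction {i} ({op}) overwrites local 0")
    return problems

# function foo(a, b) { return a+b; }  with a in local 1, b in local 2
FOO = [
    ("getmodule", 0, ()),   # self = module (prologue)
    ("add", 3, (1, 2)),     # tmp = a + b
    ("ret", None, (3,)),    # return tmp
]
# A function that performs a lookup, so self is genuinely live
BAR = [
    ("getmodule", 0, ()),
    ("getfield", 3, (0,)),  # tmp = self.<symbol>
    ("ret", None, (3,)),
]

if __name__ == "__main__":
    for name, fn in (("foo", FOO), ("bar", BAR)):
        print(name, "plain dce:", check_self_slot(dce(fn)))
        print(name, "self pinned:", check_self_slot(dce(fn, pinned={SELF})))
```

With plain `dce`, `foo` loses its prologue store because nothing reads local 0, and the check flags it; pinning local 0 keeps the prologue at the cost of one extra instruction per function.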

  • Thanks Mark - your knowledge of this stuff makes me envious :-)

    It's great to see Garmin being proactive in trying to get this resolved.

    P.S. Just wish they put the same level of effort into resolving their own outstanding issues (dig...dig....The Trial API is still not working since the last Website upgrade near enough 4 months ago)

  • Hi, I am not using the Prettier Monkey C to export or build my project, and I am facing this issue. A Datafield I'm developing was uploading without any issues (last release the 1st of May). Since yesterday, I'm blocked by the security threat message, without any notable change. I suppose that what is detected was already present in the code but now I have no clue what to look for as I'm not doing crazy things :) Is there a way to get in contact with someone from your side to understand what's wrong?

  • If you could share the app that can't be updated, that would be helpful. You can reply here or email [email protected]

  • Thanks a lot for the swift reply! I just sent the info by mail.

  • Why don't they say what is wrong? I can't update my app anymore and I am thinking about deleting it. This is not the correct development process: your code is bad. Fix it.

  • Anyone using the Prettier Monkey C optimizer: do you see any problems uploading apps? See my comment here: https://forums.garmin.com/developer/connect-iq/f/discussion/371249/apps-disappeared-from-store

    I can't try uploading the app without the optimizer, because on devices with 32kB DF memory or less it doesn't even start (Out of memory error).