Implement a robust overflows_type() macro to test if a variable or
constant value would overflow another variable or type. This can be
used as a constant expression for static_assert() (which requires a
constant expression[1][2]) when used on constant values. This must be
constructed manually, since __builtin_add_overflow() does not produce
a constant expression[3].
Additionally adds castable_to_type(), similar to __same_type(), but for
checking if a constant value would overflow if cast to a given type.
Add unit tests for overflows_type(), __same_type(), and castable_to_type()
to the existing KUnit "overflow" test.
[1] https://en.cppreference.com/w/c/language/_Static_assert
[2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
[3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
Cc: Luc Van Oostenryck <[email protected]>
Cc: Nathan Chancellor <[email protected]>
Cc: Nick Desaulniers <[email protected]>
Cc: Tom Rix <[email protected]>
Cc: Daniel Latypov <[email protected]>
Cc: Vitor Massaru Iha <[email protected]>
Cc: "Gustavo A. R. Silva" <[email protected]>
Cc: [email protected]
Cc: [email protected]
Co-developed-by: Gwan-gyeong Mun <[email protected]>
Signed-off-by: Gwan-gyeong Mun <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
---
v2:
- fix comment typo
- wrap clang pragma to avoid GCC warnings
- style nit cleanups
- rename __castable_to_type() to castable_to_type()
- remove prior overflows_type() definition
v1: https://lore.kernel.org/lkml/[email protected]
---
drivers/gpu/drm/i915/i915_utils.h | 4 -
include/linux/compiler.h | 1 +
include/linux/overflow.h | 48 ++++
lib/overflow_kunit.c | 388 +++++++++++++++++++++++++++++-
4 files changed, 436 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
index c10d68cdc3ca..d14b7faee054 100644
--- a/drivers/gpu/drm/i915/i915_utils.h
+++ b/drivers/gpu/drm/i915/i915_utils.h
@@ -111,10 +111,6 @@ bool i915_error_injected(void);
#define range_overflows_end_t(type, start, size, max) \
range_overflows_end((type)(start), (type)(size), (type)(max))
-/* Note we don't consider signbits :| */
-#define overflows_type(x, T) \
- (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
-
#define ptr_mask_bits(ptr, n) ({ \
unsigned long __v = (unsigned long)(ptr); \
(typeof(ptr))(__v & -BIT(n)); \
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 7713d7bcdaea..c631107e93b1 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off)
* bool and also pointer types.
*/
#define is_signed_type(type) (((type)(-1)) < (__force type)1)
+#define is_unsigned_type(type) (!is_signed_type(type))
/*
* This is needed in functions which generate the stack canary, see
diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 19dfdd74835e..58eb34aa2af9 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow)
(*_d >> _to_shift) != _a); \
}))
+#define __overflows_type_constexpr(x, T) ( \
+ is_unsigned_type(typeof(x)) ? \
+ (x) > type_max(typeof(T)) ? 1 : 0 \
+ : is_unsigned_type(typeof(T)) ? \
+ (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
+ : (x) < type_min(typeof(T)) || \
+ (x) > type_max(typeof(T)) ? 1 : 0)
+
+#define __overflows_type(x, T) ({ \
+ typeof(T) v = 0; \
+ check_add_overflow((x), v, &v); \
+})
+
+/**
+ * overflows_type - helper for checking the overflows between value, variables,
+ * or data type
+ *
+ * @n: source constant value or variable to be checked
+ * @T: destination variable or data type proposed to store @x
+ *
+ * Compares the @x expression for whether or not it can safely fit in
+ * the storage of the type in @T. @x and @T can have different types.
+ * If @x is a constant expression, this will also resolve to a constant
+ * expression.
+ *
+ * Returns: true if overflow can occur, false otherwise.
+ */
+#define overflows_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n), \
+ __overflows_type_constexpr(n, T), \
+ __overflows_type(n, T))
+
+/**
+ * castable_to_type - like __same_type(), but also allows for casted literals
+ *
+ * @n: variable or constant value
+ * @T: variable or data type
+ *
+ * Unlike the __same_type() macro, this allows a constant value as the
+ * first argument. If this value would not overflow into an assignment
+ * of the second argument's type, it returns true. Otherwise, this falls
+ * back to __same_type().
+ */
+#define castable_to_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n), \
+ !__overflows_type_constexpr(n, T), \
+ __same_type(n, T))
+
/**
* size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
*
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
index f385ca652b74..fffc3f86181d 100644
--- a/lib/overflow_kunit.c
+++ b/lib/overflow_kunit.c
@@ -16,6 +16,11 @@
#include <linux/types.h>
#include <linux/vmalloc.h>
+/* We're expecting to do a lot of "always true" or "always false" tests. */
+#ifdef CONFIG_CC_IS_CLANG
+#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare"
+#endif
+
#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \
static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \
t1 a; \
@@ -246,7 +251,7 @@ DEFINE_TEST_ARRAY(s64) = {
#define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \
static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
-{ \
+{ \
check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \
check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \
check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \
@@ -708,6 +713,384 @@ static void overflow_size_helpers_test(struct kunit *test)
#undef check_one_size_helper
}
+static void overflows_type_test(struct kunit *test)
+{
+ int count = 0;
+ unsigned int var;
+
+#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \
+ bool __of = func(arg1, arg2); \
+ KUNIT_EXPECT_EQ_MSG(test, __of, of, \
+ "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\
+ of ? "" : " not"); \
+ count++; \
+} while (0)
+
+/* Args are: first type, second type, value, overflow expected */
+#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \
+ __t1 t1 = (v); \
+ __t2 t2; \
+ __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\
+} while (0)
+
+ TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true);
+ TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true);
+ TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true);
+ TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s16, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false);
+#endif
+ TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false);
+ TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false);
+#endif
+
+ /* Check for macro side-effects. */
+ var = INT_MAX - 1;
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true);
+ var = INT_MAX - 1;
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true);
+
+ kunit_info(test, "%d overflows_type() tests finished\n", count);
+#undef TEST_OVERFLOWS_TYPE
+#undef __TEST_OVERFLOWS_TYPE
+}
+
+static void same_type_test(struct kunit *test)
+{
+ int count = 0;
+ int var;
+
+#define TEST_SAME_TYPE(t1, t2, same) do { \
+ typeof(t1) __t1h = type_max(t1); \
+ typeof(t1) __t1l = type_min(t1); \
+ typeof(t2) __t2h = type_max(t2); \
+ typeof(t2) __t2l = type_min(t2); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \
+} while (0)
+
+#if BITS_PER_LONG == 64
+# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m)
+#else
+# define TEST_SAME_TYPE64(base, t, m) do { } while (0)
+#endif
+
+#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \
+do { \
+ TEST_SAME_TYPE(base, u8, mu8); \
+ TEST_SAME_TYPE(base, u16, mu16); \
+ TEST_SAME_TYPE(base, u32, mu32); \
+ TEST_SAME_TYPE(base, s8, ms8); \
+ TEST_SAME_TYPE(base, s16, ms16); \
+ TEST_SAME_TYPE(base, s32, ms32); \
+ TEST_SAME_TYPE64(base, u64, mu64); \
+ TEST_SAME_TYPE64(base, s64, ms64); \
+} while (0)
+
+ TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false);
+ TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false);
+ TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false);
+ TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false);
+ TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false);
+ TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false);
+#if BITS_PER_LONG == 64
+ TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false);
+ TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true);
+#endif
+
+ /* Check for macro side-effects. */
+ var = 4;
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(var++, int));
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(int, var++));
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(var++, var++));
+ KUNIT_EXPECT_EQ(test, var, 4);
+
+ kunit_info(test, "%d __same_type() tests finished\n", count);
+
+#undef TEST_TYPE_SETS
+#undef TEST_SAME_TYPE64
+#undef TEST_SAME_TYPE
+}
+
+static void castable_to_type_test(struct kunit *test)
+{
+ int count = 0;
+
+#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \
+ bool __pass = castable_to_type(arg1, arg2); \
+ KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \
+ "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\
+ pass ? "" : " not"); \
+ count++; \
+} while (0)
+
+ TEST_CASTABLE_TO_TYPE(16, u8, true);
+ TEST_CASTABLE_TO_TYPE(16, u16, true);
+ TEST_CASTABLE_TO_TYPE(16, u32, true);
+ TEST_CASTABLE_TO_TYPE(16, s8, true);
+ TEST_CASTABLE_TO_TYPE(16, s16, true);
+ TEST_CASTABLE_TO_TYPE(16, s32, true);
+ TEST_CASTABLE_TO_TYPE(-16, s8, true);
+ TEST_CASTABLE_TO_TYPE(-16, s16, true);
+ TEST_CASTABLE_TO_TYPE(-16, s32, true);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE(16, u64, true);
+ TEST_CASTABLE_TO_TYPE(-16, s64, true);
+#endif
+
+#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \
+ u ## width u ## width ## var = 0; \
+ s ## width s ## width ## var = 0; \
+ \
+ /* Constant expressions that fit types. */ \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \
+ /* Constant expressions that do not fit types. */ \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \
+ /* Non-constant expression with mismatched type. */ \
+ TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \
+} while (0)
+
+#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \
+ unsigned long big = U ## width ## _MAX; \
+ signed long small = S ## width ## _MIN; \
+ u ## width u ## width ## var = 0; \
+ s ## width s ## width ## var = 0; \
+ \
+ /* Constant expression in range. */ \
+ TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \
+ /* Constant expression out of range. */ \
+ TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \
+ TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \
+ /* Non-constant expression with mismatched type. */ \
+ TEST_CASTABLE_TO_TYPE(big, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE(small, s ## width, false); \
+ TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \
+} while (0)
+
+ TEST_CASTABLE_TO_TYPE_VAR(8);
+ TEST_CASTABLE_TO_TYPE_VAR(16);
+ TEST_CASTABLE_TO_TYPE_VAR(32);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE_VAR(64);
+#endif
+
+ TEST_CASTABLE_TO_TYPE_RANGE(8);
+ TEST_CASTABLE_TO_TYPE_RANGE(16);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE_RANGE(32);
+#endif
+ kunit_info(test, "%d castable_to_type() tests finished\n", count);
+
+#undef TEST_CASTABLE_TO_TYPE_RANGE
+#undef TEST_CASTABLE_TO_TYPE_VAR
+#undef TEST_CASTABLE_TO_TYPE
+}
+
static struct kunit_case overflow_test_cases[] = {
KUNIT_CASE(u8_u8__u8_overflow_test),
KUNIT_CASE(s8_s8__s8_overflow_test),
@@ -730,6 +1113,9 @@ static struct kunit_case overflow_test_cases[] = {
KUNIT_CASE(shift_nonsense_test),
KUNIT_CASE(overflow_allocation_test),
KUNIT_CASE(overflow_size_helpers_test),
+ KUNIT_CASE(overflows_type_test),
+ KUNIT_CASE(same_type_test),
+ KUNIT_CASE(castable_to_type_test),
{}
};
--
2.34.1
+ Arnd
On Mon, Sep 26, 2022 at 12:11 PM Kees Cook <[email protected]> wrote:
> ---
> v2:
> - fix comment typo
> - wrap clang pragma to avoid GCC warnings
> - style nit cleanups
> - rename __castable_to_type() to castable_to_type()
> - remove prior overflows_type() definition
> v1: https://lore.kernel.org/lkml/[email protected]
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index f385ca652b74..fffc3f86181d 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -16,6 +16,11 @@
> #include <linux/types.h>
> #include <linux/vmalloc.h>
>
> +/* We're expecting to do a lot of "always true" or "always false" tests. */
> +#ifdef CONFIG_CC_IS_CLANG
> +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare"
> +#endif
Any chance we can reuse parts of __diag_ignore or __diag_clang from
include/linux/compiler_types.h or include/linux/compiler-clang.h
respectively?
Those are needed for pragmas within preprocessor macros, which we
don't have here, but I suspect they may be more concise to use here.
> +#define TEST_SAME_TYPE(t1, t2, same) do { \
> + typeof(t1) __t1h = type_max(t1); \
> + typeof(t1) __t1l = type_min(t1); \
> + typeof(t2) __t2h = type_max(t2); \
> + typeof(t2) __t2l = type_min(t2); \
Can we use __auto_type here rather than typeof(macro expansion)?
--
Thanks,
~Nick Desaulniers
On Mon, Sep 26, 2022 at 01:17:18PM -0700, Nick Desaulniers wrote:
> + Arnd
>
> On Mon, Sep 26, 2022 at 12:11 PM Kees Cook <[email protected]> wrote:
> > ---
> > v2:
> > - fix comment typo
> > - wrap clang pragma to avoid GCC warnings
> > - style nit cleanups
> > - rename __castable_to_type() to castable_to_type()
> > - remove prior overflows_type() definition
> > v1: https://lore.kernel.org/lkml/[email protected]
> > diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> > index f385ca652b74..fffc3f86181d 100644
> > --- a/lib/overflow_kunit.c
> > +++ b/lib/overflow_kunit.c
> > @@ -16,6 +16,11 @@
> > #include <linux/types.h>
> > #include <linux/vmalloc.h>
> >
> > +/* We're expecting to do a lot of "always true" or "always false" tests. */
> > +#ifdef CONFIG_CC_IS_CLANG
> > +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare"
> > +#endif
>
> Any chance we can reuse parts of __diag_ignore or __diag_clang from
> include/linux/compiler_types.h or include/linux/compiler-clang.h
> respectively?
Hm, I'm not sure how those are supposed to be used. Those defines don't
seem to be used externally?
> Those are needed for pragmas within preprocessor macros, which we
> don't have here, but I suspect they may be more concise to use here.
Yeah, I was surprised when I had to wrap it in #ifdef given "clang" is
part of the string.
>
> > +#define TEST_SAME_TYPE(t1, t2, same) do { \
> > + typeof(t1) __t1h = type_max(t1); \
> > + typeof(t1) __t1l = type_min(t1); \
> > + typeof(t2) __t2h = type_max(t2); \
> > + typeof(t2) __t2l = type_min(t2); \
>
> Can we use __auto_type here rather than typeof(macro expansion)?
I'd rather it stay explicit -- otherwise we start to wander into "oops,
we got lucky" territory for what should be a really distinct test case.
--
Kees Cook
On Mon, Sep 26, 2022, at 11:07 PM, Kees Cook wrote:
> On Mon, Sep 26, 2022 at 01:17:18PM -0700, Nick Desaulniers wrote:
>> + Arnd
>>
>> On Mon, Sep 26, 2022 at 12:11 PM Kees Cook <[email protected]> wrote:
>> > ---
>> > v2:
>> > - fix comment typo
>> > - wrap clang pragma to avoid GCC warnings
>> > - style nit cleanups
>> > - rename __castable_to_type() to castable_to_type()
>> > - remove prior overflows_type() definition
>> > v1: https://lore.kernel.org/lkml/[email protected]
>> > diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
>> > index f385ca652b74..fffc3f86181d 100644
>> > --- a/lib/overflow_kunit.c
>> > +++ b/lib/overflow_kunit.c
>> > @@ -16,6 +16,11 @@
>> > #include <linux/types.h>
>> > #include <linux/vmalloc.h>
>> >
>> > +/* We're expecting to do a lot of "always true" or "always false" tests. */
>> > +#ifdef CONFIG_CC_IS_CLANG
>> > +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare"
>> > +#endif
>>
>> Any chance we can reuse parts of __diag_ignore or __diag_clang from
>> include/linux/compiler_types.h or include/linux/compiler-clang.h
>> respectively?
>
> Hm, I'm not sure how those are supposed to be used. Those defines don't
> seem to be used externally?
We use them in a couple of places. When I originally introduced
them, the idea was to add more infrastructure around these
to replace the various -Wno-... flags in local makefiles with
more targetted annotations, and then have a way to control
the warning levels (W=1 W=2 E=1 etc) per directory and per file,
but I never completed the work to add the interesting bits.
>> Those are needed for pragmas within preprocessor macros, which we
>> don't have here, but I suspect they may be more concise to use here.
>
> Yeah, I was surprised when I had to wrap it in #ifdef given "clang" is
> part of the string.
>
>>
>> > +#define TEST_SAME_TYPE(t1, t2, same) do { \
>> > + typeof(t1) __t1h = type_max(t1); \
>> > + typeof(t1) __t1l = type_min(t1); \
>> > + typeof(t2) __t2h = type_max(t2); \
>> > + typeof(t2) __t2l = type_min(t2); \
>>
>> Can we use __auto_type here rather than typeof(macro expansion)?
>
> I'd rather it stay explicit -- otherwise we start to wander into "oops,
> we got lucky" territory for what should be a really distinct test case.
The idea of __auto_type is to avoid the more deeply nested macros.
If the preprocessed file turns into an absolute mess, adding a temporary
variable may help. Not sure if that applies here.
Arnd
Hi Kees,
Thanks for update it to v2.
I'm leaving a comment because the patches this patch depends on aren't
part of one of the series.
If this patch alone is forwarded to the intel-gfx mailing, it will
report a build issue.
If this patch is only for review, please ignore my comments.
In order to remove overflows_type() from the i915 gpu driver and add the
updated overflows_type() to overflows.h, the following two patches must
be applied first because of dependencies.
"overflow: Allow mixed type arguments" [1][2]
"overflow: Introduce check_assign() and check_assign_user_ptr()" [2]
https://www.spinics.net/lists/kernel/msg4495457.html [1]
https://patchwork.freedesktop.org/patch/504792/?series=109063&rev=1 [2]
https://patchwork.freedesktop.org/patch/504791/?series=109063&rev=1 [3]
br,
G.G
On 9/26/22 10:11 PM, Kees Cook wrote:
> Implement a robust overflows_type() macro to test if a variable or
> constant value would overflow another variable or type. This can be
> used as a constant expression for static_assert() (which requires a
> constant expression[1][2]) when used on constant values. This must be
> constructed manually, since __builtin_add_overflow() does not produce
> a constant expression[3].
>
> Additionally adds castable_to_type(), similar to __same_type(), but for
> checking if a constant value would overflow if cast to a given type.
>
> Add unit tests for overflows_type(), __same_type(), and castable_to_type()
> to the existing KUnit "overflow" test.
>
> [1] https://en.cppreference.com/w/c/language/_Static_assert
> [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
> [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
> 6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
> Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
>
> Cc: Luc Van Oostenryck <[email protected]>
> Cc: Nathan Chancellor <[email protected]>
> Cc: Nick Desaulniers <[email protected]>
> Cc: Tom Rix <[email protected]>
> Cc: Daniel Latypov <[email protected]>
> Cc: Vitor Massaru Iha <[email protected]>
> Cc: "Gustavo A. R. Silva" <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Co-developed-by: Gwan-gyeong Mun <[email protected]>
> Signed-off-by: Gwan-gyeong Mun <[email protected]>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> v2:
> - fix comment typo
> - wrap clang pragma to avoid GCC warnings
> - style nit cleanups
> - rename __castable_to_type() to castable_to_type()
> - remove prior overflows_type() definition
> v1: https://lore.kernel.org/lkml/[email protected]
> ---
> drivers/gpu/drm/i915/i915_utils.h | 4 -
> include/linux/compiler.h | 1 +
> include/linux/overflow.h | 48 ++++
> lib/overflow_kunit.c | 388 +++++++++++++++++++++++++++++-
> 4 files changed, 436 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
> index c10d68cdc3ca..d14b7faee054 100644
> --- a/drivers/gpu/drm/i915/i915_utils.h
> +++ b/drivers/gpu/drm/i915/i915_utils.h
> @@ -111,10 +111,6 @@ bool i915_error_injected(void);
> #define range_overflows_end_t(type, start, size, max) \
> range_overflows_end((type)(start), (type)(size), (type)(max))
>
> -/* Note we don't consider signbits :| */
> -#define overflows_type(x, T) \
> - (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
> -
> #define ptr_mask_bits(ptr, n) ({ \
> unsigned long __v = (unsigned long)(ptr); \
> (typeof(ptr))(__v & -BIT(n)); \
> diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> index 7713d7bcdaea..c631107e93b1 100644
> --- a/include/linux/compiler.h
> +++ b/include/linux/compiler.h
> @@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off)
> * bool and also pointer types.
> */
> #define is_signed_type(type) (((type)(-1)) < (__force type)1)
> +#define is_unsigned_type(type) (!is_signed_type(type))
>
> /*
> * This is needed in functions which generate the stack canary, see
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index 19dfdd74835e..58eb34aa2af9 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow)
> (*_d >> _to_shift) != _a); \
> }))
>
> +#define __overflows_type_constexpr(x, T) ( \
> + is_unsigned_type(typeof(x)) ? \
> + (x) > type_max(typeof(T)) ? 1 : 0 \
> + : is_unsigned_type(typeof(T)) ? \
> + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
> + : (x) < type_min(typeof(T)) || \
> + (x) > type_max(typeof(T)) ? 1 : 0)
> +
> +#define __overflows_type(x, T) ({ \
> + typeof(T) v = 0; \
> + check_add_overflow((x), v, &v); \
> +})
> +
> +/**
> + * overflows_type - helper for checking the overflows between value, variables,
> + * or data type
> + *
> + * @n: source constant value or variable to be checked
> + * @T: destination variable or data type proposed to store @x
> + *
> + * Compares the @x expression for whether or not it can safely fit in
> + * the storage of the type in @T. @x and @T can have different types.
> + * If @x is a constant expression, this will also resolve to a constant
> + * expression.
> + *
> + * Returns: true if overflow can occur, false otherwise.
> + */
> +#define overflows_type(n, T) \
> + __builtin_choose_expr(__is_constexpr(n), \
> + __overflows_type_constexpr(n, T), \
> + __overflows_type(n, T))
> +
> +/**
> + * castable_to_type - like __same_type(), but also allows for casted literals
> + *
> + * @n: variable or constant value
> + * @T: variable or data type
> + *
> + * Unlike the __same_type() macro, this allows a constant value as the
> + * first argument. If this value would not overflow into an assignment
> + * of the second argument's type, it returns true. Otherwise, this falls
> + * back to __same_type().
> + */
> +#define castable_to_type(n, T) \
> + __builtin_choose_expr(__is_constexpr(n), \
> + !__overflows_type_constexpr(n, T), \
> + __same_type(n, T))
> +
> /**
> * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
> *
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index f385ca652b74..fffc3f86181d 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -16,6 +16,11 @@
> #include <linux/types.h>
> #include <linux/vmalloc.h>
>
> +/* We're expecting to do a lot of "always true" or "always false" tests. */
> +#ifdef CONFIG_CC_IS_CLANG
> +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare"
> +#endif
> +
> #define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \
> static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \
> t1 a; \
> @@ -246,7 +251,7 @@ DEFINE_TEST_ARRAY(s64) = {
>
> #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \
> static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
> -{ \
> +{ \
> check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \
> check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \
> check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \
> @@ -708,6 +713,384 @@ static void overflow_size_helpers_test(struct kunit *test)
> #undef check_one_size_helper
> }
>
> +static void overflows_type_test(struct kunit *test)
> +{
> + int count = 0;
> + unsigned int var;
> +
> +#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \
> + bool __of = func(arg1, arg2); \
> + KUNIT_EXPECT_EQ_MSG(test, __of, of, \
> + "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\
> + of ? "" : " not"); \
> + count++; \
> +} while (0)
> +
> +/* Args are: first type, second type, value, overflow expected */
> +#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \
> + __t1 t1 = (v); \
> + __t2 t2; \
> + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \
> + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \
> + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \
> + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\
> +} while (0)
> +
> + TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true);
> + TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true);
> + TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true);
> + TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true);
> +#endif
> + TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true);
> + TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true);
> + TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true);
> + TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s16, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true);
> + TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true);
> + TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true);
> +#endif
> + TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true);
> + TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true);
> + TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false);
> +#endif
> + TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true);
> +#endif
> + TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false);
> + TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false);
> + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false);
> +#endif
> +
> + /* Check for macro side-effects. */
> + var = INT_MAX - 1;
> + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true);
> + var = INT_MAX - 1;
> + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true);
> +
> + kunit_info(test, "%d overflows_type() tests finished\n", count);
> +#undef TEST_OVERFLOWS_TYPE
> +#undef __TEST_OVERFLOWS_TYPE
> +}
> +
> +static void same_type_test(struct kunit *test)
> +{
> + int count = 0;
> + int var;
> +
> +#define TEST_SAME_TYPE(t1, t2, same) do { \
> + typeof(t1) __t1h = type_max(t1); \
> + typeof(t1) __t1l = type_min(t1); \
> + typeof(t2) __t2h = type_max(t2); \
> + typeof(t2) __t2l = type_min(t2); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \
> +} while (0)
> +
> +#if BITS_PER_LONG == 64
> +# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m)
> +#else
> +# define TEST_SAME_TYPE64(base, t, m) do { } while (0)
> +#endif
> +
> +#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \
> +do { \
> + TEST_SAME_TYPE(base, u8, mu8); \
> + TEST_SAME_TYPE(base, u16, mu16); \
> + TEST_SAME_TYPE(base, u32, mu32); \
> + TEST_SAME_TYPE(base, s8, ms8); \
> + TEST_SAME_TYPE(base, s16, ms16); \
> + TEST_SAME_TYPE(base, s32, ms32); \
> + TEST_SAME_TYPE64(base, u64, mu64); \
> + TEST_SAME_TYPE64(base, s64, ms64); \
> +} while (0)
> +
> + TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false);
> + TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false);
> + TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false);
> + TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false);
> + TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false);
> + TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false);
> +#if BITS_PER_LONG == 64
> + TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false);
> + TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true);
> +#endif
> +
> + /* Check for macro side-effects. */
> + var = 4;
> + KUNIT_EXPECT_EQ(test, var, 4);
> + KUNIT_EXPECT_TRUE(test, __same_type(var++, int));
> + KUNIT_EXPECT_EQ(test, var, 4);
> + KUNIT_EXPECT_TRUE(test, __same_type(int, var++));
> + KUNIT_EXPECT_EQ(test, var, 4);
> + KUNIT_EXPECT_TRUE(test, __same_type(var++, var++));
> + KUNIT_EXPECT_EQ(test, var, 4);
> +
> + kunit_info(test, "%d __same_type() tests finished\n", count);
> +
> +#undef TEST_TYPE_SETS
> +#undef TEST_SAME_TYPE64
> +#undef TEST_SAME_TYPE
> +}
> +
> +static void castable_to_type_test(struct kunit *test)
> +{
> + int count = 0;
> +
> +#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \
> + bool __pass = castable_to_type(arg1, arg2); \
> + KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \
> + "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\
> + pass ? "" : " not"); \
> + count++; \
> +} while (0)
> +
> + TEST_CASTABLE_TO_TYPE(16, u8, true);
> + TEST_CASTABLE_TO_TYPE(16, u16, true);
> + TEST_CASTABLE_TO_TYPE(16, u32, true);
> + TEST_CASTABLE_TO_TYPE(16, s8, true);
> + TEST_CASTABLE_TO_TYPE(16, s16, true);
> + TEST_CASTABLE_TO_TYPE(16, s32, true);
> + TEST_CASTABLE_TO_TYPE(-16, s8, true);
> + TEST_CASTABLE_TO_TYPE(-16, s16, true);
> + TEST_CASTABLE_TO_TYPE(-16, s32, true);
> +#if BITS_PER_LONG == 64
> + TEST_CASTABLE_TO_TYPE(16, u64, true);
> + TEST_CASTABLE_TO_TYPE(-16, s64, true);
> +#endif
> +
> +#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \
> + u ## width u ## width ## var = 0; \
> + s ## width s ## width ## var = 0; \
> + \
> + /* Constant expressions that fit types. */ \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \
> + /* Constant expressions that do not fit types. */ \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \
> + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \
> + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \
> + /* Non-constant expression with mismatched type. */ \
> + TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \
> + TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \
> +} while (0)
> +
> +#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \
> + unsigned long big = U ## width ## _MAX; \
> + signed long small = S ## width ## _MIN; \
> + u ## width u ## width ## var = 0; \
> + s ## width s ## width ## var = 0; \
> + \
> + /* Constant expression in range. */ \
> + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \
> + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \
> + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \
> + /* Constant expression out of range. */ \
> + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \
> + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \
> + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \
> + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \
> + /* Non-constant expression with mismatched type. */ \
> + TEST_CASTABLE_TO_TYPE(big, u ## width, false); \
> + TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \
> + TEST_CASTABLE_TO_TYPE(small, s ## width, false); \
> + TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \
> +} while (0)
> +
> + TEST_CASTABLE_TO_TYPE_VAR(8);
> + TEST_CASTABLE_TO_TYPE_VAR(16);
> + TEST_CASTABLE_TO_TYPE_VAR(32);
> +#if BITS_PER_LONG == 64
> + TEST_CASTABLE_TO_TYPE_VAR(64);
> +#endif
> +
> + TEST_CASTABLE_TO_TYPE_RANGE(8);
> + TEST_CASTABLE_TO_TYPE_RANGE(16);
> +#if BITS_PER_LONG == 64
> + TEST_CASTABLE_TO_TYPE_RANGE(32);
> +#endif
> + kunit_info(test, "%d castable_to_type() tests finished\n", count);
> +
> +#undef TEST_CASTABLE_TO_TYPE_RANGE
> +#undef TEST_CASTABLE_TO_TYPE_VAR
> +#undef TEST_CASTABLE_TO_TYPE
> +}
> +
> static struct kunit_case overflow_test_cases[] = {
> KUNIT_CASE(u8_u8__u8_overflow_test),
> KUNIT_CASE(s8_s8__s8_overflow_test),
> @@ -730,6 +1113,9 @@ static struct kunit_case overflow_test_cases[] = {
> KUNIT_CASE(shift_nonsense_test),
> KUNIT_CASE(overflow_allocation_test),
> KUNIT_CASE(overflow_size_helpers_test),
> + KUNIT_CASE(overflows_type_test),
> + KUNIT_CASE(same_type_test),
> + KUNIT_CASE(castable_to_type_test),
> {}
> };
>
Hi Kees,
I love your patch! Yet something to improve:
[auto build test ERROR on kees/for-next/hardening]
[also build test ERROR on next-20220927]
[cannot apply to drm-tip/drm-tip drm-intel/for-linux-next drm-misc/drm-misc-next linus/master v6.0-rc7]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
base: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
config: x86_64-rhel-8.3-func
compiler: gcc-11 (Debian 11.3.0-5) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/ffc9129a19eb65b2d20780558b0c1af24d66434a
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
git checkout ffc9129a19eb65b2d20780558b0c1af24d66434a
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash drivers/gpu/drm/i915/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
All errors (new ones prefixed by >>):
In file included from drivers/gpu/drm/i915/i915_utils.h:29,
from drivers/gpu/drm/i915/i915_user_extensions.c:14:
drivers/gpu/drm/i915/i915_user_extensions.c: In function 'i915_user_extensions':
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:132:23: note: in expansion of macro 'type_max'
132 | (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:132:23: note: in expansion of macro 'type_max'
132 | (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:134:34: note: in expansion of macro 'type_max'
134 | (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:134:34: note: in expansion of macro 'type_max'
134 | (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: in expansion of macro 'type_max'
35 | #define type_min(T) ((T)((T)-type_max(T)-(T)1))
| ^~~~~~~~
include/linux/overflow.h:135:25: note: in expansion of macro 'type_min'
135 | : (x) < type_min(typeof(T)) || \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: in expansion of macro 'type_max'
35 | #define type_min(T) ((T)((T)-type_max(T)-(T)1))
| ^~~~~~~~
include/linux/overflow.h:135:25: note: in expansion of macro 'type_min'
135 | : (x) < type_min(typeof(T)) || \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:136:25: note: in expansion of macro 'type_max'
136 | (x) > type_max(typeof(T)) ? 1 : 0)
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:136:25: note: in expansion of macro 'type_max'
136 | (x) > type_max(typeof(T)) ? 1 : 0)
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:21: error: argument 2 in call to function '__builtin_add_overflow' does not have integral type
vim +33 include/linux/overflow.h
f0907827a8a915 Rasmus Villemoes 2018-05-08 8
f0907827a8a915 Rasmus Villemoes 2018-05-08 9 /*
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 10 * We need to compute the minimum and maximum values representable in a given
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 11 * type. These macros may also be useful elsewhere. It would seem more obvious
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 12 * to do something like:
f0907827a8a915 Rasmus Villemoes 2018-05-08 13 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 14 * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
f0907827a8a915 Rasmus Villemoes 2018-05-08 15 * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
f0907827a8a915 Rasmus Villemoes 2018-05-08 16 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 17 * Unfortunately, the middle expressions, strictly speaking, have
f0907827a8a915 Rasmus Villemoes 2018-05-08 18 * undefined behaviour, and at least some versions of gcc warn about
f0907827a8a915 Rasmus Villemoes 2018-05-08 19 * the type_max expression (but not if -fsanitize=undefined is in
f0907827a8a915 Rasmus Villemoes 2018-05-08 20 * effect; in that case, the warning is deferred to runtime...).
f0907827a8a915 Rasmus Villemoes 2018-05-08 21 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 22 * The slightly excessive casting in type_min is to make sure the
f0907827a8a915 Rasmus Villemoes 2018-05-08 23 * macros also produce sensible values for the exotic type _Bool. [The
f0907827a8a915 Rasmus Villemoes 2018-05-08 24 * overflow checkers only almost work for _Bool, but that's
f0907827a8a915 Rasmus Villemoes 2018-05-08 25 * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
f0907827a8a915 Rasmus Villemoes 2018-05-08 26 * _Bools. Besides, the gcc builtins don't allow _Bool* as third
f0907827a8a915 Rasmus Villemoes 2018-05-08 27 * argument.]
f0907827a8a915 Rasmus Villemoes 2018-05-08 28 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 29 * Idea stolen from
f0907827a8a915 Rasmus Villemoes 2018-05-08 30 * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
f0907827a8a915 Rasmus Villemoes 2018-05-08 31 * credit to Christian Biere.
f0907827a8a915 Rasmus Villemoes 2018-05-08 32 */
f0907827a8a915 Rasmus Villemoes 2018-05-08 @33 #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
f0907827a8a915 Rasmus Villemoes 2018-05-08 34 #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
f0907827a8a915 Rasmus Villemoes 2018-05-08 35 #define type_min(T) ((T)((T)-type_max(T)-(T)1))
f0907827a8a915 Rasmus Villemoes 2018-05-08 36
--
0-DAY CI Kernel Test Service
https://01.org/lkp
Hi Kees,
To check the intel-gfx ci results and test results from other mailing
lists, I have rebased this patch and included it in this series [1].
[1] https://patchwork.freedesktop.org/series/109169/
G.G
On 9/26/22 10:11 PM, Kees Cook wrote:
> Implement a robust overflows_type() macro to test if a variable or
> constant value would overflow another variable or type. This can be
> used as a constant expression for static_assert() (which requires a
> constant expression[1][2]) when used on constant values. This must be
> constructed manually, since __builtin_add_overflow() does not produce
> a constant expression[3].
>
> Additionally adds castable_to_type(), similar to __same_type(), but for
> checking if a constant value would overflow if cast to a given type.
>
> Add unit tests for overflows_type(), __same_type(), and castable_to_type()
> to the existing KUnit "overflow" test.
>
> [1] https://en.cppreference.com/w/c/language/_Static_assert
> [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
> [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
> 6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
> Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
>
> Cc: Luc Van Oostenryck <[email protected]>
> Cc: Nathan Chancellor <[email protected]>
> Cc: Nick Desaulniers <[email protected]>
> Cc: Tom Rix <[email protected]>
> Cc: Daniel Latypov <[email protected]>
> Cc: Vitor Massaru Iha <[email protected]>
> Cc: "Gustavo A. R. Silva" <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Co-developed-by: Gwan-gyeong Mun <[email protected]>
> Signed-off-by: Gwan-gyeong Mun <[email protected]>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> v2:
> - fix comment typo
> - wrap clang pragma to avoid GCC warnings
> - style nit cleanups
> - rename __castable_to_type() to castable_to_type()
> - remove prior overflows_type() definition
> v1: https://lore.kernel.org/lkml/[email protected]
> ---
> drivers/gpu/drm/i915/i915_utils.h | 4 -
> include/linux/compiler.h | 1 +
> include/linux/overflow.h | 48 ++++
> lib/overflow_kunit.c | 388 +++++++++++++++++++++++++++++-
> 4 files changed, 436 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
> index c10d68cdc3ca..d14b7faee054 100644
> --- a/drivers/gpu/drm/i915/i915_utils.h
> +++ b/drivers/gpu/drm/i915/i915_utils.h
> @@ -111,10 +111,6 @@ bool i915_error_injected(void);
> #define range_overflows_end_t(type, start, size, max) \
> range_overflows_end((type)(start), (type)(size), (type)(max))
>
> -/* Note we don't consider signbits :| */
> -#define overflows_type(x, T) \
> - (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
> -
> #define ptr_mask_bits(ptr, n) ({ \
> unsigned long __v = (unsigned long)(ptr); \
> (typeof(ptr))(__v & -BIT(n)); \
> diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> index 7713d7bcdaea..c631107e93b1 100644
> --- a/include/linux/compiler.h
> +++ b/include/linux/compiler.h
> @@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off)
> * bool and also pointer types.
> */
> #define is_signed_type(type) (((type)(-1)) < (__force type)1)
> +#define is_unsigned_type(type) (!is_signed_type(type))
>
> /*
> * This is needed in functions which generate the stack canary, see
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index 19dfdd74835e..58eb34aa2af9 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow)
> (*_d >> _to_shift) != _a); \
> }))
>
> +#define __overflows_type_constexpr(x, T) ( \
> + is_unsigned_type(typeof(x)) ? \
> + (x) > type_max(typeof(T)) ? 1 : 0 \
> + : is_unsigned_type(typeof(T)) ? \
> + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
> + : (x) < type_min(typeof(T)) || \
> + (x) > type_max(typeof(T)) ? 1 : 0)
> +
> +#define __overflows_type(x, T) ({ \
> + typeof(T) v = 0; \
> + check_add_overflow((x), v, &v); \
> +})
> +
> +/**
> + * overflows_type - helper for checking the overflows between value, variables,
> + * or data type
> + *
> + * @n: source constant value or variable to be checked
> + * @T: destination variable or data type proposed to store @x
> + *
> + * Compares the @x expression for whether or not it can safely fit in
> + * the storage of the type in @T. @x and @T can have different types.
> + * If @x is a constant expression, this will also resolve to a constant
> + * expression.
> + *
> + * Returns: true if overflow can occur, false otherwise.
> + */
> +#define overflows_type(n, T) \
> + __builtin_choose_expr(__is_constexpr(n), \
> + __overflows_type_constexpr(n, T), \
> + __overflows_type(n, T))
> +
> +/**
> + * castable_to_type - like __same_type(), but also allows for casted literals
> + *
> + * @n: variable or constant value
> + * @T: variable or data type
> + *
> + * Unlike the __same_type() macro, this allows a constant value as the
> + * first argument. If this value would not overflow into an assignment
> + * of the second argument's type, it returns true. Otherwise, this falls
> + * back to __same_type().
> + */
> +#define castable_to_type(n, T) \
> + __builtin_choose_expr(__is_constexpr(n), \
> + !__overflows_type_constexpr(n, T), \
> + __same_type(n, T))
> +
> /**
> * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
> *
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index f385ca652b74..fffc3f86181d 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -16,6 +16,11 @@
> #include <linux/types.h>
> #include <linux/vmalloc.h>
>
> +/* We're expecting to do a lot of "always true" or "always false" tests. */
> +#ifdef CONFIG_CC_IS_CLANG
> +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare"
> +#endif
> +
> #define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \
> static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \
> t1 a; \
> @@ -246,7 +251,7 @@ DEFINE_TEST_ARRAY(s64) = {
>
> #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \
> static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
> -{ \
> +{ \
> check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \
> check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \
> check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \
> @@ -708,6 +713,384 @@ static void overflow_size_helpers_test(struct kunit *test)
> #undef check_one_size_helper
> }
>
> +static void overflows_type_test(struct kunit *test)
> +{
> + int count = 0;
> + unsigned int var;
> +
> +#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \
> + bool __of = func(arg1, arg2); \
> + KUNIT_EXPECT_EQ_MSG(test, __of, of, \
> + "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\
> + of ? "" : " not"); \
> + count++; \
> +} while (0)
> +
> +/* Args are: first type, second type, value, overflow expected */
> +#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \
> + __t1 t1 = (v); \
> + __t2 t2; \
> + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \
> + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \
> + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \
> + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\
> +} while (0)
> +
> + TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true);
> + TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true);
> + TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true);
> + TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true);
> +#endif
> + TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true);
> + TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true);
> + TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true);
> + TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s16, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true);
> + TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true);
> + TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true);
> +#endif
> + TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true);
> + TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true);
> + TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false);
> +#endif
> + TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true);
> +#endif
> + TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false);
> + TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false);
> + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false);
> +#endif
> +
> + /* Check for macro side-effects. */
> + var = INT_MAX - 1;
> + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true);
> + var = INT_MAX - 1;
> + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true);
> +
> + kunit_info(test, "%d overflows_type() tests finished\n", count);
> +#undef TEST_OVERFLOWS_TYPE
> +#undef __TEST_OVERFLOWS_TYPE
> +}
> +
> +static void same_type_test(struct kunit *test)
> +{
> + int count = 0;
> + int var;
> +
> +#define TEST_SAME_TYPE(t1, t2, same) do { \
> + typeof(t1) __t1h = type_max(t1); \
> + typeof(t1) __t1l = type_min(t1); \
> + typeof(t2) __t2h = type_max(t2); \
> + typeof(t2) __t2l = type_min(t2); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \
> +} while (0)
> +
> +#if BITS_PER_LONG == 64
> +# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m)
> +#else
> +# define TEST_SAME_TYPE64(base, t, m) do { } while (0)
> +#endif
> +
> +#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \
> +do { \
> + TEST_SAME_TYPE(base, u8, mu8); \
> + TEST_SAME_TYPE(base, u16, mu16); \
> + TEST_SAME_TYPE(base, u32, mu32); \
> + TEST_SAME_TYPE(base, s8, ms8); \
> + TEST_SAME_TYPE(base, s16, ms16); \
> + TEST_SAME_TYPE(base, s32, ms32); \
> + TEST_SAME_TYPE64(base, u64, mu64); \
> + TEST_SAME_TYPE64(base, s64, ms64); \
> +} while (0)
> +
> + TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false);
> + TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false);
> + TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false);
> + TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false);
> + TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false);
> + TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false);
> +#if BITS_PER_LONG == 64
> + TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false);
> + TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true);
> +#endif
> +
> + /* Check for macro side-effects. */
> + var = 4;
> + KUNIT_EXPECT_EQ(test, var, 4);
> + KUNIT_EXPECT_TRUE(test, __same_type(var++, int));
> + KUNIT_EXPECT_EQ(test, var, 4);
> + KUNIT_EXPECT_TRUE(test, __same_type(int, var++));
> + KUNIT_EXPECT_EQ(test, var, 4);
> + KUNIT_EXPECT_TRUE(test, __same_type(var++, var++));
> + KUNIT_EXPECT_EQ(test, var, 4);
> +
> + kunit_info(test, "%d __same_type() tests finished\n", count);
> +
> +#undef TEST_TYPE_SETS
> +#undef TEST_SAME_TYPE64
> +#undef TEST_SAME_TYPE
> +}
> +
> +static void castable_to_type_test(struct kunit *test)
> +{
> + int count = 0;
> +
> +#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \
> + bool __pass = castable_to_type(arg1, arg2); \
> + KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \
> + "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\
> + pass ? "" : " not"); \
> + count++; \
> +} while (0)
> +
> + TEST_CASTABLE_TO_TYPE(16, u8, true);
> + TEST_CASTABLE_TO_TYPE(16, u16, true);
> + TEST_CASTABLE_TO_TYPE(16, u32, true);
> + TEST_CASTABLE_TO_TYPE(16, s8, true);
> + TEST_CASTABLE_TO_TYPE(16, s16, true);
> + TEST_CASTABLE_TO_TYPE(16, s32, true);
> + TEST_CASTABLE_TO_TYPE(-16, s8, true);
> + TEST_CASTABLE_TO_TYPE(-16, s16, true);
> + TEST_CASTABLE_TO_TYPE(-16, s32, true);
> +#if BITS_PER_LONG == 64
> + TEST_CASTABLE_TO_TYPE(16, u64, true);
> + TEST_CASTABLE_TO_TYPE(-16, s64, true);
> +#endif
> +
> +#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \
> + u ## width u ## width ## var = 0; \
> + s ## width s ## width ## var = 0; \
> + \
> + /* Constant expressions that fit types. */ \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \
> + /* Constant expressions that do not fit types. */ \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \
> + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \
> + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \
> + /* Non-constant expression with mismatched type. */ \
> + TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \
> + TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \
> +} while (0)
> +
> +#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \
> + unsigned long big = U ## width ## _MAX; \
> + signed long small = S ## width ## _MIN; \
> + u ## width u ## width ## var = 0; \
> + s ## width s ## width ## var = 0; \
> + \
> + /* Constant expression in range. */ \
> + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \
> + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \
> + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \
> + /* Constant expression out of range. */ \
> + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \
> + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \
> + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \
> + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \
> + /* Non-constant expression with mismatched type. */ \
> + TEST_CASTABLE_TO_TYPE(big, u ## width, false); \
> + TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \
> + TEST_CASTABLE_TO_TYPE(small, s ## width, false); \
> + TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \
> +} while (0)
> +
> + TEST_CASTABLE_TO_TYPE_VAR(8);
> + TEST_CASTABLE_TO_TYPE_VAR(16);
> + TEST_CASTABLE_TO_TYPE_VAR(32);
> +#if BITS_PER_LONG == 64
> + TEST_CASTABLE_TO_TYPE_VAR(64);
> +#endif
> +
> + TEST_CASTABLE_TO_TYPE_RANGE(8);
> + TEST_CASTABLE_TO_TYPE_RANGE(16);
> +#if BITS_PER_LONG == 64
> + TEST_CASTABLE_TO_TYPE_RANGE(32);
> +#endif
> + kunit_info(test, "%d castable_to_type() tests finished\n", count);
> +
> +#undef TEST_CASTABLE_TO_TYPE_RANGE
> +#undef TEST_CASTABLE_TO_TYPE_VAR
> +#undef TEST_CASTABLE_TO_TYPE
> +}
> +
> static struct kunit_case overflow_test_cases[] = {
> KUNIT_CASE(u8_u8__u8_overflow_test),
> KUNIT_CASE(s8_s8__s8_overflow_test),
> @@ -730,6 +1113,9 @@ static struct kunit_case overflow_test_cases[] = {
> KUNIT_CASE(shift_nonsense_test),
> KUNIT_CASE(overflow_allocation_test),
> KUNIT_CASE(overflow_size_helpers_test),
> + KUNIT_CASE(overflows_type_test),
> + KUNIT_CASE(same_type_test),
> + KUNIT_CASE(castable_to_type_test),
> {}
> };
>
Hi Kees,
I love your patch! Yet something to improve:
[auto build test ERROR on kees/for-next/hardening]
[also build test ERROR on next-20220928]
[cannot apply to drm-tip/drm-tip drm-intel/for-linux-next drm-misc/drm-misc-next linus/master v6.0-rc7]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
base: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
config: i386-defconfig
compiler: gcc-11 (Debian 11.3.0-5) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/ffc9129a19eb65b2d20780558b0c1af24d66434a
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
git checkout ffc9129a19eb65b2d20780558b0c1af24d66434a
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=i386 SHELL=/bin/bash
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
All errors (new ones prefixed by >>):
In file included from drivers/gpu/drm/i915/i915_utils.h:29,
from drivers/gpu/drm/i915/i915_user_extensions.c:14:
drivers/gpu/drm/i915/i915_user_extensions.c: In function 'i915_user_extensions':
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:132:23: note: in expansion of macro 'type_max'
132 | (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:132:23: note: in expansion of macro 'type_max'
132 | (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:134:34: note: in expansion of macro 'type_max'
134 | (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:134:34: note: in expansion of macro 'type_max'
134 | (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: in expansion of macro 'type_max'
35 | #define type_min(T) ((T)((T)-type_max(T)-(T)1))
| ^~~~~~~~
include/linux/overflow.h:135:25: note: in expansion of macro 'type_min'
135 | : (x) < type_min(typeof(T)) || \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: in expansion of macro 'type_max'
35 | #define type_min(T) ((T)((T)-type_max(T)-(T)1))
| ^~~~~~~~
include/linux/overflow.h:135:25: note: in expansion of macro 'type_min'
135 | : (x) < type_min(typeof(T)) || \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:136:25: note: in expansion of macro 'type_max'
136 | (x) > type_max(typeof(T)) ? 1 : 0)
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:136:25: note: in expansion of macro 'type_max'
136 | (x) > type_max(typeof(T)) ? 1 : 0)
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: error: argument 2 in call to function '__builtin_add_overflow' does not have integral type
vim +33 include/linux/overflow.h
f0907827a8a915 Rasmus Villemoes 2018-05-08 8
f0907827a8a915 Rasmus Villemoes 2018-05-08 9 /*
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 10 * We need to compute the minimum and maximum values representable in a given
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 11 * type. These macros may also be useful elsewhere. It would seem more obvious
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 12 * to do something like:
f0907827a8a915 Rasmus Villemoes 2018-05-08 13 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 14 * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
f0907827a8a915 Rasmus Villemoes 2018-05-08 15 * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
f0907827a8a915 Rasmus Villemoes 2018-05-08 16 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 17 * Unfortunately, the middle expressions, strictly speaking, have
f0907827a8a915 Rasmus Villemoes 2018-05-08 18 * undefined behaviour, and at least some versions of gcc warn about
f0907827a8a915 Rasmus Villemoes 2018-05-08 19 * the type_max expression (but not if -fsanitize=undefined is in
f0907827a8a915 Rasmus Villemoes 2018-05-08 20 * effect; in that case, the warning is deferred to runtime...).
f0907827a8a915 Rasmus Villemoes 2018-05-08 21 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 22 * The slightly excessive casting in type_min is to make sure the
f0907827a8a915 Rasmus Villemoes 2018-05-08 23 * macros also produce sensible values for the exotic type _Bool. [The
f0907827a8a915 Rasmus Villemoes 2018-05-08 24 * overflow checkers only almost work for _Bool, but that's
f0907827a8a915 Rasmus Villemoes 2018-05-08 25 * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
f0907827a8a915 Rasmus Villemoes 2018-05-08 26 * _Bools. Besides, the gcc builtins don't allow _Bool* as third
f0907827a8a915 Rasmus Villemoes 2018-05-08 27 * argument.]
f0907827a8a915 Rasmus Villemoes 2018-05-08 28 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 29 * Idea stolen from
f0907827a8a915 Rasmus Villemoes 2018-05-08 30 * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
f0907827a8a915 Rasmus Villemoes 2018-05-08 31 * credit to Christian Biere.
f0907827a8a915 Rasmus Villemoes 2018-05-08 32 */
f0907827a8a915 Rasmus Villemoes 2018-05-08 @33 #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
f0907827a8a915 Rasmus Villemoes 2018-05-08 34 #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
f0907827a8a915 Rasmus Villemoes 2018-05-08 35 #define type_min(T) ((T)((T)-type_max(T)-(T)1))
f0907827a8a915 Rasmus Villemoes 2018-05-08 36
--
0-DAY CI Kernel Test Service
https://01.org/lkp
Hi Kees,
I love your patch! Perhaps something to improve:
[auto build test WARNING on kees/for-next/hardening]
[also build test WARNING on next-20220928]
[cannot apply to drm-tip/drm-tip drm-intel/for-linux-next drm-misc/drm-misc-next linus/master v6.0-rc7]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
base: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
config: i386-randconfig-a013
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/ffc9129a19eb65b2d20780558b0c1af24d66434a
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
git checkout ffc9129a19eb65b2d20780558b0c1af24d66434a
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 SHELL=/bin/bash drivers/gpu/drm/i915/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
All warnings (new ones prefixed by >>):
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:132:9: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0 \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:27: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:132:9: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0 \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:53: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:7: warning: ordered comparison between pointer and integer ('u64' (aka 'unsigned long long') and 'typeof (ext)' (aka 'struct i915_user_extension *'))
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:132:7: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0 \
~~~ ^ ~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:134:20: note: expanded from macro '__overflows_type_constexpr'
(x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:27: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:134:20: note: expanded from macro '__overflows_type_constexpr'
(x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:53: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:7: warning: ordered comparison between pointer and integer ('u64' (aka 'unsigned long long') and 'typeof (ext)' (aka 'struct i915_user_extension *'))
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:134:18: note: expanded from macro '__overflows_type_constexpr'
(x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
~~~ ^ ~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:135:11: note: expanded from macro '__overflows_type_constexpr'
: (x) < type_min(typeof(T)) || \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: expanded from macro 'type_min'
#define type_min(T) ((T)((T)-type_max(T)-(T)1))
^~~~~~~~~~~
include/linux/overflow.h:34:27: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:135:11: note: expanded from macro '__overflows_type_constexpr'
: (x) < type_min(typeof(T)) || \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: expanded from macro 'type_min'
#define type_min(T) ((T)((T)-type_max(T)-(T)1))
^~~~~~~~~~~
include/linux/overflow.h:34:53: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid argument type 'typeof (ext)' (aka 'struct i915_user_extension *') to unary expression
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:135:11: note: expanded from macro '__overflows_type_constexpr'
: (x) < type_min(typeof(T)) || \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:35:29: note: expanded from macro 'type_min'
#define type_min(T) ((T)((T)-type_max(T)-(T)1))
^~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:7: warning: ordered comparison between pointer and integer ('u64' (aka 'unsigned long long') and 'typeof (ext)' (aka 'struct i915_user_extension *'))
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:135:9: note: expanded from macro '__overflows_type_constexpr'
: (x) < type_min(typeof(T)) || \
~~~ ^ ~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:136:11: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0)
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:27: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:136:11: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0)
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:53: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:7: warning: ordered comparison between pointer and integer ('u64' (aka 'unsigned long long') and 'typeof (ext)' (aka 'struct i915_user_extension *'))
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:136:9: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0)
~~~ ^ ~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: operand argument to overflow builtin must be an integer ('typeof (ext)' (aka 'struct i915_user_extension *') invalid)
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:160:10: note: expanded from macro 'overflows_type'
__overflows_type(n, T))
^~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:140:26: note: expanded from macro '__overflows_type'
check_add_overflow((x), v, &v); \
^
include/linux/overflow.h:67:50: note: expanded from macro 'check_add_overflow'
__must_check_overflow(__builtin_add_overflow(a, b, d))
^
4 warnings and 10 errors generated.
vim +54 drivers/gpu/drm/i915/i915_user_extensions.c
9d1305ef80b95d Chris Wilson 2019-03-22 15
9d1305ef80b95d Chris Wilson 2019-03-22 16 int i915_user_extensions(struct i915_user_extension __user *ext,
9d1305ef80b95d Chris Wilson 2019-03-22 17 const i915_user_extension_fn *tbl,
9d1305ef80b95d Chris Wilson 2019-03-22 18 unsigned int count,
9d1305ef80b95d Chris Wilson 2019-03-22 19 void *data)
9d1305ef80b95d Chris Wilson 2019-03-22 20 {
9d1305ef80b95d Chris Wilson 2019-03-22 21 unsigned int stackdepth = 512;
9d1305ef80b95d Chris Wilson 2019-03-22 22
9d1305ef80b95d Chris Wilson 2019-03-22 23 while (ext) {
9d1305ef80b95d Chris Wilson 2019-03-22 24 int i, err;
9d1305ef80b95d Chris Wilson 2019-03-22 25 u32 name;
9d1305ef80b95d Chris Wilson 2019-03-22 26 u64 next;
9d1305ef80b95d Chris Wilson 2019-03-22 27
9d1305ef80b95d Chris Wilson 2019-03-22 28 if (!stackdepth--) /* recursion vs useful flexibility */
9d1305ef80b95d Chris Wilson 2019-03-22 29 return -E2BIG;
9d1305ef80b95d Chris Wilson 2019-03-22 30
9d1305ef80b95d Chris Wilson 2019-03-22 31 err = check_user_mbz(&ext->flags);
9d1305ef80b95d Chris Wilson 2019-03-22 32 if (err)
9d1305ef80b95d Chris Wilson 2019-03-22 33 return err;
9d1305ef80b95d Chris Wilson 2019-03-22 34
9d1305ef80b95d Chris Wilson 2019-03-22 35 for (i = 0; i < ARRAY_SIZE(ext->rsvd); i++) {
9d1305ef80b95d Chris Wilson 2019-03-22 36 err = check_user_mbz(&ext->rsvd[i]);
9d1305ef80b95d Chris Wilson 2019-03-22 37 if (err)
9d1305ef80b95d Chris Wilson 2019-03-22 38 return err;
9d1305ef80b95d Chris Wilson 2019-03-22 39 }
9d1305ef80b95d Chris Wilson 2019-03-22 40
9d1305ef80b95d Chris Wilson 2019-03-22 41 if (get_user(name, &ext->name))
9d1305ef80b95d Chris Wilson 2019-03-22 42 return -EFAULT;
9d1305ef80b95d Chris Wilson 2019-03-22 43
9d1305ef80b95d Chris Wilson 2019-03-22 44 err = -EINVAL;
9d1305ef80b95d Chris Wilson 2019-03-22 45 if (name < count) {
9d1305ef80b95d Chris Wilson 2019-03-22 46 name = array_index_nospec(name, count);
9d1305ef80b95d Chris Wilson 2019-03-22 47 if (tbl[name])
9d1305ef80b95d Chris Wilson 2019-03-22 48 err = tbl[name](ext, data);
9d1305ef80b95d Chris Wilson 2019-03-22 49 }
9d1305ef80b95d Chris Wilson 2019-03-22 50 if (err)
9d1305ef80b95d Chris Wilson 2019-03-22 51 return err;
9d1305ef80b95d Chris Wilson 2019-03-22 52
9d1305ef80b95d Chris Wilson 2019-03-22 53 if (get_user(next, &ext->next_extension) ||
9d1305ef80b95d Chris Wilson 2019-03-22 @54 overflows_type(next, ext))
--
0-DAY CI Kernel Test Service
https://01.org/lkp
From: Kees Cook <[email protected]>
Implement a robust overflows_type() macro to test if a variable or
constant value would overflow another variable or type. This can be
used as a constant expression for static_assert() (which requires a
constant expression[1][2]) when used on constant values. This must be
constructed manually, since __builtin_add_overflow() does not produce
a constant expression[3].
Additionally adds castable_to_type(), similar to __same_type(), but for
checking if a constant value would overflow if cast to a given type.
Add unit tests for overflows_type(), __same_type(), and castable_to_type()
to the existing KUnit "overflow" test.
[1] https://en.cppreference.com/w/c/language/_Static_assert
[2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
[3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
v3: Chagne to use uintptr_t type when checking for overflow of pointer type
variable
Cc: Luc Van Oostenryck <[email protected]>
Cc: Nathan Chancellor <[email protected]>
Cc: Nick Desaulniers <[email protected]>
Cc: Tom Rix <[email protected]>
Cc: Daniel Latypov <[email protected]>
Cc: Vitor Massaru Iha <[email protected]>
Cc: "Gustavo A. R. Silva" <[email protected]>
Cc: [email protected]
Cc: [email protected]
Co-developed-by: Gwan-gyeong Mun <[email protected]>
Signed-off-by: Gwan-gyeong Mun <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
---
drivers/gpu/drm/i915/i915_user_extensions.c | 2 +-
drivers/gpu/drm/i915/i915_utils.h | 4 -
include/linux/compiler.h | 1 +
include/linux/overflow.h | 48 +++
lib/overflow_kunit.c | 388 +++++++++++++++++++-
5 files changed, 437 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_user_extensions.c b/drivers/gpu/drm/i915/i915_user_extensions.c
index c822d0aafd2d..e3f808372c47 100644
--- a/drivers/gpu/drm/i915/i915_user_extensions.c
+++ b/drivers/gpu/drm/i915/i915_user_extensions.c
@@ -51,7 +51,7 @@ int i915_user_extensions(struct i915_user_extension __user *ext,
return err;
if (get_user(next, &ext->next_extension) ||
- overflows_type(next, ext))
+ overflows_type(next, uintptr_t))
return -EFAULT;
ext = u64_to_user_ptr(next);
diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
index 6c14d13364bf..67a66d4d5c70 100644
--- a/drivers/gpu/drm/i915/i915_utils.h
+++ b/drivers/gpu/drm/i915/i915_utils.h
@@ -111,10 +111,6 @@ bool i915_error_injected(void);
#define range_overflows_end_t(type, start, size, max) \
range_overflows_end((type)(start), (type)(size), (type)(max))
-/* Note we don't consider signbits :| */
-#define overflows_type(x, T) \
- (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
-
#define ptr_mask_bits(ptr, n) ({ \
unsigned long __v = (unsigned long)(ptr); \
(typeof(ptr))(__v & -BIT(n)); \
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 7713d7bcdaea..c631107e93b1 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off)
* bool and also pointer types.
*/
#define is_signed_type(type) (((type)(-1)) < (__force type)1)
+#define is_unsigned_type(type) (!is_signed_type(type))
/*
* This is needed in functions which generate the stack canary, see
diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 19dfdd74835e..58eb34aa2af9 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow)
(*_d >> _to_shift) != _a); \
}))
+#define __overflows_type_constexpr(x, T) ( \
+ is_unsigned_type(typeof(x)) ? \
+ (x) > type_max(typeof(T)) ? 1 : 0 \
+ : is_unsigned_type(typeof(T)) ? \
+ (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
+ : (x) < type_min(typeof(T)) || \
+ (x) > type_max(typeof(T)) ? 1 : 0)
+
+#define __overflows_type(x, T) ({ \
+ typeof(T) v = 0; \
+ check_add_overflow((x), v, &v); \
+})
+
+/**
+ * overflows_type - helper for checking the overflows between value, variables,
+ * or data type
+ *
+ * @n: source constant value or variable to be checked
+ * @T: destination variable or data type proposed to store @x
+ *
+ * Compares the @x expression for whether or not it can safely fit in
+ * the storage of the type in @T. @x and @T can have different types.
+ * If @x is a constant expression, this will also resolve to a constant
+ * expression.
+ *
+ * Returns: true if overflow can occur, false otherwise.
+ */
+#define overflows_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n), \
+ __overflows_type_constexpr(n, T), \
+ __overflows_type(n, T))
+
+/**
+ * castable_to_type - like __same_type(), but also allows for casted literals
+ *
+ * @n: variable or constant value
+ * @T: variable or data type
+ *
+ * Unlike the __same_type() macro, this allows a constant value as the
+ * first argument. If this value would not overflow into an assignment
+ * of the second argument's type, it returns true. Otherwise, this falls
+ * back to __same_type().
+ */
+#define castable_to_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n), \
+ !__overflows_type_constexpr(n, T), \
+ __same_type(n, T))
+
/**
* size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
*
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
index 0d98c9bc75da..44da9d190057 100644
--- a/lib/overflow_kunit.c
+++ b/lib/overflow_kunit.c
@@ -16,6 +16,11 @@
#include <linux/types.h>
#include <linux/vmalloc.h>
+/* We're expecting to do a lot of "always true" or "always false" tests. */
+#ifdef CONFIG_CC_IS_CLANG
+#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare"
+#endif
+
#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \
static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \
t1 a; \
@@ -246,7 +251,7 @@ DEFINE_TEST_ARRAY(s64) = {
#define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \
static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
-{ \
+{ \
check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \
check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \
check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \
@@ -687,6 +692,384 @@ static void overflow_size_helpers_test(struct kunit *test)
#undef check_one_size_helper
}
+static void overflows_type_test(struct kunit *test)
+{
+ int count = 0;
+ unsigned int var;
+
+#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \
+ bool __of = func(arg1, arg2); \
+ KUNIT_EXPECT_EQ_MSG(test, __of, of, \
+ "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\
+ of ? "" : " not"); \
+ count++; \
+} while (0)
+
+/* Args are: first type, second type, value, overflow expected */
+#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \
+ __t1 t1 = (v); \
+ __t2 t2; \
+ __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\
+} while (0)
+
+ TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true);
+ TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true);
+ TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true);
+ TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s16, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false);
+#endif
+ TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false);
+ TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false);
+#endif
+
+ /* Check for macro side-effects. */
+ var = INT_MAX - 1;
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true);
+ var = INT_MAX - 1;
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true);
+
+ kunit_info(test, "%d overflows_type() tests finished\n", count);
+#undef TEST_OVERFLOWS_TYPE
+#undef __TEST_OVERFLOWS_TYPE
+}
+
+static void same_type_test(struct kunit *test)
+{
+ int count = 0;
+ int var;
+
+#define TEST_SAME_TYPE(t1, t2, same) do { \
+ typeof(t1) __t1h = type_max(t1); \
+ typeof(t1) __t1l = type_min(t1); \
+ typeof(t2) __t2h = type_max(t2); \
+ typeof(t2) __t2l = type_min(t2); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \
+} while (0)
+
+#if BITS_PER_LONG == 64
+# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m)
+#else
+# define TEST_SAME_TYPE64(base, t, m) do { } while (0)
+#endif
+
+#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \
+do { \
+ TEST_SAME_TYPE(base, u8, mu8); \
+ TEST_SAME_TYPE(base, u16, mu16); \
+ TEST_SAME_TYPE(base, u32, mu32); \
+ TEST_SAME_TYPE(base, s8, ms8); \
+ TEST_SAME_TYPE(base, s16, ms16); \
+ TEST_SAME_TYPE(base, s32, ms32); \
+ TEST_SAME_TYPE64(base, u64, mu64); \
+ TEST_SAME_TYPE64(base, s64, ms64); \
+} while (0)
+
+ TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false);
+ TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false);
+ TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false);
+ TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false);
+ TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false);
+ TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false);
+#if BITS_PER_LONG == 64
+ TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false);
+ TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true);
+#endif
+
+ /* Check for macro side-effects. */
+ var = 4;
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(var++, int));
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(int, var++));
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(var++, var++));
+ KUNIT_EXPECT_EQ(test, var, 4);
+
+ kunit_info(test, "%d __same_type() tests finished\n", count);
+
+#undef TEST_TYPE_SETS
+#undef TEST_SAME_TYPE64
+#undef TEST_SAME_TYPE
+}
+
+static void castable_to_type_test(struct kunit *test)
+{
+ int count = 0;
+
+#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \
+ bool __pass = castable_to_type(arg1, arg2); \
+ KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \
+ "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\
+ pass ? "" : " not"); \
+ count++; \
+} while (0)
+
+ TEST_CASTABLE_TO_TYPE(16, u8, true);
+ TEST_CASTABLE_TO_TYPE(16, u16, true);
+ TEST_CASTABLE_TO_TYPE(16, u32, true);
+ TEST_CASTABLE_TO_TYPE(16, s8, true);
+ TEST_CASTABLE_TO_TYPE(16, s16, true);
+ TEST_CASTABLE_TO_TYPE(16, s32, true);
+ TEST_CASTABLE_TO_TYPE(-16, s8, true);
+ TEST_CASTABLE_TO_TYPE(-16, s16, true);
+ TEST_CASTABLE_TO_TYPE(-16, s32, true);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE(16, u64, true);
+ TEST_CASTABLE_TO_TYPE(-16, s64, true);
+#endif
+
+#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \
+ u ## width u ## width ## var = 0; \
+ s ## width s ## width ## var = 0; \
+ \
+ /* Constant expressions that fit types. */ \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \
+ /* Constant expressions that do not fit types. */ \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \
+ /* Non-constant expression with mismatched type. */ \
+ TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \
+} while (0)
+
+#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \
+ unsigned long big = U ## width ## _MAX; \
+ signed long small = S ## width ## _MIN; \
+ u ## width u ## width ## var = 0; \
+ s ## width s ## width ## var = 0; \
+ \
+ /* Constant expression in range. */ \
+ TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \
+ /* Constant expression out of range. */ \
+ TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \
+ TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \
+ /* Non-constant expression with mismatched type. */ \
+ TEST_CASTABLE_TO_TYPE(big, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE(small, s ## width, false); \
+ TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \
+} while (0)
+
+ TEST_CASTABLE_TO_TYPE_VAR(8);
+ TEST_CASTABLE_TO_TYPE_VAR(16);
+ TEST_CASTABLE_TO_TYPE_VAR(32);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE_VAR(64);
+#endif
+
+ TEST_CASTABLE_TO_TYPE_RANGE(8);
+ TEST_CASTABLE_TO_TYPE_RANGE(16);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE_RANGE(32);
+#endif
+ kunit_info(test, "%d castable_to_type() tests finished\n", count);
+
+#undef TEST_CASTABLE_TO_TYPE_RANGE
+#undef TEST_CASTABLE_TO_TYPE_VAR
+#undef TEST_CASTABLE_TO_TYPE
+}
+
static struct kunit_case overflow_test_cases[] = {
KUNIT_CASE(u8_u8__u8_overflow_test),
KUNIT_CASE(s8_s8__s8_overflow_test),
@@ -706,6 +1089,9 @@ static struct kunit_case overflow_test_cases[] = {
KUNIT_CASE(overflow_shift_test),
KUNIT_CASE(overflow_allocation_test),
KUNIT_CASE(overflow_size_helpers_test),
+ KUNIT_CASE(overflows_type_test),
+ KUNIT_CASE(same_type_test),
+ KUNIT_CASE(castable_to_type_test),
{}
};
--
2.37.1
On Thu, 13 Oct 2022, Gwan-gyeong Mun <[email protected]> wrote:
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index 0d98c9bc75da..44da9d190057 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -16,6 +16,11 @@
> #include <linux/types.h>
> #include <linux/vmalloc.h>
>
> +/* We're expecting to do a lot of "always true" or "always false" tests. */
> +#ifdef CONFIG_CC_IS_CLANG
> +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare"
> +#endif
I thought #pragma was discouraged. I didn't try this, but would
something like this work in the Makefile instead:
CFLAGS_overflow_kunit.o = $(call cc-disable-warning, tautological-constant-out-of-range-compare)
Sorry for not noticing before. If you all think pragma is fine, sorry
for the noise.
BR,
Jani.
--
Jani Nikula, Intel Open Source Graphics Center
From: Kees Cook <[email protected]>
Implement a robust overflows_type() macro to test if a variable or
constant value would overflow another variable or type. This can be
used as a constant expression for static_assert() (which requires a
constant expression[1][2]) when used on constant values. This must be
constructed manually, since __builtin_add_overflow() does not produce
a constant expression[3].
Additionally adds castable_to_type(), similar to __same_type(), but for
checking if a constant value would overflow if cast to a given type.
Add unit tests for overflows_type(), __same_type(), and castable_to_type()
to the existing KUnit "overflow" test.
[1] https://en.cppreference.com/w/c/language/_Static_assert
[2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
[3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
Cc: Luc Van Oostenryck <[email protected]>
Cc: Nathan Chancellor <[email protected]>
Cc: Nick Desaulniers <[email protected]>
Cc: Tom Rix <[email protected]>
Cc: Daniel Latypov <[email protected]>
Cc: Vitor Massaru Iha <[email protected]>
Cc: "Gustavo A. R. Silva" <[email protected]>
Cc: Jani Nikula <[email protected]>
Cc: Mauro Carvalho Chehab <[email protected]>
Cc: [email protected]
Cc: [email protected]
Co-developed-by: Gwan-gyeong Mun <[email protected]>
Signed-off-by: Gwan-gyeong Mun <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
---
v4:
- move version v2 changelog commit message to under the --- marker (Mauro)
- remove the #pragma addition in the code and modify the Makefile to handle the
same feature (Jani)
v3:
- chagne to use uintptr_t type when checking for overflow of pointer type
variable
v2:
- fix comment typo
- wrap clang pragma to avoid GCC warnings
- style nit cleanups
- rename __castable_to_type() to castable_to_type()
- remove prior overflows_type() definition
v1: https://lore.kernel.org/lkml/[email protected]
---
drivers/gpu/drm/i915/i915_user_extensions.c | 2 +-
drivers/gpu/drm/i915/i915_utils.h | 4 -
include/linux/compiler.h | 1 +
include/linux/overflow.h | 48 +++
lib/Makefile | 4 +
lib/overflow_kunit.c | 383 +++++++++++++++++++-
6 files changed, 436 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_user_extensions.c b/drivers/gpu/drm/i915/i915_user_extensions.c
index c822d0aafd2d..e3f808372c47 100644
--- a/drivers/gpu/drm/i915/i915_user_extensions.c
+++ b/drivers/gpu/drm/i915/i915_user_extensions.c
@@ -51,7 +51,7 @@ int i915_user_extensions(struct i915_user_extension __user *ext,
return err;
if (get_user(next, &ext->next_extension) ||
- overflows_type(next, ext))
+ overflows_type(next, uintptr_t))
return -EFAULT;
ext = u64_to_user_ptr(next);
diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
index 6c14d13364bf..67a66d4d5c70 100644
--- a/drivers/gpu/drm/i915/i915_utils.h
+++ b/drivers/gpu/drm/i915/i915_utils.h
@@ -111,10 +111,6 @@ bool i915_error_injected(void);
#define range_overflows_end_t(type, start, size, max) \
range_overflows_end((type)(start), (type)(size), (type)(max))
-/* Note we don't consider signbits :| */
-#define overflows_type(x, T) \
- (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
-
#define ptr_mask_bits(ptr, n) ({ \
unsigned long __v = (unsigned long)(ptr); \
(typeof(ptr))(__v & -BIT(n)); \
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 973a1bfd7ef5..947a60b801db 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -236,6 +236,7 @@ static inline void *offset_to_ptr(const int *off)
* bool and also pointer types.
*/
#define is_signed_type(type) (((type)(-1)) < (__force type)1)
+#define is_unsigned_type(type) (!is_signed_type(type))
/*
* This is needed in functions which generate the stack canary, see
diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 19dfdd74835e..58eb34aa2af9 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow)
(*_d >> _to_shift) != _a); \
}))
+#define __overflows_type_constexpr(x, T) ( \
+ is_unsigned_type(typeof(x)) ? \
+ (x) > type_max(typeof(T)) ? 1 : 0 \
+ : is_unsigned_type(typeof(T)) ? \
+ (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
+ : (x) < type_min(typeof(T)) || \
+ (x) > type_max(typeof(T)) ? 1 : 0)
+
+#define __overflows_type(x, T) ({ \
+ typeof(T) v = 0; \
+ check_add_overflow((x), v, &v); \
+})
+
+/**
+ * overflows_type - helper for checking the overflows between value, variables,
+ * or data type
+ *
+ * @n: source constant value or variable to be checked
+ * @T: destination variable or data type proposed to store @x
+ *
+ * Compares the @x expression for whether or not it can safely fit in
+ * the storage of the type in @T. @x and @T can have different types.
+ * If @x is a constant expression, this will also resolve to a constant
+ * expression.
+ *
+ * Returns: true if overflow can occur, false otherwise.
+ */
+#define overflows_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n), \
+ __overflows_type_constexpr(n, T), \
+ __overflows_type(n, T))
+
+/**
+ * castable_to_type - like __same_type(), but also allows for casted literals
+ *
+ * @n: variable or constant value
+ * @T: variable or data type
+ *
+ * Unlike the __same_type() macro, this allows a constant value as the
+ * first argument. If this value would not overflow into an assignment
+ * of the second argument's type, it returns true. Otherwise, this falls
+ * back to __same_type().
+ */
+#define castable_to_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n), \
+ !__overflows_type_constexpr(n, T), \
+ __same_type(n, T))
+
/**
* size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
*
diff --git a/lib/Makefile b/lib/Makefile
index 161d6a724ff7..e061aad90539 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -376,6 +376,10 @@ obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o
obj-$(CONFIG_SLUB_KUNIT_TEST) += slub_kunit.o
obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o
obj-$(CONFIG_IS_SIGNED_TYPE_KUNIT_TEST) += is_signed_type_kunit.o
+# We're expecting to do a lot of "always true" or "always false" tests.
+ifdef CONFIG_CC_IS_CLANG
+CFLAGS_overflow_kunit.o += $(call cc-disable-warning, tautological-constant-out-of-range-compare)
+endif
obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o
CFLAGS_stackinit_kunit.o += $(call cc-disable-warning, switch-unreachable)
obj-$(CONFIG_STACKINIT_KUNIT_TEST) += stackinit_kunit.o
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
index 5369634701fa..edd3baf1fe6f 100644
--- a/lib/overflow_kunit.c
+++ b/lib/overflow_kunit.c
@@ -246,7 +246,7 @@ DEFINE_TEST_ARRAY(s64) = {
#define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \
static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
-{ \
+{ \
check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \
check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \
check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \
@@ -708,6 +708,384 @@ static void overflow_size_helpers_test(struct kunit *test)
#undef check_one_size_helper
}
+static void overflows_type_test(struct kunit *test)
+{
+ int count = 0;
+ unsigned int var;
+
+#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \
+ bool __of = func(arg1, arg2); \
+ KUNIT_EXPECT_EQ_MSG(test, __of, of, \
+ "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\
+ of ? "" : " not"); \
+ count++; \
+} while (0)
+
+/* Args are: first type, second type, value, overflow expected */
+#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \
+ __t1 t1 = (v); \
+ __t2 t2; \
+ __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\
+} while (0)
+
+ TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true);
+ TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true);
+ TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true);
+ TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s16, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false);
+#endif
+ TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false);
+ TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false);
+#endif
+
+ /* Check for macro side-effects. */
+ var = INT_MAX - 1;
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true);
+ var = INT_MAX - 1;
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true);
+
+ kunit_info(test, "%d overflows_type() tests finished\n", count);
+#undef TEST_OVERFLOWS_TYPE
+#undef __TEST_OVERFLOWS_TYPE
+}
+
+static void same_type_test(struct kunit *test)
+{
+ int count = 0;
+ int var;
+
+#define TEST_SAME_TYPE(t1, t2, same) do { \
+ typeof(t1) __t1h = type_max(t1); \
+ typeof(t1) __t1l = type_min(t1); \
+ typeof(t2) __t2h = type_max(t2); \
+ typeof(t2) __t2l = type_min(t2); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \
+} while (0)
+
+#if BITS_PER_LONG == 64
+# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m)
+#else
+# define TEST_SAME_TYPE64(base, t, m) do { } while (0)
+#endif
+
+#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \
+do { \
+ TEST_SAME_TYPE(base, u8, mu8); \
+ TEST_SAME_TYPE(base, u16, mu16); \
+ TEST_SAME_TYPE(base, u32, mu32); \
+ TEST_SAME_TYPE(base, s8, ms8); \
+ TEST_SAME_TYPE(base, s16, ms16); \
+ TEST_SAME_TYPE(base, s32, ms32); \
+ TEST_SAME_TYPE64(base, u64, mu64); \
+ TEST_SAME_TYPE64(base, s64, ms64); \
+} while (0)
+
+ TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false);
+ TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false);
+ TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false);
+ TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false);
+ TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false);
+ TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false);
+#if BITS_PER_LONG == 64
+ TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false);
+ TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true);
+#endif
+
+ /* Check for macro side-effects. */
+ var = 4;
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(var++, int));
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(int, var++));
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(var++, var++));
+ KUNIT_EXPECT_EQ(test, var, 4);
+
+ kunit_info(test, "%d __same_type() tests finished\n", count);
+
+#undef TEST_TYPE_SETS
+#undef TEST_SAME_TYPE64
+#undef TEST_SAME_TYPE
+}
+
+static void castable_to_type_test(struct kunit *test)
+{
+ int count = 0;
+
+#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \
+ bool __pass = castable_to_type(arg1, arg2); \
+ KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \
+ "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\
+ pass ? "" : " not"); \
+ count++; \
+} while (0)
+
+ TEST_CASTABLE_TO_TYPE(16, u8, true);
+ TEST_CASTABLE_TO_TYPE(16, u16, true);
+ TEST_CASTABLE_TO_TYPE(16, u32, true);
+ TEST_CASTABLE_TO_TYPE(16, s8, true);
+ TEST_CASTABLE_TO_TYPE(16, s16, true);
+ TEST_CASTABLE_TO_TYPE(16, s32, true);
+ TEST_CASTABLE_TO_TYPE(-16, s8, true);
+ TEST_CASTABLE_TO_TYPE(-16, s16, true);
+ TEST_CASTABLE_TO_TYPE(-16, s32, true);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE(16, u64, true);
+ TEST_CASTABLE_TO_TYPE(-16, s64, true);
+#endif
+
+#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \
+ u ## width u ## width ## var = 0; \
+ s ## width s ## width ## var = 0; \
+ \
+ /* Constant expressions that fit types. */ \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \
+ /* Constant expressions that do not fit types. */ \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \
+ /* Non-constant expression with mismatched type. */ \
+ TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \
+} while (0)
+
+#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \
+ unsigned long big = U ## width ## _MAX; \
+ signed long small = S ## width ## _MIN; \
+ u ## width u ## width ## var = 0; \
+ s ## width s ## width ## var = 0; \
+ \
+ /* Constant expression in range. */ \
+ TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \
+ /* Constant expression out of range. */ \
+ TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \
+ TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \
+ /* Non-constant expression with mismatched type. */ \
+ TEST_CASTABLE_TO_TYPE(big, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE(small, s ## width, false); \
+ TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \
+} while (0)
+
+ TEST_CASTABLE_TO_TYPE_VAR(8);
+ TEST_CASTABLE_TO_TYPE_VAR(16);
+ TEST_CASTABLE_TO_TYPE_VAR(32);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE_VAR(64);
+#endif
+
+ TEST_CASTABLE_TO_TYPE_RANGE(8);
+ TEST_CASTABLE_TO_TYPE_RANGE(16);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE_RANGE(32);
+#endif
+ kunit_info(test, "%d castable_to_type() tests finished\n", count);
+
+#undef TEST_CASTABLE_TO_TYPE_RANGE
+#undef TEST_CASTABLE_TO_TYPE_VAR
+#undef TEST_CASTABLE_TO_TYPE
+}
+
static struct kunit_case overflow_test_cases[] = {
KUNIT_CASE(u8_u8__u8_overflow_test),
KUNIT_CASE(s8_s8__s8_overflow_test),
@@ -730,6 +1108,9 @@ static struct kunit_case overflow_test_cases[] = {
KUNIT_CASE(shift_nonsense_test),
KUNIT_CASE(overflow_allocation_test),
KUNIT_CASE(overflow_size_helpers_test),
+ KUNIT_CASE(overflows_type_test),
+ KUNIT_CASE(same_type_test),
+ KUNIT_CASE(castable_to_type_test),
{}
};
--
2.37.1
Hi Gwan-gyeong,
On Fri, Oct 21, 2022 at 11:33:33AM +0300, Gwan-gyeong Mun wrote:
> From: Kees Cook <[email protected]>
>
> Implement a robust overflows_type() macro to test if a variable or
> constant value would overflow another variable or type. This can be
> used as a constant expression for static_assert() (which requires a
> constant expression[1][2]) when used on constant values. This must be
> constructed manually, since __builtin_add_overflow() does not produce
> a constant expression[3].
>
> Additionally adds castable_to_type(), similar to __same_type(), but for
> checking if a constant value would overflow if cast to a given type.
>
> Add unit tests for overflows_type(), __same_type(), and castable_to_type()
> to the existing KUnit "overflow" test.
>
> [1] https://en.cppreference.com/w/c/language/_Static_assert
> [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
> [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
> 6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
> Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
>
> Cc: Luc Van Oostenryck <[email protected]>
> Cc: Nathan Chancellor <[email protected]>
> Cc: Nick Desaulniers <[email protected]>
> Cc: Tom Rix <[email protected]>
> Cc: Daniel Latypov <[email protected]>
> Cc: Vitor Massaru Iha <[email protected]>
> Cc: "Gustavo A. R. Silva" <[email protected]>
> Cc: Jani Nikula <[email protected]>
> Cc: Mauro Carvalho Chehab <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Co-developed-by: Gwan-gyeong Mun <[email protected]>
> Signed-off-by: Gwan-gyeong Mun <[email protected]>
> Signed-off-by: Kees Cook <[email protected]>
<snip>
> diff --git a/lib/Makefile b/lib/Makefile
> index 161d6a724ff7..e061aad90539 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -376,6 +376,10 @@ obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o
> obj-$(CONFIG_SLUB_KUNIT_TEST) += slub_kunit.o
> obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o
> obj-$(CONFIG_IS_SIGNED_TYPE_KUNIT_TEST) += is_signed_type_kunit.o
> +# We're expecting to do a lot of "always true" or "always false" tests.
> +ifdef CONFIG_CC_IS_CLANG
> +CFLAGS_overflow_kunit.o += $(call cc-disable-warning, tautological-constant-out-of-range-compare)
If you are going to wrap this in CONFIG_CC_IS_CLANG (which is good),
drop the cc-disable-warning and just disable the warning directly.
CFLAGS_overflow_kunit.o += -Wno-tautological-constant-out-of-range-compare
All kernel supported clang versions support this warning so there is no
point in checking for its existence before disabling it with
cc-disable-warning. scripts/Makefile.extrawarn does this as well.
> +endif
> obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o
> CFLAGS_stackinit_kunit.o += $(call cc-disable-warning, switch-unreachable)
> obj-$(CONFIG_ST&ACKINIT_KUNIT_TEST) += stackinit_kunit.o
Cheers,
Nathan
From: Kees Cook <[email protected]>
Implement a robust overflows_type() macro to test if a variable or
constant value would overflow another variable or type. This can be
used as a constant expression for static_assert() (which requires a
constant expression[1][2]) when used on constant values. This must be
constructed manually, since __builtin_add_overflow() does not produce
a constant expression[3].
Additionally adds castable_to_type(), similar to __same_type(), but for
checking if a constant value would overflow if cast to a given type.
Add unit tests for overflows_type(), __same_type(), and castable_to_type()
to the existing KUnit "overflow" test.
[1] https://en.cppreference.com/w/c/language/_Static_assert
[2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
[3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
Cc: Luc Van Oostenryck <[email protected]>
Cc: Nathan Chancellor <[email protected]>
Cc: Nick Desaulniers <[email protected]>
Cc: Tom Rix <[email protected]>
Cc: Daniel Latypov <[email protected]>
Cc: Vitor Massaru Iha <[email protected]>
Cc: "Gustavo A. R. Silva" <[email protected]>
Cc: Jani Nikula <[email protected]>
Cc: Mauro Carvalho Chehab <[email protected]>
Cc: [email protected]
Cc: [email protected]
Co-developed-by: Gwan-gyeong Mun <[email protected]>
Signed-off-by: Gwan-gyeong Mun <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
---
v5: drop the cc-disable-warning and just disable the warning directly (Nathan)
v4:
- move version v2 changelog commit message to under the --- marker (Mauro)
- remove the #pragma addition in the code and modify the Makefile to handle the
same feature (Jani)
v3:
- chagne to use uintptr_t type when checking for overflow of pointer type
variable
v2:
- fix comment typo
- wrap clang pragma to avoid GCC warnings
- style nit cleanups
- rename __castable_to_type() to castable_to_type()
- remove prior overflows_type() definition
v1: https://lore.kernel.org/lkml/[email protected]
---
drivers/gpu/drm/i915/i915_user_extensions.c | 2 +-
drivers/gpu/drm/i915/i915_utils.h | 4 -
include/linux/compiler.h | 1 +
include/linux/overflow.h | 48 +++
lib/Makefile | 4 +
lib/overflow_kunit.c | 383 +++++++++++++++++++-
6 files changed, 436 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_user_extensions.c b/drivers/gpu/drm/i915/i915_user_extensions.c
index c822d0aafd2d..e3f808372c47 100644
--- a/drivers/gpu/drm/i915/i915_user_extensions.c
+++ b/drivers/gpu/drm/i915/i915_user_extensions.c
@@ -51,7 +51,7 @@ int i915_user_extensions(struct i915_user_extension __user *ext,
return err;
if (get_user(next, &ext->next_extension) ||
- overflows_type(next, ext))
+ overflows_type(next, uintptr_t))
return -EFAULT;
ext = u64_to_user_ptr(next);
diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
index 6c14d13364bf..67a66d4d5c70 100644
--- a/drivers/gpu/drm/i915/i915_utils.h
+++ b/drivers/gpu/drm/i915/i915_utils.h
@@ -111,10 +111,6 @@ bool i915_error_injected(void);
#define range_overflows_end_t(type, start, size, max) \
range_overflows_end((type)(start), (type)(size), (type)(max))
-/* Note we don't consider signbits :| */
-#define overflows_type(x, T) \
- (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
-
#define ptr_mask_bits(ptr, n) ({ \
unsigned long __v = (unsigned long)(ptr); \
(typeof(ptr))(__v & -BIT(n)); \
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 973a1bfd7ef5..947a60b801db 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -236,6 +236,7 @@ static inline void *offset_to_ptr(const int *off)
* bool and also pointer types.
*/
#define is_signed_type(type) (((type)(-1)) < (__force type)1)
+#define is_unsigned_type(type) (!is_signed_type(type))
/*
* This is needed in functions which generate the stack canary, see
diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 19dfdd74835e..58eb34aa2af9 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow)
(*_d >> _to_shift) != _a); \
}))
+#define __overflows_type_constexpr(x, T) ( \
+ is_unsigned_type(typeof(x)) ? \
+ (x) > type_max(typeof(T)) ? 1 : 0 \
+ : is_unsigned_type(typeof(T)) ? \
+ (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
+ : (x) < type_min(typeof(T)) || \
+ (x) > type_max(typeof(T)) ? 1 : 0)
+
+#define __overflows_type(x, T) ({ \
+ typeof(T) v = 0; \
+ check_add_overflow((x), v, &v); \
+})
+
+/**
+ * overflows_type - helper for checking the overflows between value, variables,
+ * or data type
+ *
+ * @n: source constant value or variable to be checked
+ * @T: destination variable or data type proposed to store @x
+ *
+ * Compares the @x expression for whether or not it can safely fit in
+ * the storage of the type in @T. @x and @T can have different types.
+ * If @x is a constant expression, this will also resolve to a constant
+ * expression.
+ *
+ * Returns: true if overflow can occur, false otherwise.
+ */
+#define overflows_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n), \
+ __overflows_type_constexpr(n, T), \
+ __overflows_type(n, T))
+
+/**
+ * castable_to_type - like __same_type(), but also allows for casted literals
+ *
+ * @n: variable or constant value
+ * @T: variable or data type
+ *
+ * Unlike the __same_type() macro, this allows a constant value as the
+ * first argument. If this value would not overflow into an assignment
+ * of the second argument's type, it returns true. Otherwise, this falls
+ * back to __same_type().
+ */
+#define castable_to_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n), \
+ !__overflows_type_constexpr(n, T), \
+ __same_type(n, T))
+
/**
* size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
*
diff --git a/lib/Makefile b/lib/Makefile
index 161d6a724ff7..583daefe4ac1 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -376,6 +376,10 @@ obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o
obj-$(CONFIG_SLUB_KUNIT_TEST) += slub_kunit.o
obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o
obj-$(CONFIG_IS_SIGNED_TYPE_KUNIT_TEST) += is_signed_type_kunit.o
+# We're expecting to do a lot of "always true" or "always false" tests.
+ifdef CONFIG_CC_IS_CLANG
+CFLAGS_overflow_kunit.o += -Wno-tautological-constant-out-of-range-compare
+endif
obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o
CFLAGS_stackinit_kunit.o += $(call cc-disable-warning, switch-unreachable)
obj-$(CONFIG_STACKINIT_KUNIT_TEST) += stackinit_kunit.o
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
index 5369634701fa..edd3baf1fe6f 100644
--- a/lib/overflow_kunit.c
+++ b/lib/overflow_kunit.c
@@ -246,7 +246,7 @@ DEFINE_TEST_ARRAY(s64) = {
#define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \
static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
-{ \
+{ \
check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \
check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \
check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \
@@ -708,6 +708,384 @@ static void overflow_size_helpers_test(struct kunit *test)
#undef check_one_size_helper
}
+static void overflows_type_test(struct kunit *test)
+{
+ int count = 0;
+ unsigned int var;
+
+#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \
+ bool __of = func(arg1, arg2); \
+ KUNIT_EXPECT_EQ_MSG(test, __of, of, \
+ "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\
+ of ? "" : " not"); \
+ count++; \
+} while (0)
+
+/* Args are: first type, second type, value, overflow expected */
+#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \
+ __t1 t1 = (v); \
+ __t2 t2; \
+ __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \
+ __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\
+} while (0)
+
+ TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true);
+ TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true);
+ TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true);
+ TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true);
+ TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s16, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true);
+ TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true);
+ TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true);
+ TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false);
+#endif
+ TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true);
+#endif
+ TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true);
+ TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true);
+ TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false);
+#if BITS_PER_LONG == 64
+ TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false);
+ TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true);
+ TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true);
+ TEST_OVERFLOWS_TYPE(s64, u64, -1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false);
+ TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true);
+ TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true);
+ TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false);
+ TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false);
+#endif
+
+ /* Check for macro side-effects. */
+ var = INT_MAX - 1;
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true);
+ var = INT_MAX - 1;
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
+ __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true);
+
+ kunit_info(test, "%d overflows_type() tests finished\n", count);
+#undef TEST_OVERFLOWS_TYPE
+#undef __TEST_OVERFLOWS_TYPE
+}
+
+static void same_type_test(struct kunit *test)
+{
+ int count = 0;
+ int var;
+
+#define TEST_SAME_TYPE(t1, t2, same) do { \
+ typeof(t1) __t1h = type_max(t1); \
+ typeof(t1) __t1l = type_min(t1); \
+ typeof(t2) __t2h = type_max(t2); \
+ typeof(t2) __t2l = type_min(t2); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \
+ KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \
+ KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \
+} while (0)
+
+#if BITS_PER_LONG == 64
+# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m)
+#else
+# define TEST_SAME_TYPE64(base, t, m) do { } while (0)
+#endif
+
+#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \
+do { \
+ TEST_SAME_TYPE(base, u8, mu8); \
+ TEST_SAME_TYPE(base, u16, mu16); \
+ TEST_SAME_TYPE(base, u32, mu32); \
+ TEST_SAME_TYPE(base, s8, ms8); \
+ TEST_SAME_TYPE(base, s16, ms16); \
+ TEST_SAME_TYPE(base, s32, ms32); \
+ TEST_SAME_TYPE64(base, u64, mu64); \
+ TEST_SAME_TYPE64(base, s64, ms64); \
+} while (0)
+
+ TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false);
+ TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false);
+ TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false);
+ TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false);
+ TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false);
+ TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false);
+#if BITS_PER_LONG == 64
+ TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false);
+ TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true);
+#endif
+
+ /* Check for macro side-effects. */
+ var = 4;
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(var++, int));
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(int, var++));
+ KUNIT_EXPECT_EQ(test, var, 4);
+ KUNIT_EXPECT_TRUE(test, __same_type(var++, var++));
+ KUNIT_EXPECT_EQ(test, var, 4);
+
+ kunit_info(test, "%d __same_type() tests finished\n", count);
+
+#undef TEST_TYPE_SETS
+#undef TEST_SAME_TYPE64
+#undef TEST_SAME_TYPE
+}
+
+static void castable_to_type_test(struct kunit *test)
+{
+ int count = 0;
+
+#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \
+ bool __pass = castable_to_type(arg1, arg2); \
+ KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \
+ "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\
+ pass ? "" : " not"); \
+ count++; \
+} while (0)
+
+ TEST_CASTABLE_TO_TYPE(16, u8, true);
+ TEST_CASTABLE_TO_TYPE(16, u16, true);
+ TEST_CASTABLE_TO_TYPE(16, u32, true);
+ TEST_CASTABLE_TO_TYPE(16, s8, true);
+ TEST_CASTABLE_TO_TYPE(16, s16, true);
+ TEST_CASTABLE_TO_TYPE(16, s32, true);
+ TEST_CASTABLE_TO_TYPE(-16, s8, true);
+ TEST_CASTABLE_TO_TYPE(-16, s16, true);
+ TEST_CASTABLE_TO_TYPE(-16, s32, true);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE(16, u64, true);
+ TEST_CASTABLE_TO_TYPE(-16, s64, true);
+#endif
+
+#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \
+ u ## width u ## width ## var = 0; \
+ s ## width s ## width ## var = 0; \
+ \
+ /* Constant expressions that fit types. */ \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \
+ /* Constant expressions that do not fit types. */ \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \
+ TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \
+ /* Non-constant expression with mismatched type. */ \
+ TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \
+} while (0)
+
+#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \
+ unsigned long big = U ## width ## _MAX; \
+ signed long small = S ## width ## _MIN; \
+ u ## width u ## width ## var = 0; \
+ s ## width s ## width ## var = 0; \
+ \
+ /* Constant expression in range. */ \
+ TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \
+ TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \
+ TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \
+ TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \
+ /* Constant expression out of range. */ \
+ TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \
+ TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \
+ /* Non-constant expression with mismatched type. */ \
+ TEST_CASTABLE_TO_TYPE(big, u ## width, false); \
+ TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \
+ TEST_CASTABLE_TO_TYPE(small, s ## width, false); \
+ TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \
+} while (0)
+
+ TEST_CASTABLE_TO_TYPE_VAR(8);
+ TEST_CASTABLE_TO_TYPE_VAR(16);
+ TEST_CASTABLE_TO_TYPE_VAR(32);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE_VAR(64);
+#endif
+
+ TEST_CASTABLE_TO_TYPE_RANGE(8);
+ TEST_CASTABLE_TO_TYPE_RANGE(16);
+#if BITS_PER_LONG == 64
+ TEST_CASTABLE_TO_TYPE_RANGE(32);
+#endif
+ kunit_info(test, "%d castable_to_type() tests finished\n", count);
+
+#undef TEST_CASTABLE_TO_TYPE_RANGE
+#undef TEST_CASTABLE_TO_TYPE_VAR
+#undef TEST_CASTABLE_TO_TYPE
+}
+
static struct kunit_case overflow_test_cases[] = {
KUNIT_CASE(u8_u8__u8_overflow_test),
KUNIT_CASE(s8_s8__s8_overflow_test),
@@ -730,6 +1108,9 @@ static struct kunit_case overflow_test_cases[] = {
KUNIT_CASE(shift_nonsense_test),
KUNIT_CASE(overflow_allocation_test),
KUNIT_CASE(overflow_size_helpers_test),
+ KUNIT_CASE(overflows_type_test),
+ KUNIT_CASE(same_type_test),
+ KUNIT_CASE(castable_to_type_test),
{}
};
--
2.37.1
Hi Kees,
I've updated to v5 with the last comment of Nathan.
Could you please kindly review what more is needed as we move forward
with this patch?
Br,
G.G.
On 10/24/22 11:11 PM, Gwan-gyeong Mun wrote:
> From: Kees Cook <[email protected]>
>
> Implement a robust overflows_type() macro to test if a variable or
> constant value would overflow another variable or type. This can be
> used as a constant expression for static_assert() (which requires a
> constant expression[1][2]) when used on constant values. This must be
> constructed manually, since __builtin_add_overflow() does not produce
> a constant expression[3].
>
> Additionally adds castable_to_type(), similar to __same_type(), but for
> checking if a constant value would overflow if cast to a given type.
>
> Add unit tests for overflows_type(), __same_type(), and castable_to_type()
> to the existing KUnit "overflow" test.
>
> [1] https://en.cppreference.com/w/c/language/_Static_assert
> [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
> [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
> 6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
> Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
>
> Cc: Luc Van Oostenryck <[email protected]>
> Cc: Nathan Chancellor <[email protected]>
> Cc: Nick Desaulniers <[email protected]>
> Cc: Tom Rix <[email protected]>
> Cc: Daniel Latypov <[email protected]>
> Cc: Vitor Massaru Iha <[email protected]>
> Cc: "Gustavo A. R. Silva" <[email protected]>
> Cc: Jani Nikula <[email protected]>
> Cc: Mauro Carvalho Chehab <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Co-developed-by: Gwan-gyeong Mun <[email protected]>
> Signed-off-by: Gwan-gyeong Mun <[email protected]>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> v5: drop the cc-disable-warning and just disable the warning directly (Nathan)
> v4:
> - move version v2 changelog commit message to under the --- marker (Mauro)
> - remove the #pragma addition in the code and modify the Makefile to handle the
> same feature (Jani)
> v3:
> - chagne to use uintptr_t type when checking for overflow of pointer type
> variable
> v2:
> - fix comment typo
> - wrap clang pragma to avoid GCC warnings
> - style nit cleanups
> - rename __castable_to_type() to castable_to_type()
> - remove prior overflows_type() definition
> v1: https://lore.kernel.org/lkml/[email protected]
> ---
> drivers/gpu/drm/i915/i915_user_extensions.c | 2 +-
> drivers/gpu/drm/i915/i915_utils.h | 4 -
> include/linux/compiler.h | 1 +
> include/linux/overflow.h | 48 +++
> lib/Makefile | 4 +
> lib/overflow_kunit.c | 383 +++++++++++++++++++-
> 6 files changed, 436 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_user_extensions.c b/drivers/gpu/drm/i915/i915_user_extensions.c
> index c822d0aafd2d..e3f808372c47 100644
> --- a/drivers/gpu/drm/i915/i915_user_extensions.c
> +++ b/drivers/gpu/drm/i915/i915_user_extensions.c
> @@ -51,7 +51,7 @@ int i915_user_extensions(struct i915_user_extension __user *ext,
> return err;
>
> if (get_user(next, &ext->next_extension) ||
> - overflows_type(next, ext))
> + overflows_type(next, uintptr_t))
> return -EFAULT;
>
> ext = u64_to_user_ptr(next);
> diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
> index 6c14d13364bf..67a66d4d5c70 100644
> --- a/drivers/gpu/drm/i915/i915_utils.h
> +++ b/drivers/gpu/drm/i915/i915_utils.h
> @@ -111,10 +111,6 @@ bool i915_error_injected(void);
> #define range_overflows_end_t(type, start, size, max) \
> range_overflows_end((type)(start), (type)(size), (type)(max))
>
> -/* Note we don't consider signbits :| */
> -#define overflows_type(x, T) \
> - (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
> -
> #define ptr_mask_bits(ptr, n) ({ \
> unsigned long __v = (unsigned long)(ptr); \
> (typeof(ptr))(__v & -BIT(n)); \
> diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> index 973a1bfd7ef5..947a60b801db 100644
> --- a/include/linux/compiler.h
> +++ b/include/linux/compiler.h
> @@ -236,6 +236,7 @@ static inline void *offset_to_ptr(const int *off)
> * bool and also pointer types.
> */
> #define is_signed_type(type) (((type)(-1)) < (__force type)1)
> +#define is_unsigned_type(type) (!is_signed_type(type))
>
> /*
> * This is needed in functions which generate the stack canary, see
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index 19dfdd74835e..58eb34aa2af9 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow)
> (*_d >> _to_shift) != _a); \
> }))
>
> +#define __overflows_type_constexpr(x, T) ( \
> + is_unsigned_type(typeof(x)) ? \
> + (x) > type_max(typeof(T)) ? 1 : 0 \
> + : is_unsigned_type(typeof(T)) ? \
> + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
> + : (x) < type_min(typeof(T)) || \
> + (x) > type_max(typeof(T)) ? 1 : 0)
> +
> +#define __overflows_type(x, T) ({ \
> + typeof(T) v = 0; \
> + check_add_overflow((x), v, &v); \
> +})
> +
> +/**
> + * overflows_type - helper for checking the overflows between value, variables,
> + * or data type
> + *
> + * @n: source constant value or variable to be checked
> + * @T: destination variable or data type proposed to store @x
> + *
> + * Compares the @x expression for whether or not it can safely fit in
> + * the storage of the type in @T. @x and @T can have different types.
> + * If @x is a constant expression, this will also resolve to a constant
> + * expression.
> + *
> + * Returns: true if overflow can occur, false otherwise.
> + */
> +#define overflows_type(n, T) \
> + __builtin_choose_expr(__is_constexpr(n), \
> + __overflows_type_constexpr(n, T), \
> + __overflows_type(n, T))
> +
> +/**
> + * castable_to_type - like __same_type(), but also allows for casted literals
> + *
> + * @n: variable or constant value
> + * @T: variable or data type
> + *
> + * Unlike the __same_type() macro, this allows a constant value as the
> + * first argument. If this value would not overflow into an assignment
> + * of the second argument's type, it returns true. Otherwise, this falls
> + * back to __same_type().
> + */
> +#define castable_to_type(n, T) \
> + __builtin_choose_expr(__is_constexpr(n), \
> + !__overflows_type_constexpr(n, T), \
> + __same_type(n, T))
> +
> /**
> * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
> *
> diff --git a/lib/Makefile b/lib/Makefile
> index 161d6a724ff7..583daefe4ac1 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -376,6 +376,10 @@ obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o
> obj-$(CONFIG_SLUB_KUNIT_TEST) += slub_kunit.o
> obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o
> obj-$(CONFIG_IS_SIGNED_TYPE_KUNIT_TEST) += is_signed_type_kunit.o
> +# We're expecting to do a lot of "always true" or "always false" tests.
> +ifdef CONFIG_CC_IS_CLANG
> +CFLAGS_overflow_kunit.o += -Wno-tautological-constant-out-of-range-compare
> +endif
> obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o
> CFLAGS_stackinit_kunit.o += $(call cc-disable-warning, switch-unreachable)
> obj-$(CONFIG_STACKINIT_KUNIT_TEST) += stackinit_kunit.o
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index 5369634701fa..edd3baf1fe6f 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -246,7 +246,7 @@ DEFINE_TEST_ARRAY(s64) = {
>
> #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \
> static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
> -{ \
> +{ \
> check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \
> check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \
> check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \
> @@ -708,6 +708,384 @@ static void overflow_size_helpers_test(struct kunit *test)
> #undef check_one_size_helper
> }
>
> +static void overflows_type_test(struct kunit *test)
> +{
> + int count = 0;
> + unsigned int var;
> +
> +#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \
> + bool __of = func(arg1, arg2); \
> + KUNIT_EXPECT_EQ_MSG(test, __of, of, \
> + "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\
> + of ? "" : " not"); \
> + count++; \
> +} while (0)
> +
> +/* Args are: first type, second type, value, overflow expected */
> +#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \
> + __t1 t1 = (v); \
> + __t2 t2; \
> + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \
> + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \
> + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \
> + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\
> +} while (0)
> +
> + TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true);
> + TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true);
> + TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true);
> + TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true);
> +#endif
> + TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true);
> + TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true);
> + TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true);
> + TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s16, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true);
> + TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true);
> + TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true);
> +#endif
> + TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true);
> + TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true);
> + TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true);
> + TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false);
> +#endif
> + TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true);
> +#endif
> + TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true);
> + TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true);
> + TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false);
> +#if BITS_PER_LONG == 64
> + TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false);
> + TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false);
> + TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true);
> + TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true);
> + TEST_OVERFLOWS_TYPE(s64, u64, -1, true);
> + TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false);
> + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false);
> + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false);
> + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true);
> + TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true);
> + TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false);
> + TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false);
> +#endif
> +
> + /* Check for macro side-effects. */
> + var = INT_MAX - 1;
> + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true);
> + var = INT_MAX - 1;
> + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false);
> + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true);
> +
> + kunit_info(test, "%d overflows_type() tests finished\n", count);
> +#undef TEST_OVERFLOWS_TYPE
> +#undef __TEST_OVERFLOWS_TYPE
> +}
> +
> +static void same_type_test(struct kunit *test)
> +{
> + int count = 0;
> + int var;
> +
> +#define TEST_SAME_TYPE(t1, t2, same) do { \
> + typeof(t1) __t1h = type_max(t1); \
> + typeof(t1) __t1l = type_min(t1); \
> + typeof(t2) __t2h = type_max(t2); \
> + typeof(t2) __t2l = type_min(t2); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \
> + KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \
> + KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \
> +} while (0)
> +
> +#if BITS_PER_LONG == 64
> +# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m)
> +#else
> +# define TEST_SAME_TYPE64(base, t, m) do { } while (0)
> +#endif
> +
> +#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \
> +do { \
> + TEST_SAME_TYPE(base, u8, mu8); \
> + TEST_SAME_TYPE(base, u16, mu16); \
> + TEST_SAME_TYPE(base, u32, mu32); \
> + TEST_SAME_TYPE(base, s8, ms8); \
> + TEST_SAME_TYPE(base, s16, ms16); \
> + TEST_SAME_TYPE(base, s32, ms32); \
> + TEST_SAME_TYPE64(base, u64, mu64); \
> + TEST_SAME_TYPE64(base, s64, ms64); \
> +} while (0)
> +
> + TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false);
> + TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false);
> + TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false);
> + TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false);
> + TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false);
> + TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false);
> +#if BITS_PER_LONG == 64
> + TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false);
> + TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true);
> +#endif
> +
> + /* Check for macro side-effects. */
> + var = 4;
> + KUNIT_EXPECT_EQ(test, var, 4);
> + KUNIT_EXPECT_TRUE(test, __same_type(var++, int));
> + KUNIT_EXPECT_EQ(test, var, 4);
> + KUNIT_EXPECT_TRUE(test, __same_type(int, var++));
> + KUNIT_EXPECT_EQ(test, var, 4);
> + KUNIT_EXPECT_TRUE(test, __same_type(var++, var++));
> + KUNIT_EXPECT_EQ(test, var, 4);
> +
> + kunit_info(test, "%d __same_type() tests finished\n", count);
> +
> +#undef TEST_TYPE_SETS
> +#undef TEST_SAME_TYPE64
> +#undef TEST_SAME_TYPE
> +}
> +
> +static void castable_to_type_test(struct kunit *test)
> +{
> + int count = 0;
> +
> +#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \
> + bool __pass = castable_to_type(arg1, arg2); \
> + KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \
> + "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\
> + pass ? "" : " not"); \
> + count++; \
> +} while (0)
> +
> + TEST_CASTABLE_TO_TYPE(16, u8, true);
> + TEST_CASTABLE_TO_TYPE(16, u16, true);
> + TEST_CASTABLE_TO_TYPE(16, u32, true);
> + TEST_CASTABLE_TO_TYPE(16, s8, true);
> + TEST_CASTABLE_TO_TYPE(16, s16, true);
> + TEST_CASTABLE_TO_TYPE(16, s32, true);
> + TEST_CASTABLE_TO_TYPE(-16, s8, true);
> + TEST_CASTABLE_TO_TYPE(-16, s16, true);
> + TEST_CASTABLE_TO_TYPE(-16, s32, true);
> +#if BITS_PER_LONG == 64
> + TEST_CASTABLE_TO_TYPE(16, u64, true);
> + TEST_CASTABLE_TO_TYPE(-16, s64, true);
> +#endif
> +
> +#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \
> + u ## width u ## width ## var = 0; \
> + s ## width s ## width ## var = 0; \
> + \
> + /* Constant expressions that fit types. */ \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \
> + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \
> + /* Constant expressions that do not fit types. */ \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \
> + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \
> + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \
> + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \
> + /* Non-constant expression with mismatched type. */ \
> + TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \
> + TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \
> +} while (0)
> +
> +#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \
> + unsigned long big = U ## width ## _MAX; \
> + signed long small = S ## width ## _MIN; \
> + u ## width u ## width ## var = 0; \
> + s ## width s ## width ## var = 0; \
> + \
> + /* Constant expression in range. */ \
> + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \
> + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \
> + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \
> + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \
> + /* Constant expression out of range. */ \
> + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \
> + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \
> + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \
> + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \
> + /* Non-constant expression with mismatched type. */ \
> + TEST_CASTABLE_TO_TYPE(big, u ## width, false); \
> + TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \
> + TEST_CASTABLE_TO_TYPE(small, s ## width, false); \
> + TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \
> +} while (0)
> +
> + TEST_CASTABLE_TO_TYPE_VAR(8);
> + TEST_CASTABLE_TO_TYPE_VAR(16);
> + TEST_CASTABLE_TO_TYPE_VAR(32);
> +#if BITS_PER_LONG == 64
> + TEST_CASTABLE_TO_TYPE_VAR(64);
> +#endif
> +
> + TEST_CASTABLE_TO_TYPE_RANGE(8);
> + TEST_CASTABLE_TO_TYPE_RANGE(16);
> +#if BITS_PER_LONG == 64
> + TEST_CASTABLE_TO_TYPE_RANGE(32);
> +#endif
> + kunit_info(test, "%d castable_to_type() tests finished\n", count);
> +
> +#undef TEST_CASTABLE_TO_TYPE_RANGE
> +#undef TEST_CASTABLE_TO_TYPE_VAR
> +#undef TEST_CASTABLE_TO_TYPE
> +}
> +
> static struct kunit_case overflow_test_cases[] = {
> KUNIT_CASE(u8_u8__u8_overflow_test),
> KUNIT_CASE(s8_s8__s8_overflow_test),
> @@ -730,6 +1108,9 @@ static struct kunit_case overflow_test_cases[] = {
> KUNIT_CASE(shift_nonsense_test),
> KUNIT_CASE(overflow_allocation_test),
> KUNIT_CASE(overflow_size_helpers_test),
> + KUNIT_CASE(overflows_type_test),
> + KUNIT_CASE(same_type_test),
> + KUNIT_CASE(castable_to_type_test),
> {}
> };
>
On Sat, Oct 29, 2022 at 08:55:43AM +0300, Gwan-gyeong Mun wrote:
> Hi Kees,
Hi! :)
> I've updated to v5 with the last comment of Nathan.
> Could you please kindly review what more is needed as we move forward with
> this patch?
It looks fine to me -- I assume it'll go via the drm tree? Would you
rather I carry the non-drm changes in my tree instead?
>
--
Kees Cook
On 10/29/22 10:32 AM, Kees Cook wrote:
> On Sat, Oct 29, 2022 at 08:55:43AM +0300, Gwan-gyeong Mun wrote:
>> Hi Kees,
>
> Hi! :)
>
>> I've updated to v5 with the last comment of Nathan.
>> Could you please kindly review what more is needed as we move forward with
>> this patch?
>
> It looks fine to me -- I assume it'll go via the drm tree? Would you
> rather I carry the non-drm changes in my tree instead?
>
Hi!
Yes, I think it would be better to run this patch on your tree.
this patch moves the macro of i915 to overflows.h and modifies one part
of drm's driver code, but I think this part can be easily applied when
merging into the drm tree.
Many thanks,
G.G.
>>
On Sat, Oct 29, 2022 at 11:01:38AM +0300, Gwan-gyeong Mun wrote:
>
>
> On 10/29/22 10:32 AM, Kees Cook wrote:
> > On Sat, Oct 29, 2022 at 08:55:43AM +0300, Gwan-gyeong Mun wrote:
> > > Hi Kees,
> >
> > Hi! :)
> >
> > > I've updated to v5 with the last comment of Nathan.
> > > Could you please kindly review what more is needed as we move forward with
> > > this patch?
> >
> > It looks fine to me -- I assume it'll go via the drm tree? Would you
> > rather I carry the non-drm changes in my tree instead?
> >
> Hi!
> Yes, I think it would be better to run this patch on your tree.
> this patch moves the macro of i915 to overflows.h and modifies one part of
> drm's driver code, but I think this part can be easily applied when merging
> into the drm tree.
I've rebased it to the hardening tree, and it should appear in -next
shortly:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/hardening&id=5904fcb776d0b518be96bca43f258db90f26ba9a
--
Kees Cook
On 11/2/22 1:06 AM, Kees Cook wrote:
> On Sat, Oct 29, 2022 at 11:01:38AM +0300, Gwan-gyeong Mun wrote:
>>
>>
>> On 10/29/22 10:32 AM, Kees Cook wrote:
>>> On Sat, Oct 29, 2022 at 08:55:43AM +0300, Gwan-gyeong Mun wrote:
>>>> Hi Kees,
>>>
>>> Hi! :)
>>>
>>>> I've updated to v5 with the last comment of Nathan.
>>>> Could you please kindly review what more is needed as we move forward with
>>>> this patch?
>>>
>>> It looks fine to me -- I assume it'll go via the drm tree? Would you
>>> rather I carry the non-drm changes in my tree instead?
>>>
>> Hi!
>> Yes, I think it would be better to run this patch on your tree.
>> this patch moves the macro of i915 to overflows.h and modifies one part of
>> drm's driver code, but I think this part can be easily applied when merging
>> into the drm tree.
>
> I've rebased it to the hardening tree, and it should appear in -next
> shortly:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/hardening&id=5904fcb776d0b518be96bca43f258db90f26ba9a
>
Thanks for making this patch go forward.
G.G.
On 24/10/2022 22.11, Gwan-gyeong Mun wrote:
> From: Kees Cook <[email protected]>
>
> Implement a robust overflows_type() macro to test if a variable or
> constant value would overflow another variable or type. This can be
> used as a constant expression for static_assert() (which requires a
> constant expression[1][2]) when used on constant values. This must be
> constructed manually, since __builtin_add_overflow() does not produce
> a constant expression[3].
>
> Additionally adds castable_to_type(), similar to __same_type(), but for
> checking if a constant value would overflow if cast to a given type.
>
> +#define __overflows_type_constexpr(x, T) ( \
> + is_unsigned_type(typeof(x)) ? \
> + (x) > type_max(typeof(T)) ? 1 : 0 \
> + : is_unsigned_type(typeof(T)) ? \
> + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
> + : (x) < type_min(typeof(T)) || \
> + (x) > type_max(typeof(T)) ? 1 : 0)
> +
Can't all these instances of "foo ? 1 : 0" be simplified to "foo"? That
would improve the readability of this thing somewhat IMO.
Rasmus
On Wed, Nov 02, 2022 at 12:52:32PM +0100, Rasmus Villemoes wrote:
> On 24/10/2022 22.11, Gwan-gyeong Mun wrote:
> > From: Kees Cook <[email protected]>
> >
> > Implement a robust overflows_type() macro to test if a variable or
> > constant value would overflow another variable or type. This can be
> > used as a constant expression for static_assert() (which requires a
> > constant expression[1][2]) when used on constant values. This must be
> > constructed manually, since __builtin_add_overflow() does not produce
> > a constant expression[3].
> >
> > Additionally adds castable_to_type(), similar to __same_type(), but for
> > checking if a constant value would overflow if cast to a given type.
> >
>
> > +#define __overflows_type_constexpr(x, T) ( \
> > + is_unsigned_type(typeof(x)) ? \
> > + (x) > type_max(typeof(T)) ? 1 : 0 \
> > + : is_unsigned_type(typeof(T)) ? \
> > + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
> > + : (x) < type_min(typeof(T)) || \
> > + (x) > type_max(typeof(T)) ? 1 : 0)
> > +
>
> Can't all these instances of "foo ? 1 : 0" be simplified to "foo"? That
> would improve the readability of this thing somewhat IMO.
Oh, good point. :P I'll fix these.
--
Kees Cook