From: Måns Rullgård
To: Tomas Winkler
Cc: Henrique de Moraes Holschuh, linux-kernel@vger.kernel.org, linux-sparse@vger.kernel.org, Herbert Xu, Al Viro
Subject: Re: Arrays of variable length
References: <20170305211254.GA3220@khazad-dum.debian.net>
Date: Thu, 09 Mar 2017 14:38:07 +0000
In-Reply-To: (Tomas Winkler's message of "Thu, 9 Mar 2017 16:29:18 +0200")
X-Mailing-List: linux-kernel@vger.kernel.org

Tomas Winkler writes:

> On Thu, Mar 9, 2017 at 4:26 PM, Måns Rullgård wrote:
>> Tomas Winkler writes:
>>
>>> On Thu, Mar 9, 2017 at 4:16 PM, Måns Rullgård wrote:
>>>> Tomas Winkler writes:
>>>>
>>>>> On Thu, Mar 9, 2017 at 3:02 PM, Måns Rullgård wrote:
>>>>>> Tomas Winkler writes:
>>>>>>
>>>>>>> On Mon, Mar 6, 2017 at 2:31 AM, Måns Rullgård wrote:
>>>>>>>> Henrique de Moraes Holschuh writes:
>>>>>>>>
>>>>>>>>> On Sun, 05 Mar 2017, Måns Rullgård wrote:
>>>>>>>>>> Tomas Winkler writes:
>>>>>>>>>> > Sparse complains about arrays declared with variable length:
>>>>>>>>>> >
>>>>>>>>>> > 'warning: Variable length array is used'
>>>>>>>>>> >
>>>>>>>>>> > Prior to C99 this was not allowed, but gcc (C99) doesn't have a problem
>>>>>>>>>> > with that: https://gcc.gnu.org/onlinedocs/gcc/Variable-Length.html.
>>>>>>>>>> > Also, Linux kernel compilation with W=1 doesn't complain.
>>>>>>>>>> >
>>>>>>>>>> > Since sparse is used extensively, I would like to ask what the correct
>>>>>>>>>> > usage of arrays of variable length within the Linux kernel is.
>>>>>>>>>>
>>>>>>>>>> Variable-length arrays are a very bad idea. Don't use them, ever.
>>>>>>>>>> If the size has a sane upper bound, just use that value statically.
>>>>>>>>>> Otherwise, you have a stack overflow waiting to happen and should be
>>>>>>>>>> using some kind of dynamic allocation instead.
>>>>>>>>>>
>>>>>>>>>> Furthermore, use of VLAs generally results in less efficient code. For
>>>>>>>>>> instance, it forces gcc to waste a register for the frame pointer, and
>>>>>>>>>> it often prevents inlining.
>>>>>>>>>
>>>>>>>>> Well, if we're going to forbid VLAs in the kernel, IMHO the kernel build
>>>>>>>>> system should call gcc with -Werror=vla to get that point across early,
>>>>>>>>> and flush out any offenders.
>>>>>>>>
>>>>>>>> If it were up to me, that's exactly what I'd do.
>>>>>>>
>>>>>>> Some parts of the kernel depend on VLAs, such as the ___ON_STACK macros in
>>>>>>> include/crypto/hash.h.
>>>>>>> It's actually a pretty neat implementation; maybe it's too harsh to
>>>>>>> disable VLAs completely.
>>>>>>
>>>>>> And what happens if the requested size is insane?
>>>>>
>>>>> One option is to add '-Wvla-larger-than=n'.
>>>>
>>>> If you know the upper bound, why use VLAs in the first place?
>>>
>>> This is a watermark and not actual usage, but maybe I didn't
>>> understand your comment.
>>
>> If there is an upper bound known at compile time, why not simply use
>> that size statically? If there is no upper bound, well, then you have a
>> problem.
>
> If the compiler can do the job, why not use this flexibility?

Because, as I already said, there are security implications if the size is
unbounded, and even with a safely bounded size, using VLAs interferes with
compiler optimisations.

Ensuring VLAs are used safely is usually more work than simply avoiding them
in the first place.

-- 
Måns Rullgård
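Added example, not part of the thread or of the kernel: the VLA pattern the thread warns against beside the fixed-bound form Måns recommends. The function names, the XOR-fold computation, `SCRATCH_MAX` and the sample input are all made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical compile-time upper bound, standing in for the largest
 * scratch size a caller can legitimately request. */
#define SCRATCH_MAX 64

/* The pattern the thread warns against: scratch space is a VLA sized by
 * the caller. An unbounded len means an unbounded stack frame, and the
 * variable frame size also blocks inlining and pins the frame pointer. */
int fold_vla(const uint8_t *in, size_t len, uint8_t *out)
{
    uint8_t scratch[len];               /* frame grows with len, unchecked */
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        scratch[i] = in[len - 1 - i];   /* reversed copy */
    for (size_t i = 0; i < len; i++)
        acc ^= scratch[i];
    *out = acc;
    return 0;
}

/* Same computation with the bound used statically: constant frame size,
 * and an oversize request is rejected instead of overflowing the stack. */
int fold_fixed(const uint8_t *in, size_t len, uint8_t *out)
{
    uint8_t scratch[SCRATCH_MAX];
    uint8_t acc = 0;
    if (len > SCRATCH_MAX)
        return -1;                      /* caller rejects or falls back to heap */
    for (size_t i = 0; i < len; i++)
        scratch[i] = in[len - 1 - i];
    for (size_t i = 0; i < len; i++)
        acc ^= scratch[i];
    *out = acc;
    return 0;
}

/* Constructed sample input: {1,2,4,8} XOR-folds to 15 in either order. */
static const uint8_t sample[4] = {1, 2, 4, 8};

int sample_fold_vla(void)   { uint8_t o; return fold_vla(sample, sizeof sample, &o) ? -1 : o; }
int sample_fold_fixed(void) { uint8_t o; return fold_fixed(sample, sizeof sample, &o) ? -1 : o; }
int sample_oversize(void)   { uint8_t o; return fold_fixed(sample, SCRATCH_MAX + 1, &o); }

int main(void)
{
    printf("vla=%d fixed=%d oversize_rc=%d\n",
           sample_fold_vla(), sample_fold_fixed(), sample_oversize());
    return 0;
}
```

Compiling with -Wvla (or -Werror=vla, as Henrique suggests) flags only fold_vla; fold_fixed has a constant frame and an explicit failure path for the oversize case.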