Received: by 10.213.65.68 with SMTP id h4csp1142951imn; Sun, 18 Mar 2018 16:39:43 -0700 (PDT) X-Google-Smtp-Source: AG47ELsK9mHe3KkB4C+wH+P9dtUiGIQGzjyqwyft0bg/s2floiURLU6KI7HtzQphbEgGz8cO8awZ X-Received: by 10.101.74.135 with SMTP id b7mr7599292pgu.260.1521416382985; Sun, 18 Mar 2018 16:39:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521416382; cv=none; d=google.com; s=arc-20160816; b=wq4E/GgVzpSeNed4opqOJKcy4H9H7idXzPXyKUqUOp3AzmRwkgSh7BoI4aJwWajGQv CBflANkw2cX9zlOJTjitNmyj0zxKsokQV3O7W0/G45cjfTQfLJ8RLR5P1XvV2tyJmmfY QO7dixt4/Kbc9Unl9S86qwwVHL9S/P1FqFKTteFLhtcyEqf6hPLbCdJYTescHYi9ebdt B5ioE6GaZ3F3rkTZcYl7zBwHQVkbwVoufZWbQf3G8mzwMSQcaUzOdGZvX/iwSofwzrYx q1UMG/8243bMeT28Kkxrvr1xgU9YQTB7zWDLBjr51UyI09ACvUuJfBSh0bAx/bLBFOoa MYmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=xMfObH6kvqBornuqqgH3WB9THwyft1+NriJ3DeIluog=; b=aFEoFzjMTvlXeSCP8KyBJpIqE41wmtC45Lag9cor6KorqKcjO/COhaedcAe37hHNT/ GeWo+ob8a83NLZLtdJmintF/SiI/YW09gmumc3aVK8TrwGis3+4p7MznGz5e/redGW6Y azCmTQVB0yRrGExpiTVTw/HDFDu+Y0pbFVYgvjTbGS1nc6Lt/vpHKPLlP5pFE9yc0QZD +CjxAvD/PuYbzHWXmLduqTIQq+3VbhSAc6V/WeT8nRIvoVpvv//8z3MPCt0CeaWN1z1v 5M6RiRP2b7BqBs8h1nQqtQP9dcqJRVm79Cs5olXb5lvEwVzsbflfWBqmo/s90YpVforJ 9d4A== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=ACecg4ps; dkim=fail header.i=@linux-foundation.org header.s=google header.b=h4Iubc94; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t12si3479624pgp.498.2018.03.18.16.38.53; Sun, 18 Mar 2018 16:39:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=ACecg4ps; dkim=fail header.i=@linux-foundation.org header.s=google header.b=h4Iubc94; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754583AbeCRXgU (ORCPT + 99 others); Sun, 18 Mar 2018 19:36:20 -0400 Received: from mail-io0-f178.google.com ([209.85.223.178]:45130 "EHLO mail-io0-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754230AbeCRXgP (ORCPT ); Sun, 18 Mar 2018 19:36:15 -0400 Received: by mail-io0-f178.google.com with SMTP id m22so18583642iob.12; Sun, 18 Mar 2018 16:36:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=xMfObH6kvqBornuqqgH3WB9THwyft1+NriJ3DeIluog=; b=ACecg4psshl5phDj6FXc2OGtFDqDYD0x7SOyzut13B9pMZq6Y3QwAxGgAOcDODAgEp gHmQke8F9TrRJ831AG5XByAoweonlQ/BhJtj37zGMtKChyEWcEyK3aiuOymVnPZct0Wr 0JieVB2qsIlBO7RQ4ugDZcm67LsM2MDwOXnDtABl4V48tNUA9P2Q8BKUkJpJnmnMSTGy KuPLTAzSvhFHRMRX2DnDX1pjDy99N6Uli+X49fg3HGcP6kBdmGOOPKf+9b1sOMoicUyC dhntzs496lKB/0fBuZtJuYlZwPmMN0YWOqOpxWX4co8JnpCVmujVpk4QtcdE1fkw2tiB rmSg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=xMfObH6kvqBornuqqgH3WB9THwyft1+NriJ3DeIluog=; b=h4Iubc94ccjvoEQ5yNeE+LYxyr6FyTmSqZgnTNQPTXZ1GyowBNmORIaxOlEmZjoBkM Xbh4GbhD6+DJC5xyEEy2byFHRKMBAl7ZPt/oF9gRs6NuRypKpx86EsARve1+qkCZsU86 wfcbfYQF6gd3e3VO6i8CzkTJm9WkWCIgwyZyo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=xMfObH6kvqBornuqqgH3WB9THwyft1+NriJ3DeIluog=; b=tjclcI2Xj8lNF/RRy0CFZn+Pe5vThkUFD/bY6QNUUw3jJAzgU5CCX9HIweRu7VZ1QR 4yoUBLlxuEJaL/uI4DpAOTuLVBv6U3XLTmnZXmn7oRgz68srM5u/nxdXIhU4w+bpJpMI PwDdZyANTgXPSG6LxDXHN22pKNv9iqybCF112iYhoKogHCs07yKswoP1Ti4XkC9M1yCq m4xk06lV18yvS+I3S4cQilYTsHdJKa+qj43TMmsC1FaWwydlu3la7xdlgTn/eP3meu9i tYH2RA38vwEKS31OLMJMo/1Jk61MZnxn7LPChZF/7Ky7ceu/lPN9J1ssiLmqi+blv4Sp dClw== X-Gm-Message-State: AElRT7GaInzXNLQwjqQ+OpZrwW9oEbCJXddK8Zi5oDDqLaDH72nIO/+O 89Ph+yhkEW3vl247taQYAvUX+3GdR+1XwzA00/w= X-Received: by 10.107.22.1 with SMTP id 1mr10298602iow.238.1521416174243; Sun, 18 Mar 2018 16:36:14 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.95.15 with HTTP; Sun, 18 Mar 2018 16:36:13 -0700 (PDT) In-Reply-To: <38b6da49-1138-017e-7307-f39ff067d6d2@rasmusvillemoes.dk> References: <1521174359-46392-1-git-send-email-keescook@chromium.org> <20180316175502.GE30522@ZenIV.linux.org.uk> <42b4342b-aefc-a16a-0d43-9f9c0d63ba7a@rasmusvillemoes.dk> <38b6da49-1138-017e-7307-f39ff067d6d2@rasmusvillemoes.dk> From: Linus Torvalds Date: Sun, 18 Mar 2018 16:36:13 -0700 X-Google-Sender-Auth: WrBXlyLoOgHyL-34FBnr7MB5Dqg Message-ID: Subject: Re: [PATCH v5 0/2] Remove false-positive VLAs when using max() To: Rasmus Villemoes Cc: Kees Cook , Al Viro , Florian Weimer , Andrew Morton , Josh Poimboeuf , Randy Dunlap , Miguel Ojeda , Ingo Molnar , David Laight , Ian Abbott , linux-input , linux-btrfs , Network Development , Linux Kernel Mailing List , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Mar 18, 2018 at 3:59 PM, Rasmus Villemoes wrote: > > OK, I missed where this was made about side effects of x and y We never made it explicit, since all we really cared about in the end is the constantness. But yes: > but I suppose the idea was to use > > no_side_effects(x) && no_side_effects(y) ? trivial_max(x, y) : > old_max(x, y) Exactly. Except with __builtin_choose_expr(), because we need the end result to be seen as a integer constant expression, so that we can then use it as an array size. So it needs that early parse-time resolution. >> We only really use __builtin_constant_p() as a (bad) approximation of >> that in this case, since it's the best we can do. > > I don't think you should parenthesize bad, rather capitalize it. ({x++; > 0;}) is constant in the eyes of __builtin_constant_p, but not > side-effect free. Hmm. Yeah, but probably don't much care for the kernel. For example, we do things like this: #define __swab64(x) \ (__builtin_constant_p((__u64)(x)) ? \ ___constant_swab64(x) : \ __fswab64(x)) where that "___constant_swab64()" very much uses the same argument over and over. And we do that for related reasons - we really want to do the constant folding at build time for some cases, and this was the only sane way to do it. Eg code like return (addr & htonl(0xff000000)) == htonl(0x7f000000); wants to do the right thing, and long ago gcc didn't have builtins for byte swapping, so we had to just do nasty horribly macros that DTRT for constants. But since the kernel is standalone, we don't need to really worry about the *generic* case, we just need to worry about our own macros, and if somebody does that example you show I guess we'll just have to shun them ;) Of course, our own macros are often macros from hell, exactly because they often contain a lot of type-checking and/or type-(size)-based polymorphism. But then we actually *want* gcc to simplify things, and avoid side effects, just have potentially very complex expressions. But we basically never have that kind of intentionally evil macros, so we are willing to live with a bad substitute. But yes, it would be better to have some more control over things, and actually have a way to say "if X is a constant integer expression, do transformation Y, otherwise call function y()". Actually sparse started out with the idea in the background that it could become not just a checker, but a "transformation tool". Partly because of long gone historical issues (ie gcc people used to be very anti-plugin due to licensing issues). Of course, a more integrated and powerful preprocessor language is almost always what we *really* wanted, but traditionally "powerful preprocessor" has always meant "completely incomprehensible and badly integrated preprocessor". "cpp" may be a horrid language, but it's there and it's fast (when integrated with the front-end, like everybody does now) But sadly, cpp is really bad for the above kind of "if argument is constant" kind of tricks. I suspect we'd use it a lot otherwise. >> So the real use would be to say "can we use the simple direct macro >> that just happens to also fold into a nice integer constant >> expression" for __builtin_choose_expr(). >> >> I tried to find something like that, but it really doesn't exist, even >> though I would actually have expected it to be a somewhat common >> concern for macro writers: write a macro that works in any arbitrary >> environment. > > Yeah, I think the closest is a five year old suggestion > (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=57612) to add a > __builtin_assert_no_side_effects, that could be used in macros that for > some reason cannot be implemented without evaluating some argument > multiple times. It would be more useful to have the predicate version, > which one could always turn into a build bug version. But we have > neither, unfortunately. Yeah, and since we're in the situation that *new* gcc versions work for us anyway, and we only have issues with older gcc's (that sadly people still use), even if there was a new cool feature we couldn't use it. Oh well. Thanks for the background. Linus