Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp14707479ybl; Mon, 30 Dec 2019 15:40:28 -0800 (PST) X-Google-Smtp-Source: APXvYqy7T4IE4Zi5ub/PJTqKh2g+4zw8UNzQ+2TwMh80XRd3dqjDBpg4U7R87Gvr4m660aNpwvP+ X-Received: by 2002:a05:6830:10d7:: with SMTP id z23mr76096792oto.114.1577749228194; Mon, 30 Dec 2019 15:40:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1577749228; cv=none; d=google.com; s=arc-20160816; b=qn0cyj/aikb2CZ89nCkLU0AgRekgsqBbkAKogkr3ld97JjpMHPVIU5Bj+z8W3aR/uk XqhidtLvI4hoWmuRvjdv1TqFtW8ppGK2prgFf7oyW+KJ5RCVdS1aeAwe3Gj3j2YXnPqX rX6ge1dlzNUSqCm+dm6JdgXitfL8vRlVogmuVKF4IDqjd4cWFTPhIAAxRHIJegR+1h3k OQX94dn6UjFYStZxfXfi/h+FjB61U97UFrtj3rd2rb1wMaP5NK2N+2SuSS6gHGHc1sHJ owlcGPK57dd1HS43tt3SCeKjFn+uHQT9Sv1Fi3CIf8EOzMp9ddbZiglg8m2OCMjPZgzm i6rA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=UV18QxzNw74OQEVccoyAS4yfxDD5XxdtiGTMxWiHN98=; b=OazBXraEfJoD3YPIjA3UgufvpntxeTYsb0P0qwtW2j/mdOHH4uuA77j4io7xdK/M8H I5TTrygTw92uGHnmn0d+EmztAfEHMrqnkVYRl2qf8IqJfKHmXPN5X2W6LTYia1uehZG0 6KBGEqWaoGpLvW3r+fQ7obD6puK/jds577OCJQjHtj4TmyuO2L31qsBrwg31R/I/Mu0W xC449vJcv8UFy8s2xsAIb/R2eHHqVWX/S+jnzYUK1znhKQwQcApDFWDS/ALLkSA5fw8z m6S3LJPfCw0MgWOEeasx6QyfnJwzTHqa9yz83mht41SCI5SDRUgEYirEATmI4BK4L8un AbFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=TyYUCZR+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h14si25490475otn.6.2019.12.30.15.40.13; Mon, 30 Dec 2019 15:40:28 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=TyYUCZR+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727766AbfL3XiT (ORCPT + 99 others); Mon, 30 Dec 2019 18:38:19 -0500 Received: from mail-wr1-f66.google.com ([209.85.221.66]:40235 "EHLO mail-wr1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727740AbfL3XiS (ORCPT ); Mon, 30 Dec 2019 18:38:18 -0500 Received: by mail-wr1-f66.google.com with SMTP id c14so33972932wrn.7; Mon, 30 Dec 2019 15:38:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=UV18QxzNw74OQEVccoyAS4yfxDD5XxdtiGTMxWiHN98=; b=TyYUCZR+6kQ+HW3M7eGq7s6+mRivf7dpl+FJeiN1yA+jSfyGVT8m/j5965jlyhfsCi f48uEv+M+ppfKoot4NPQyPbZVNtoJbTE2o2uu+Q0GucOYnkWcDiiFhEfsgWhd4i6ApQa xm4Yo8tExN/cOp5J8mopXd2TxItbzEeGPRFqUzL6Gd3xOLxS/52pXDEZx97pWQPL+nTU 1dLDGJbuRXIxtm6PqBKmqNkQeg4CxWpXJPXk7BpD3C1tIgM4c5TOKi0ha6a32EqmbWYj i72x32SE7N7dYTraesZiixd2SFlCV1h/+2SQPPjusC1GVS6qMVqlEOClyVQv9AdBF/My 30Uw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=UV18QxzNw74OQEVccoyAS4yfxDD5XxdtiGTMxWiHN98=; b=LpR82ZNPFHq5lq5Vc4Rzxik0JpS4RUGid/LAaE9biMPNEWSrx6iy5G9aS3LG0sYs7Y O8JG+RTnDEQ3X2zgp8lOgtfzWvfAEZI3l5Qnmi8kGNbESxDU17uDZLlXEmHml8KGOpJb 0t5mMCHj80FfTx3cOLI/pcKkMyuSHGAyzhVkNrOXHWEjGpqI9HJnA+YTQ4JersRYcOzp 62d/nebfr0bfCSYo7PSZGd9V/rmnN/0ZdhjbMBN9eGcF0FAqWiP+pEb1bgNs/anHpr/x M5gT4Rc+FDjiJh8SPO139TrhT8XcstmPLprqVYYJ33WugNKiO4PH8qNeucS0XRT4CgqR DS2w== X-Gm-Message-State: APjAAAXpgnJkOgBoAIF1BGo8Baa4Mrp45j4N7ra0pxgT6vuoS3sz5NBM aDP+E9FAZF2T8yKsfxIRRcaCWcR7 X-Received: by 2002:adf:ec4c:: with SMTP id w12mr1944547wrn.124.1577749096183; Mon, 30 Dec 2019 15:38:16 -0800 (PST) Received: from ltop.local ([2a02:a03f:40c7:f800:7c46:7fac:a1c:a5b2]) by smtp.gmail.com with ESMTPSA id g21sm888287wmh.17.2019.12.30.15.38.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Dec 2019 15:38:15 -0800 (PST) Date: Tue, 31 Dec 2019 00:38:14 +0100 From: Luc Van Oostenryck To: Kees Cook Cc: Eric Biggers , Peter Zijlstra , linux-kernel@vger.kernel.org, Ingo Molnar , Will Deacon , Elena Reshetova , Thomas Gleixner , Anna-Maria Gleixner , Sebastian Andrzej Siewior , linux-sparse@vger.kernel.org Subject: Re: [PATCH] locking/refcount: add sparse annotations to dec-and-lock functions Message-ID: <20191230233814.2fgmsgtnhruhklnu@ltop.local> References: <20191226152922.2034-1-ebiggers@kernel.org> <20191228114918.GU2827@hirez.programming.kicks-ass.net> <201912301042.FB806E1133@keescook> <20191230191547.GA1501@zzz.localdomain> <201912301131.2C7C51E8C6@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201912301131.2C7C51E8C6@keescook> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Dec 30, 2019 at 11:32:31AM -0800, Kees Cook wrote: > On Mon, Dec 30, 2019 at 01:15:47PM -0600, Eric Biggers wrote: > > > > The annotation needs to go in the .h file, not the .c file, because sparse only > > analyzes individual translation units. > > > > It needs to be a wrapper macro because it needs to tie the acquisition of the > > lock to the return value being true. I.e. there's no annotation you can apply > > directly to the function prototype that means "if this function returns true, it > > acquires the lock that was passed in parameter N". > > Gotcha. Well, I guess I leave it to Will and Peter to hash out... > > Is there a meaningful proposal anywhere for sparse to DTRT here? If > not, it seems best to use what you've proposed until sparse reaches the > point of being able to do this on its own. What "Right Thing" are you thinking about? One of the simplest situation with these conditional locks is: if (test) lock(); do_stuff(); if (test) unlock(); No program can check that the second test gives the same result than the first one, it's undecidable. I mean, it's undecidable even on if single threaded and without interrupts. The best you can do is to simulate the whole thing (and be sure your simulation will halt). As far as I understand, it was the intention behind Sparse's design regarding locking ("context in sparse's parlance) to discourage such code and instead encourage to write things like: if (test) { do_stuff_unlocked(); } else { lock(); do_stuff_unlocked(); unlock(); } where it is easy to check localy that the lock/unlock are balanced. So, of course Sparse could be improved to prove that some of the conditional locks are equivalent to unconditional ones like here just above (it already does but only for very simple cases where everything is inlined) but I don't thing there is a RT. -- Luc Van Oostenryck