Return-Path: Received: from mail-yb1-f195.google.com ([209.85.219.195]:33875 "EHLO mail-yb1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728062AbeJVR7N (ORCPT ); Mon, 22 Oct 2018 13:59:13 -0400 Received: by mail-yb1-f195.google.com with SMTP id n140-v6so1025060yba.1 for ; Mon, 22 Oct 2018 02:41:27 -0700 (PDT) Received: from mail-yb1-f172.google.com (mail-yb1-f172.google.com. [209.85.219.172]) by smtp.gmail.com with ESMTPSA id k2-v6sm8765513ywh.52.2018.10.22.02.41.26 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Oct 2018 02:41:26 -0700 (PDT) Received: by mail-yb1-f172.google.com with SMTP id n140-v6so1025042yba.1 for ; Mon, 22 Oct 2018 02:41:26 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: References: <20181021171414.22674-1-miguel.ojeda.sandonis@gmail.com> <20181021171414.22674-2-miguel.ojeda.sandonis@gmail.com> <20181021222712.GI1617@thunk.org> From: Kees Cook Date: Mon, 22 Oct 2018 02:34:13 -0700 Message-ID: Subject: Re: [PATCH 1/2] Compiler Attributes: add support for __fallthrough (gcc >= 7.1) To: Miguel Ojeda , "Gustavo A. R. Silva" Cc: "Ted Ts'o" , Greg KH , linux-kernel , Dan , Andreas Dilger , Masahiro Yamada , Michal Marek , Steven Rostedt , Mauro Carvalho Chehab , Olof Johansson , Konstantin Ryabitsev , David Miller , Andrey Ryabinin , Thomas Gleixner , Ingo Molnar , Paul Lawrence , Sandipan Das , Andrey Konovalov , David Woodhouse , Will Deacon , Philippe Ombredanne , Paul Burton , David Rientjes , Willy Tarreau , Martin Sebor , Christopher Li , Jonathan Corbet , Geert Uytterhoeven , Rasmus Villemoes , Joe Perches , Arnd Bergmann , Dominique Martinet , Stefan Agner , Luc Van Oostenryck , Nick Desaulniers , Andrew Morton , Linus Torvalds , Linux Doc Mailing List , Ext4 Developers List , Sparse Mailing-list , linux-kbuild Content-Type: text/plain; charset="UTF-8" Sender: linux-ext4-owner@vger.kernel.org List-ID: On Mon, Oct 22, 2018 at 2:26 AM, Miguel Ojeda wrote: > On Mon, Oct 22, 2018 at 12:27 AM Theodore Y. Ts'o wrote: >> >> On Sun, Oct 21, 2018 at 07:14:13PM +0200, Miguel Ojeda wrote: >> > From the GCC manual: >> > >> > fallthrough >> > >> > The fallthrough attribute with a null statement serves as a >> > fallthrough statement. It hints to the compiler that a statement >> > that falls through to another case label, or user-defined label >> > in a switch statement is intentional and thus the -Wimplicit-fallthrough >> > warning must not trigger. The fallthrough attribute may appear >> > at most once in each attribute list, and may not be mixed with >> > other attributes. It can only be used in a switch statement >> > (the compiler will issue an error otherwise), after a preceding >> > statement and before a logically succeeding case label, >> > or user-defined label. >> > >> > https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html Please CC Gustavo on these kinds of things -- he's been driving the bulk of the fall through coverage. >> Do we know if coverity understands the fallthrough attribute? One of >> the reasons why I started using /* fallthrough */ is because it kept >> Coverity happy. > > If Coverity is like gcc, they should be doing both (i.e. I see the > comment parsing as an "extra" that gcc did, but the "basic stuff" is > the attribute -- and I would guess it is way easier for them to > support than the comment parsing). > > But I cannot test it myself :-( Someone, please? > > However, if I understood Greg correctly in his reply to the cover > letter, he replied that Coverity knows about it (?). > >> >> If the conversion from /* fallthrough */ to the __fallthrough__ >> attribute means that we start gethting a lot of Coverity warnings, >> that would be unfortunate. OTOH, if this is getting standardized, >> maybe we can get Coverity to understand this attribute? > > Indeed! That would be the best for everyone, including Coverity customers. We need to make sure the static analyzers are happy with either method. Additionally, when was -Wimplicit-fallthrough added to GCC? If it was added _before_ the attribute, we need to continue using the comment style otherwise we lose coverage even with gcc itself. Additionally, does Clang support this attribute (it supports -Wimplicit-fallthrough). -Kees -- Kees Cook Pixel Security