From: Al Viro <viro@ZenIV.linux.org.uk>
To: Emese Revfy <re.emese@gmail.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 28/31] Constify struct super_operations for 2.6.32 v1
Date: Wed, 9 Dec 2009 00:47:34 +0000 [thread overview]
Message-ID: <20091209004734.GO14381@ZenIV.linux.org.uk> (raw)
In-Reply-To: <4B1EEE42.6090202@gmail.com>
On Wed, Dec 09, 2009 at 01:24:34AM +0100, Emese Revfy wrote:
> If constifying the function pointer fields reduces readability,
> what would you say for turning them into typedefs, something like this:
>
> typedef int (* super_ops_statfs) (struct dentry *, struct kstatfs *);
> struct super_operations {
> ...
> const super_ops_statfs statfs;
> ...
> };
Even worse, since one has to go back to typedef to figure out WTF is
going on.
> > Moreover, you *still* are not
> > covering the real policy - these suckers should be statically allocated,
> > not just never modified.
>
> If the super ops are allocated on the stack then they will be overwritten
> during later syscalls and will eventually crash the system on a future
> dereference, that is, this kind of problem manifests during development.
>
> If the super ops are allocated by kmalloc/etc, then they will have to be
> explicitly initialised by writing to specific fields, my patch would prevent
> that.
>
> So in the end the programmer is forced to allocate and initialise super ops
> statically.
... unless they go ahead and use memcpy(), etc.
What you really want is
	(1) no conversions to any other pointer types for pointers to it
	    and to any aggregate types containing it
	(2) no conversions from any other pointer types for the same set of
	    types
	(3) all objects of that type have static storage duration
	(4) no lvalues of that type are modifiable
Which is not a job for C compiler. Yes, (4) means that memcpy() et al.
give undefined behaviour. And you get fsck-all satisfaction from knowing
that, since C compiler is not going to warn you about it. sparse might,
if we teach it to do so. Preferably - with minimal intrusiveness of
syntax being used.
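The point above about memcpy() is easy to check for oneself. The following is an added user-space model, not code from the thread or from the kernel: it keeps the kernel's names (struct super_operations, statfs, put_super, struct kstatfs) but cuts the struct down to two members with assumed signatures. It shows that const-qualified fields reject `ops->statfs = fn` yet say nothing about a heap-allocated table filled by memcpy(), nor about a single const member being replaced the same way, which is exactly why "never modified" is weaker than "statically allocated".

```c
/*
 * Added example, not from the thread or the kernel: a user-space model of
 * what const-qualified fields buy for an ops table, and what they miss.
 * Struct, member and function names are assumptions mirroring the kernel's
 * naming; the real struct has many more members and other signatures.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dentry;                              /* opaque, as in the kernel */
struct kstatfs { unsigned long f_bsize; };

/* Field-level const, the form the patch series is discussing. */
struct super_operations {
	int  (* const statfs)(struct dentry *, struct kstatfs *);
	void (* const put_super)(void *sb);
};

static int real_statfs(struct dentry *d, struct kstatfs *st)
{
	(void)d;
	st->f_bsize = 4096;
	return 0;
}

/* Stands in for whatever a buggy driver (or an attacker with a write
 * primitive) would like to install instead of the real method. */
static int rogue_statfs(struct dentry *d, struct kstatfs *st)
{
	(void)d;
	st->f_bsize = 0;
	return -1;
}

static void noop_put_super(void *sb) { (void)sb; }

/* The policy asked for in the thread, done by hand: static storage
 * duration, const-qualified, initialised in place, never copied. */
static const struct super_operations good_ops = {
	.statfs    = real_statfs,
	.put_super = noop_put_super,
};

/* Call through whatever table we are handed and report what it said. */
unsigned long bsize_via(const struct super_operations *ops)
{
	struct kstatfs st = { 0 };

	if (ops->statfs(NULL, &st) != 0)
		return 0;
	return st.f_bsize;
}

/*
 * Heap-allocated table filled from a template. `ops->statfs = fn' would be
 * rejected because the member is const, but memcpy() takes void * and the
 * compiler has nothing to say about it.
 */
struct super_operations *alloc_ops_via_memcpy(const struct super_operations *tmpl)
{
	struct super_operations *ops = malloc(sizeof *ops);

	if (!ops)
		return NULL;
	memcpy(ops, tmpl, sizeof *ops);
	return ops;
}

/*
 * Replacing one const member of an existing heap table, again via memcpy()
 * instead of assignment: compiles clean, and the next caller of
 * ops->statfs gets the new function.
 */
void swap_statfs_via_memcpy(struct super_operations *ops,
			    int (*fn)(struct dentry *, struct kstatfs *))
{
	memcpy((char *)ops + offsetof(struct super_operations, statfs),
	       &fn, sizeof fn);
}

int main(void)
{
	struct super_operations *heap = alloc_ops_via_memcpy(&good_ops);

	if (!heap)
		return 1;
	printf("static table:       f_bsize=%lu\n", bsize_via(&good_ops));
	printf("memcpy'd heap copy: f_bsize=%lu\n", bsize_via(heap));
	swap_statfs_via_memcpy(heap, rogue_statfs);
	printf("after memcpy swap:  f_bsize=%lu\n", bsize_via(heap));
	free(heap);
	return 0;
}
```

Build with `-Wall -Wextra` and note the absence of any diagnostic for the two memcpy() paths; only the direct assignment form would be refused. That silence is the gap a sparse-style check would have to close, since the static-storage and no-modifiable-lvalue rules are about the object, not about the type of the expression used to write it.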
Thread overview (14+ messages):
2009-12-06 5:14 [PATCH 28/31] Constify struct super_operations for 2.6.32 v1 Alexey Dobriyan
2009-12-06 14:23 ` Emese Revfy
2009-12-07 18:30 ` Alexey Dobriyan
2009-12-08 0:06 ` Emese Revfy
2009-12-08 1:51 ` Al Viro
2009-12-09 0:24 ` Emese Revfy
2009-12-09 0:47 ` Al Viro [this message]
2009-12-09 8:22 ` Olivier Galibert
2009-12-10 18:24 ` Emese Revfy
2009-12-09 1:31 ` Ralf Baechle
2009-12-09 1:45 ` Al Viro
-- strict thread matches above, loose matches on Subject: below --
2009-12-04 22:00 [PATCH 00/31] constify various _ops structures " Emese Revfy
2009-12-04 22:47 ` [PATCH 28/31] Constify struct super_operations " Emese Revfy
2009-12-06 1:23 ` Al Viro
2009-12-06 1:41 ` Emese Revfy