From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Damien Hedde <damien.hedde@greensocs.com>,
qemu-arm@nongnu.org, qemu-devel@nongnu.org,
Juan Quintela <quintela@redhat.com>
Subject: Re: [Qemu-arm] [PATCH for-4.1? 2/2] vmstate.h: Type check VMSTATE_STRUCT_VARRAY macros
Date: Thu, 25 Jul 2019 18:27:12 +0100 [thread overview]
Message-ID: <20190725172712.GM2656@work-vm> (raw)
In-Reply-To: <20190725163710.11703-3-peter.maydell@linaro.org>
* Peter Maydell (peter.maydell@linaro.org) wrote:
> The VMSTATE_STRUCT_VARRAY_UINT32 macro is intended to handle
> migrating a field which is an array of structs, but where instead of
> migrating the entire array we only migrate a variable number of
> elements of it.
>
> The VMSTATE_STRUCT_VARRAY_POINTER_UINT32 macro is intended to handle
> migrating a field which is of pointer type, and points to a
> dynamically allocated array of structs of variable size.
>
> We weren't actually checking that the field passed to
> VMSTATE_STRUCT_VARRAY_UINT32 really is an array, with the result that
> accidentally using it where the _POINTER_ macro was intended would
> compile but silently corrupt memory on migration.
>
> Add type-checking that enforces that the field passed in is
> really of the right array type. This applies to all the VMSTATE
> macros which use flags including VMS_VARRAY_* but not VMS_POINTER.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> include/migration/vmstate.h | 27 +++++++++++++++++++++------
> 1 file changed, 21 insertions(+), 6 deletions(-)
>
> diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
> index ca68584eba4..2df333c3612 100644
> --- a/include/migration/vmstate.h
> +++ b/include/migration/vmstate.h
> @@ -227,8 +227,19 @@ extern const VMStateInfo vmstate_info_bitmap;
> extern const VMStateInfo vmstate_info_qtailq;
>
> #define type_check_2darray(t1,t2,n,m) ((t1(*)[n][m])0 - (t2*)0)
> +/* Check that t2 is an array of t1 of size n */
> #define type_check_array(t1,t2,n) ((t1(*)[n])0 - (t2*)0)
I'd have to admit I don't understand why that does what you say;
I'd expected something to index a t2 pointer with [n].
However, for the rest of it, from migration I'm happy:
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
given it's just fixing an ARM bug, and given it'll blow up straight away
I think it's OK for 4.1; the only risk is if we find a compiler we don't
like.
> #define type_check_pointer(t1,t2) ((t1**)0 - (t2*)0)
> +/*
> + * type of element 0 of the specified (array) field of the type.
> + * Note that if the field is a pointer then this will return the
> + * pointed-to type rather than complaining.
> + */
> +#define typeof_elt_of_field(type, field) typeof(((type *)0)->field[0])
> +/* Check that field f in struct type t2 is an array of t1, of any size */
> +#define type_check_varray(t1, t2, f) \
> + (type_check(t1, typeof_elt_of_field(t2, f)) \
> + + QEMU_BUILD_BUG_ON_ZERO(!QEMU_IS_ARRAY(((t2 *)0)->f)))
>
> #define vmstate_offset_value(_state, _field, _type) \
> (offsetof(_state, _field) + \
> @@ -253,6 +264,10 @@ extern const VMStateInfo vmstate_info_qtailq;
> vmstate_offset_array(_state, _field, uint8_t, \
> sizeof(typeof_field(_state, _field)))
>
> +#define vmstate_offset_varray(_state, _field, _type) \
> + (offsetof(_state, _field) + \
> + type_check_varray(_type, _state, _field))
> +
> /* In the macros below, if there is a _version, that means the macro's
> * field will be processed only if the version being received is >=
> * the _version specified. In general, if you add a new field, you
> @@ -347,7 +362,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .info = &(_info), \
> .size = sizeof(_type), \
> .flags = VMS_VARRAY_UINT32|VMS_MULTIPLY_ELEMENTS, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_ARRAY_TEST(_field, _state, _num, _test, _info, _type) {\
> @@ -376,7 +391,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .info = &(_info), \
> .size = sizeof(_type), \
> .flags = VMS_VARRAY_INT32, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_VARRAY_INT32(_field, _state, _field_num, _version, _info, _type) {\
> @@ -416,7 +431,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .info = &(_info), \
> .size = sizeof(_type), \
> .flags = VMS_VARRAY_UINT16, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_VSTRUCT_TEST(_field, _state, _test, _version, _vmsd, _type, _struct_version) { \
> @@ -520,7 +535,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .vmsd = &(_vmsd), \
> .size = sizeof(_type), \
> .flags = VMS_STRUCT|VMS_VARRAY_UINT8, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> /* a variable length array (i.e. _type *_field) but we know the
> @@ -573,7 +588,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .vmsd = &(_vmsd), \
> .size = sizeof(_type), \
> .flags = VMS_STRUCT|VMS_VARRAY_INT32, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_STRUCT_VARRAY_UINT32(_field, _state, _field_num, _version, _vmsd, _type) { \
> @@ -583,7 +598,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .vmsd = &(_vmsd), \
> .size = sizeof(_type), \
> .flags = VMS_STRUCT|VMS_VARRAY_UINT32, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_STRUCT_VARRAY_ALLOC(_field, _state, _field_num, _version, _vmsd, _type) {\
> --
> 2.20.1
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
WARNING: multiple messages have this Message-ID (diff)
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Damien Hedde <damien.hedde@greensocs.com>,
qemu-arm@nongnu.org, qemu-devel@nongnu.org,
Juan Quintela <quintela@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-4.1? 2/2] vmstate.h: Type check VMSTATE_STRUCT_VARRAY macros
Date: Thu, 25 Jul 2019 18:27:12 +0100 [thread overview]
Message-ID: <20190725172712.GM2656@work-vm> (raw)
In-Reply-To: <20190725163710.11703-3-peter.maydell@linaro.org>
* Peter Maydell (peter.maydell@linaro.org) wrote:
> The VMSTATE_STRUCT_VARRAY_UINT32 macro is intended to handle
> migrating a field which is an array of structs, but where instead of
> migrating the entire array we only migrate a variable number of
> elements of it.
>
> The VMSTATE_STRUCT_VARRAY_POINTER_UINT32 macro is intended to handle
> migrating a field which is of pointer type, and points to a
> dynamically allocated array of structs of variable size.
>
> We weren't actually checking that the field passed to
> VMSTATE_STRUCT_VARRAY_UINT32 really is an array, with the result that
> accidentally using it where the _POINTER_ macro was intended would
> compile but silently corrupt memory on migration.
>
> Add type-checking that enforces that the field passed in is
> really of the right array type. This applies to all the VMSTATE
> macros which use flags including VMS_VARRAY_* but not VMS_POINTER.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> include/migration/vmstate.h | 27 +++++++++++++++++++++------
> 1 file changed, 21 insertions(+), 6 deletions(-)
>
> diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
> index ca68584eba4..2df333c3612 100644
> --- a/include/migration/vmstate.h
> +++ b/include/migration/vmstate.h
> @@ -227,8 +227,19 @@ extern const VMStateInfo vmstate_info_bitmap;
> extern const VMStateInfo vmstate_info_qtailq;
>
> #define type_check_2darray(t1,t2,n,m) ((t1(*)[n][m])0 - (t2*)0)
> +/* Check that t2 is an array of t1 of size n */
> #define type_check_array(t1,t2,n) ((t1(*)[n])0 - (t2*)0)
I'd have to admit I don't understand why that does what you say;
I'd expected something to index a t2 pointer with [n].
However, for the rest of it, from migration I'm happy:
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
given it's just fixing an ARM bug, and given it'll blow up straight away
I think it's OK for 4.1; the only risk is if we find a compiler we don't
like.
> #define type_check_pointer(t1,t2) ((t1**)0 - (t2*)0)
> +/*
> + * type of element 0 of the specified (array) field of the type.
> + * Note that if the field is a pointer then this will return the
> + * pointed-to type rather than complaining.
> + */
> +#define typeof_elt_of_field(type, field) typeof(((type *)0)->field[0])
> +/* Check that field f in struct type t2 is an array of t1, of any size */
> +#define type_check_varray(t1, t2, f) \
> + (type_check(t1, typeof_elt_of_field(t2, f)) \
> + + QEMU_BUILD_BUG_ON_ZERO(!QEMU_IS_ARRAY(((t2 *)0)->f)))
>
> #define vmstate_offset_value(_state, _field, _type) \
> (offsetof(_state, _field) + \
> @@ -253,6 +264,10 @@ extern const VMStateInfo vmstate_info_qtailq;
> vmstate_offset_array(_state, _field, uint8_t, \
> sizeof(typeof_field(_state, _field)))
>
> +#define vmstate_offset_varray(_state, _field, _type) \
> + (offsetof(_state, _field) + \
> + type_check_varray(_type, _state, _field))
> +
> /* In the macros below, if there is a _version, that means the macro's
> * field will be processed only if the version being received is >=
> * the _version specified. In general, if you add a new field, you
> @@ -347,7 +362,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .info = &(_info), \
> .size = sizeof(_type), \
> .flags = VMS_VARRAY_UINT32|VMS_MULTIPLY_ELEMENTS, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_ARRAY_TEST(_field, _state, _num, _test, _info, _type) {\
> @@ -376,7 +391,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .info = &(_info), \
> .size = sizeof(_type), \
> .flags = VMS_VARRAY_INT32, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_VARRAY_INT32(_field, _state, _field_num, _version, _info, _type) {\
> @@ -416,7 +431,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .info = &(_info), \
> .size = sizeof(_type), \
> .flags = VMS_VARRAY_UINT16, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_VSTRUCT_TEST(_field, _state, _test, _version, _vmsd, _type, _struct_version) { \
> @@ -520,7 +535,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .vmsd = &(_vmsd), \
> .size = sizeof(_type), \
> .flags = VMS_STRUCT|VMS_VARRAY_UINT8, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> /* a variable length array (i.e. _type *_field) but we know the
> @@ -573,7 +588,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .vmsd = &(_vmsd), \
> .size = sizeof(_type), \
> .flags = VMS_STRUCT|VMS_VARRAY_INT32, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_STRUCT_VARRAY_UINT32(_field, _state, _field_num, _version, _vmsd, _type) { \
> @@ -583,7 +598,7 @@ extern const VMStateInfo vmstate_info_qtailq;
> .vmsd = &(_vmsd), \
> .size = sizeof(_type), \
> .flags = VMS_STRUCT|VMS_VARRAY_UINT32, \
> - .offset = offsetof(_state, _field), \
> + .offset = vmstate_offset_varray(_state, _field, _type), \
> }
>
> #define VMSTATE_STRUCT_VARRAY_ALLOC(_field, _state, _field_num, _version, _vmsd, _type) {\
> --
> 2.20.1
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2019-07-25 17:27 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-25 16:37 [Qemu-arm] [PATCH for-4.1? 0/2] Typecheck VMSTATE VARRAY macros and fix bug found Peter Maydell
2019-07-25 16:37 ` [Qemu-devel] " Peter Maydell
2019-07-25 16:37 ` [Qemu-devel] [PATCH for-4.1? 1/2] stellaris_input: Fix vmstate description of buttons field Peter Maydell
2019-07-25 17:02 ` [Qemu-arm] " Dr. David Alan Gilbert
2019-07-25 17:02 ` [Qemu-devel] " Dr. David Alan Gilbert
2019-07-25 17:40 ` [Qemu-arm] " Philippe Mathieu-Daudé
2019-07-25 17:40 ` Philippe Mathieu-Daudé
2019-07-26 9:52 ` [Qemu-arm] " Peter Maydell
2019-07-26 9:52 ` Peter Maydell
2019-07-26 9:59 ` [Qemu-arm] " Dr. David Alan Gilbert
2019-07-26 9:59 ` Dr. David Alan Gilbert
2019-07-26 10:03 ` [Qemu-arm] " Peter Maydell
2019-07-26 10:03 ` Peter Maydell
2019-07-25 17:59 ` [Qemu-arm] " Peter Maydell
2019-07-25 17:59 ` [Qemu-devel] " Peter Maydell
2019-07-25 18:32 ` [Qemu-arm] " Dr. David Alan Gilbert
2019-07-25 18:32 ` [Qemu-devel] " Dr. David Alan Gilbert
2019-07-26 8:25 ` [Qemu-arm] " Damien Hedde
2019-07-26 8:25 ` Damien Hedde
2019-07-26 8:47 ` [Qemu-arm] " Peter Maydell
2019-07-26 8:47 ` Peter Maydell
2019-07-25 16:37 ` [Qemu-devel] [PATCH for-4.1? 2/2] vmstate.h: Type check VMSTATE_STRUCT_VARRAY macros Peter Maydell
2019-07-25 17:27 ` Dr. David Alan Gilbert [this message]
2019-07-25 17:27 ` Dr. David Alan Gilbert
2019-07-25 17:57 ` [Qemu-arm] " Peter Maydell
2019-07-25 17:57 ` [Qemu-devel] " Peter Maydell
2019-07-25 18:00 ` [Qemu-arm] " Dr. David Alan Gilbert
2019-07-25 18:00 ` [Qemu-devel] " Dr. David Alan Gilbert
2019-07-26 9:24 ` [Qemu-arm] " Peter Maydell
2019-07-26 9:24 ` [Qemu-devel] " Peter Maydell
2019-07-26 9:32 ` [Qemu-arm] " Dr. David Alan Gilbert
2019-07-26 9:32 ` [Qemu-devel] " Dr. David Alan Gilbert
2019-07-26 9:33 ` [Qemu-arm] " Peter Maydell
2019-07-26 9:33 ` [Qemu-devel] " Peter Maydell
2019-07-26 9:34 ` [Qemu-arm] " Dr. David Alan Gilbert
2019-07-26 9:34 ` [Qemu-devel] " Dr. David Alan Gilbert
2019-07-26 9:12 ` [Qemu-arm] " Damien Hedde
2019-07-26 9:12 ` Damien Hedde
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190725172712.GM2656@work-vm \
--to=dgilbert@redhat.com \
--cc=damien.hedde@greensocs.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.