From: david.laight.linux@gmail.com
To: Nathan Chancellor <nathan@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@kernel.org>,
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
	Arnd Bergmann <arnd@arndb.de>,
	linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org,
	Yury Norov <yury.norov@gmail.com>,
	Lucas De Marchi <lucas.demarchi@intel.com>,
	Jani Nikula <jani.nikula@intel.com>,
	Vincent Mailhol <mailhol.vincent@wanadoo.fr>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Kees Cook <keescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: David Laight <david.laight.linux@gmail.com>
Subject: [PATCH next 11/14] bit: Strengthen compile-time tests in GENMASK() and BIT()
Date: Wed, 21 Jan 2026 14:57:28 +0000
Message-ID: <20260121145731.3623-12-david.laight.linux@gmail.com>
In-Reply-To: <20260121145731.3623-1-david.laight.linux@gmail.com>

From: David Laight <david.laight.linux@gmail.com>

The current checks in GENMASK/BIT (e.g. reversed high/low) only work
for 'integer constant expressions', not 'compile-time constants'.
This is true for const_true() and -Wshift-count-overflow/negative.
While compile-time constants may be unusual, they can happen through
function inlining.

This isn't too bad with gcc, but if clang detects a negative/over-large
shift it treats it as 'undefined behaviour' and silently discards all
code that would use the result, so:
int f(u32 x) {int n = 32; return x >> n; }
generates a function that just contains a 'return' instruction.
If 'n' was a variable that happened to be 32, most modern CPUs mask
the count, so it would return 'x'; some might return 0.

Add extra checks for arguments that pass __builtin_constant_p()
but are not 'integer constant expressions'.
__builtin_choose_expr() isn't strong enough to allow
_Static_assert() or ({ ... }) in the other branch so non-standard
schemes are used to report the errors.

To reduce pre-processor bloat the checks are only enabled for W=c
(implied by W=1) builds (where they are errors).

Update the unit tests to match.

Signed-off-by: David Laight <david.laight.linux@gmail.com>
---
 include/linux/bits.h  | 45 +++++++++++++++++++++++++++++++++----------
 lib/tests/test_bits.c | 34 +++++++++++++++++++-------------
 2 files changed, 56 insertions(+), 23 deletions(-)

diff --git a/include/linux/bits.h b/include/linux/bits.h
index 43631a334314..0f559038981d 100644
--- a/include/linux/bits.h
+++ b/include/linux/bits.h
@@ -23,20 +23,35 @@
 #include <linux/compiler.h>
 #include <linux/overflow.h>
 
-#define GENMASK_INPUT_CHECK(h, l) BUILD_BUG_ON_ZERO(const_true((l) > (h)))
+#ifndef KBUILD_EXTRA_WARNc
+#define GENMASK_INPUT_CHECK(h, l, width) 0
+#else
+int GENMASK_INPUT_CHECK_FAIL(void) __compiletime_error("Invalid bit numbers");
+#define GENMASK_INPUT_CHECK(h, l, width)				\
+	(__builtin_choose_expr(__is_constexpr((l) > (h)),		\
+		sizeof(struct { char low_bit_greater_than_high[-((l) > (h))];}), \
+		__builtin_constant_p((l) | (h)) &&			\
+			((l) < 0 || (l) > (h) || (h) >= width) &&	\
+			GENMASK_INPUT_CHECK_FAIL()))
+#endif
 
 /*
- * Generate a mask for the specified type @t. Additional checks are made to
- * guarantee the value returned fits in that type, relying on
- * -Wshift-count-overflow compiler check to detect incompatible arguments.
+ * Generate a mask for the specified type @t.
+ * Checks are made to guarantee the value returned fits in that type.
+ * The compiler's -Wshift-count-overflow/negative check detects invalid values
+ * from 'constant integer expressions' but not other compile time constants.
+ * Clang treats out of value constants as 'undefined behaviour' and stops
+ * generating code - so explicit checks are needed.
+ * Neither BUILD_BUG() nor BUILD_BUG_ON_ZERO() can be used.
+ *
  * For example, all these create build errors or warnings:
  *
  * - GENMASK(15, 20): wrong argument order
  * - GENMASK(72, 15): doesn't fit unsigned long
  * - GENMASK_U32(33, 15): doesn't fit in a u32
  */
-#define GENMASK_TYPE(t, h, l)					\
-	((unsigned int)GENMASK_INPUT_CHECK(h, l) +		\
+#define GENMASK_TYPE(t, h, l)						\
+	((unsigned int)GENMASK_INPUT_CHECK(h, l, BITS_PER_TYPE(t)) +	\
 	 ((t)-1 << (l) & (t)-1 >> (BITS_PER_TYPE(t) - 1 - (h))))
 #endif
 
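Review bot: the width test `(h) >= width` appears only in the non-ICE branch of GENMASK_INPUT_CHECK(); for integer-constant-expression arguments the `sizeof(struct { char low_bit_greater_than_high[...] })` branch checks only `(l) > (h)`, so an ICE `h` that does not fit the type is still left to the compiler's -Wshift-count-overflow on the shift in GENMASK_TYPE() rather than to this check. Either add `|| (h) >= (width)` next to the reversed-argument test in that branch, or say in the comment that the width test here covers only non-ICE constants; as written, the comment reads as if all three example cases are caught by this macro. Also, `width` is used unparenthesised in `(h) >= width`; `(width)` is the usual macro hygiene even though the only caller passes BITS_PER_TYPE(t). Minor wording: 'out of value constants' should be 'out-of-range constants'.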
@@ -52,16 +67,26 @@
 #if !defined(__ASSEMBLY__)
 /*
  * Fixed-type variants of BIT(), with additional checks like GENMASK_TYPE().
- * The following examples generate compiler warnings from BIT_INPUT_CHECK().
+ * The following examples generate compiler errors from BIT_INPUT_CHECK().
  *
  * - BIT_U8(8)
  * - BIT_U32(-1)
  * - BIT_U32(40)
  */
-#define BIT_INPUT_CHECK(type, nr) \
-	BUILD_BUG_ON_ZERO(const_true((nr) >= BITS_PER_TYPE(type)))
 
-#define BIT_TYPE(type, nr) ((unsigned int)BIT_INPUT_CHECK(type, nr) + ((type)1 << (nr)))
+#ifndef KBUILD_EXTRA_WARNc
+#define BIT_INPUT_CHECK(nr, width) 0
+#else
+int BIT_INPUT_CHECK_FAIL(void) __compiletime_error("Bit number out of range");
+#define BIT_INPUT_CHECK(nr, width)						\
+	(__builtin_choose_expr(__is_constexpr(nr),				\
+		sizeof(struct { char bit_number_too_big[-((nr) >= (width))];}),	\
+		__builtin_constant_p(nr) && ((nr) < 0 || (nr) >= width) &&	\
+			BIT_INPUT_CHECK_FAIL()))
+#endif
+
+#define BIT_TYPE(type, nr) \
+	((unsigned int)BIT_INPUT_CHECK(+(nr), BITS_PER_TYPE(type)) + ((type)1 << (nr)))
 #endif /* defined(__ASSEMBLY__) */
 
 #define BIT_U8(nr)	BIT_TYPE(u8, nr)
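Review bot: the `+(nr)` in BIT_TYPE()'s call to BIT_INPUT_CHECK() is unexplained; a one-line comment on why the unary plus is needed (and why GENMASK_TYPE() does not need it for h and l) would save the next reader a detour. In BIT_INPUT_CHECK() itself, `nr` and `width` are used unparenthesised in `__is_constexpr(nr)`, `__builtin_constant_p(nr)` and `(nr) >= width`; parenthesise them for consistency with the `(nr) < 0` and `(nr) >= (width)` uses on the neighbouring lines. The updated comment now says the examples 'generate compiler errors from BIT_INPUT_CHECK()', but with KBUILD_EXTRA_WARNc undefined the macro expands to 0 and BIT_U32(40) is only caught by -Wshift-count-overflow on the shift, so qualify the sentence with 'under W=c'.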
diff --git a/lib/tests/test_bits.c b/lib/tests/test_bits.c
index 55be8230f9e7..36eb4661e78b 100644
--- a/lib/tests/test_bits.c
+++ b/lib/tests/test_bits.c
@@ -3,6 +3,8 @@
  * Test cases for functions and macros in bits.h
  */
 
+#define KBUILD_EXTRA_WARNc 1
+
 #include <kunit/test.h>
 #include <linux/bits.h>
 #include <linux/types.h>
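Review bot: `#define KBUILD_EXTRA_WARNc 1` is set unconditionally before the includes, so the test always compiles the checking variants, but the commit message says the macro is normally supplied by a W=c build; if kbuild also defines it on the command line this file redefines it, which is only harmless if the values are identical. Guard it with `#ifndef KBUILD_EXTRA_WARNc` and add a comment saying the test wants the checks enabled regardless of the W= level.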
@@ -118,24 +120,30 @@ static void genmask_u128_test(struct kunit *test)
 
 static void genmask_input_check_test(struct kunit *test)
 {
-	unsigned int x, y;
-	int z, w;
+	unsigned int x = 1, y = 2;
+	int z = 1, w = 2;
+
+	OPTIMIZER_HIDE_VAR(x);
+	OPTIMIZER_HIDE_VAR(y);
+	OPTIMIZER_HIDE_VAR(z);
+	OPTIMIZER_HIDE_VAR(w);
 
 	/* Unknown input */
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(x, 0));
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(0, x));
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(x, y));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(x, 0, 32));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(0, x, 32));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(x, y, 32));
 
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(z, 0));
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(0, z));
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(z, w));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(z, 0, 32));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(0, z, 32));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(z, w, 32));
 
 	/* Valid input */
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(1, 1));
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(39, 21));
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(100, 80));
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(110, 65));
-	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(127, 0));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(1, 1, 32));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(39, 21, 64));
+
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(100, 80, 128));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(110, 65, 128));
+	KUNIT_EXPECT_EQ(test, 0, GENMASK_INPUT_CHECK(127, 0, 128));
 }
 
 
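Review bot: the 'Valid input' cases never exercise the new width argument at its boundary: nothing checks `GENMASK_INPUT_CHECK(31, 0, 32)` or `GENMASK_INPUT_CHECK(63, 0, 64)`, and h == width - 1 is the largest value that must still yield 0, so these would pin down the comparison in `(h) >= width`. The OPTIMIZER_HIDE_VAR() cases only show that non-constant input is accepted, and there is no case here for a compile-time constant that should be rejected; if that is intentionally left to a later patch, a short comment in the test saying so would help.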
-- 
2.39.5
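The distinction the commit message draws, between an integer constant expression and a value that merely becomes constant after inlining, together with the argument rule the new check enforces, as an added example written for this page rather than code from the patch or from include/linux/bits.h. It is a stand-alone C model: `is_ice()` follows the sizeof/null-pointer trick used by the kernel's `__is_constexpr()`, `genmask_args_invalid()` applies the `l >= 0`, `l <= h`, `h < width` rule from the non-ICE branch of the new GENMASK_INPUT_CHECK(), and the two mask helpers use the GENMASK_TYPE() expression but refuse out-of-range arguments at run time instead of shifting. All function names are this example's own.

```c
/*
 * Added example (not the kernel's bits.h): a stand-alone model of the
 * argument rule enforced by the patch's W=c GENMASK_INPUT_CHECK(), the
 * mask arithmetic from GENMASK_TYPE(), and the ICE-versus-constant
 * distinction the commit message is about. Builds with gcc or clang.
 * The function names are this example's own.
 */
#include <stdint.h>
#include <stdio.h>

/*
 * Integer-constant-expression test in the style of the kernel's
 * __is_constexpr(): when x is an ICE, (void *)0 is a null pointer
 * constant and the conditional has type int *; otherwise it has type
 * void *, whose pointee has (GNU extension) size 1, so the comparison
 * with sizeof(int) fails.
 */
#define is_ice(x) \
	(sizeof(int) == sizeof(*(8 ? ((void *)((long)(x) * 0l)) : (int *)8)))

/*
 * Validity rule from the non-ICE branch of the new check:
 * l >= 0, l <= h and h < width. Returns 1 when the pair is invalid.
 */
static int genmask_args_invalid(long h, long l, unsigned int width)
{
	return l < 0 || l > h || h >= (long)width;
}

/*
 * Mask bits l..h of a 32-bit type with the expression from
 * GENMASK_TYPE(): (t)-1 << l & (t)-1 >> (BITS_PER_TYPE(t) - 1 - h).
 * Returns 0 (never a valid mask) when the arguments fail the check,
 * rather than performing an out-of-range shift, which is undefined.
 */
static uint32_t genmask_u32_checked(long h, long l)
{
	if (genmask_args_invalid(h, l, 32))
		return 0;
	return (uint32_t)-1 << l & (uint32_t)-1 >> (31 - h);
}

/* Same for a 64-bit type. */
static uint64_t genmask_u64_checked(long h, long l)
{
	if (genmask_args_invalid(h, l, 64))
		return 0;
	return (uint64_t)-1 << l & (uint64_t)-1 >> (63 - h);
}

/*
 * A literal is an ICE: this is the case -Wshift-count-overflow and the
 * BUILD_BUG_ON_ZERO()-style checks already catch.
 */
static int literal_is_ice(void)
{
	return is_ice(32);
}

/*
 * An initialised local is not an ICE even though its value is obvious.
 * is_ice() is 0 for it at every optimisation level.
 */
static int variable_is_ice(void)
{
	int n = 32;
	return is_ice(n);
}

/*
 * Whether __builtin_constant_p() sees through the same local depends on
 * the optimiser, which is why a check keyed on ICEs alone can be skipped
 * for a value that the compiler nevertheless treats as constant.
 */
static int variable_builtin_constant_p(void)
{
	int n = 32;
	return __builtin_constant_p(n);
}

int main(void)
{
	printf("GENMASK(15, 20) invalid: %d\n", genmask_args_invalid(15, 20, 32));
	printf("GENMASK(72, 15) fits 64 bits: %d\n", !genmask_args_invalid(72, 15, 64));
	printf("GENMASK_U32(7, 4) = 0x%08x\n", genmask_u32_checked(7, 4));
	printf("GENMASK_U64(39, 21) = 0x%016llx\n",
	       (unsigned long long)genmask_u64_checked(39, 21));
	printf("literal ICE: %d, variable ICE: %d, variable __builtin_constant_p: %d\n",
	       literal_is_ice(), variable_is_ice(), variable_builtin_constant_p());
	return 0;
}
```

Build with gcc or clang; the printed `__builtin_constant_p` result for the local changes with the optimisation level, which is the behaviour the patch guards against, while `is_ice()` reports 0 for it regardless.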

