From: Marc Herbert <marc.herbert@linux.intel.com>
To: Dan Williams <dan.j.williams@intel.com>,
Greg KH <gregkh@linuxfoundation.org>
Cc: Miguel Ojeda <ojeda@kernel.org>,
Benjamin.Cheatham@amd.com, Jonathan.Cameron@huawei.com,
dakr@kernel.org, linux-acpi@vger.kernel.org,
linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org,
rafael.j.wysocki@intel.com, rafael@kernel.org,
sudeep.holla@arm.com, Dan Carpenter <dan.carpenter@linaro.org>,
Kees Cook <kees@kernel.org>
Subject: Re: [PATCH] driver core: faux: fix Undefined Behavior in faux_device_destroy()
Date: Wed, 18 Jun 2025 20:33:27 -0700 [thread overview]
Message-ID: <206ebae8-4e2d-4e04-8872-fa3a56b3e398@linux.intel.com> (raw)
In-Reply-To: <6853586e9d366_1f9e10087@dwillia2-xfh.jf.intel.com.notmuch>
On 2025-06-18 17:23, Dan Williams wrote:
> Marc Herbert wrote:
> [..]
>> In other words, by turning this off unconditionally at the global level,
>> the kernel could actually lose (surprise!) some performance.
>
> I expect the answer is that any compiler that does fail to convert this
> to defined behavior is not suitable for compiling the kernel.
>
> The issue is not "oh hey, this fixup in this case is tiny", it is
> "changing this precedent implicates a large flag day audit". I am
> certain this is one of many optimizations that the kernel is willing to
> sacrifice.
None of these ideas crossed my mind:
- dropping -fno-delete-null-pointer-checks
- anything "large" like a "flag day audit" or any large cleanup/refactoring/etc.
Sorry for the confusion.
During the discussion, some seemed to perceive
-fno-delete-null-pointer-checks as a "performance-neutral" choice. So I
just tried to correct that impression "in passing", but please do _not_
read too much into it.
What I was really interested in:
1. Is it acceptable to swap two lines to _locally_ get rid of C Fear,
Uncertainty and Doubt and time-consuming consultations with language
lawyers. On a _case-by-case_ basis.
2. Are C99 declarations acceptable.
3. Do tooling and "convergence" with other C projects matter.
Note "acceptable" != mandatory; _allowing_ C99 declarations does NOT
imply scanning existing code and systematically reducing variable scope
everywhere possible. Same as every other "new" C feature.
I think these were valid "policy" questions, that this "poster child"
was an efficient way to ask all of them with a ridiculously small amount
of code and I think I got loud and clear answers. Case closed, moving on!
> Otherwise, the massive effort to remove undefined behavior from the
> kernel and allow for complier optimzations around that removal is called
> the "Rust for Linux" project.
Nice one!
On 2025-06-18 19:35, Dan Carpenter wrote:
> But, again, this is a totally different thing from what the patch does.
> The faux_device_destroy() code is not doing a dereference, it's doing
> pointer math.
pointer math is what we _want_ the code to do. But if that relies on
some undefined behavior(s) then the bets are off again. Check
https://stackoverflow.com/questions/26906621/does-struct-name-null-b-cause-undefined-behaviour-in-c11
where offsetof() is a suggested alternative.
Spoiler alert: more language lawyers. Do not click ;-)
next prev parent reply other threads:[~2025-06-19 3:33 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-13 19:15 [PATCH] driver core: faux: fix Undefined Behavior in faux_device_destroy() marc.herbert
2025-06-13 20:20 ` Miguel Ojeda
2025-06-14 0:33 ` Greg KH
2025-06-14 10:50 ` Miguel Ojeda
2025-06-14 11:53 ` Greg KH
2025-06-14 14:53 ` Marc Herbert
2025-06-16 3:35 ` Greg KH
2025-06-16 14:02 ` Alice Ryhl
2025-06-18 23:43 ` Marc Herbert
2025-06-19 0:23 ` Dan Williams
2025-06-19 2:35 ` Dan Carpenter
2025-06-19 3:33 ` Marc Herbert [this message]
2025-06-19 4:02 ` Dan Carpenter
2025-06-26 0:55 ` Kent Overstreet
2025-06-30 23:24 ` Marc Herbert
2025-06-25 15:20 ` Dan Carpenter
2025-06-25 22:30 ` Marc Herbert
2025-06-25 23:18 ` Dan Carpenter
2025-06-25 15:21 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=206ebae8-4e2d-4e04-8872-fa3a56b3e398@linux.intel.com \
--to=marc.herbert@linux.intel.com \
--cc=Benjamin.Cheatham@amd.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=dakr@kernel.org \
--cc=dan.carpenter@linaro.org \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=kees@kernel.org \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=rafael.j.wysocki@intel.com \
--cc=rafael@kernel.org \
--cc=sudeep.holla@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.