From: Emese Revfy <re.emese@gmail.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Alexey Dobriyan <adobriyan@gmail.com>,
	linux-kernel@vger.kernel.org, ralf@linux-mips.org
Subject: Re: [PATCH 28/31] Constify struct super_operations for 2.6.32 v1
Date: Thu, 10 Dec 2009 19:24:21 +0100	[thread overview]
Message-ID: <4B213CD5.1070403@gmail.com> (raw)
In-Reply-To: <20091209004734.GO14381@ZenIV.linux.org.uk>

Al Viro wrote:
> On Wed, Dec 09, 2009 at 01:24:34AM +0100, Emese Revfy wrote:
> 
>> If constifying the function pointer fields reduces readability,
>> what would you say for turning them into typedefs, something like this:
>>
>> typedef int (* super_ops_statfs) (struct dentry *, struct kstatfs *);
>> struct super_operations {
>> ...
>> 	const super_ops_statfs statfs;
>> ...
>> };
> 
> Even worse, since one has to go back to typedef to figure out WTF is
> going on.
>  
>>> Moreover, you *still* are not
>>> covering the real policy - these suckers should be statically allocated,
>>> not just never modified.
>> If the super ops are allocated on the stack then they will be overwritten
>> during later syscalls and will eventually crash the system on a future
>> dereference, that is, this kind of problem manifests during development.
>>
>> If the super ops are allocated by kmalloc/etc, then they will have to be
>> explicitly initialised by writing to specific fields, my patch would prevent
>> that.
>>
>> So in the end the programmer is forced to allocate and initialise super ops
>> statically.
> 
> ... unless they go ahead and use memcpy(), etc.
> 
> What you really want is
> 	* no conversions to any other pointer types for pointers to it
> and to any aggregate types containing it
> 	* no conversions from any other pointer types for the same set of
> types
> 	* all objects of that type have static storage duration
> 	* no lvalues of that type are modifiable
> 
> Which is not a job for C compiler.  Yes, (4) means that memcpy() et al.
> give undefined behaviour.  And you get fsck-all satisfaction from knowing
> that, since C compiler is not going to warn you about it.  sparse might,
> if we teach it to do so.  Preferably - with minimal intrusiveness of
> syntax being used.

I think all these instruments (constification, sparse, etc.) are not
for preventing a programmer from circumventing the policy (that's impossible),
but to make it easy for the reviewer to notice it when he does so.
My patch achieves this in a very simple way for the currently uncovered case
of dynamically allocated ops structures.
--
Emese
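
The point argued in the exchange above, as an added C illustration that is not part of the original thread or of the patch under discussion (the struct, its two stub implementations and the sample dentry/kstatfs are simplified stand-ins written for this example, not the kernel's types): constifying the function-pointer fields makes a field-by-field store into a kmalloc'd ops object a compile-time error, but a whole-aggregate memcpy() from a template compiles without any diagnostic and still installs, or later replaces, the pointers. It is exactly the case Al raises and the one Emese says only a reviewer will catch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel types (constructed for this example). */
struct dentry { const char *d_name; };
struct kstatfs { unsigned long f_blocks; };

/*
 * The shape proposed in the patch: each function pointer field is itself
 * const, so only an initialiser can set it.
 */
struct super_ops_c {
	int (*const statfs)(struct dentry *, struct kstatfs *);
	void (*const put_super)(void *);
};

static int demo_statfs(struct dentry *d, struct kstatfs *st)
{
	(void)d;
	st->f_blocks = 1024;
	return 0;
}

static int alt_statfs(struct dentry *d, struct kstatfs *st)
{
	(void)d;
	st->f_blocks = 4096;
	return 0;
}

static void demo_put_super(void *sb) { (void)sb; }

/* The intended case: static storage, initialised once, never written again. */
static const struct super_ops_c good_ops = {
	.statfs    = demo_statfs,
	.put_super = demo_put_super,
};

/* A second static template; copying it over a live object is the bypass. */
static const struct super_ops_c alt_ops = {
	.statfs    = alt_statfs,
	.put_super = demo_put_super,
};

/*
 * What constified fields do catch: filling a heap-allocated ops object in
 * field by field.  Uncommenting the store below fails the build with
 * "assignment of read-only member 'statfs'" (gcc) or "read-only variable is
 * not assignable" (clang).
 *
 * What they do not catch: a whole-aggregate memcpy().  No cast is needed and
 * -Wall -Wextra stay silent, so only a human reviewer will notice that the
 * "const" fields of *p were written after allocation.
 */
static struct super_ops_c *make_ops_by_memcpy(void)
{
	struct super_ops_c *p = malloc(sizeof *p);
	if (!p)
		return NULL;
	/* p->statfs = demo_statfs;   <-- compile error with const fields */
	memcpy(p, &good_ops, sizeof *p);
	return p;
}

/* The same bypass also re-points the function pointers of a live object. */
static void replace_ops_by_memcpy(struct super_ops_c *p)
{
	memcpy(p, &alt_ops, sizeof *p);
}

/* Drive the ops the way a caller would: through the pointer it was handed. */
static long call_statfs(const struct super_ops_c *ops)
{
	struct dentry d = { "/" };
	struct kstatfs st = { 0 };

	if (ops->statfs(&d, &st) != 0)
		return -1;
	return (long)st.f_blocks;
}

int main(void)
{
	struct super_ops_c *p = make_ops_by_memcpy();
	if (!p)
		return 1;
	printf("static template:      f_blocks = %ld\n", call_statfs(&good_ops));
	printf("memcpy'd heap object: f_blocks = %ld\n", call_statfs(p));
	replace_ops_by_memcpy(p);
	printf("after second memcpy:  f_blocks = %ld\n", call_statfs(p));
	free(p);
	return 0;
}
```

Build with `cc -std=c11 -Wall -Wextra` and note that nothing is reported for either memcpy(). The only object here that a kernel would actually be able to protect by placing it in read-only memory is `good_ops`, because it alone has static storage duration; the heap copy stays writable no matter how its fields are qualified, which is why Al's list insists on static storage rather than on const alone.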

Thread overview (14+ messages):
2009-12-06  5:14 [PATCH 28/31] Constify struct super_operations for 2.6.32 v1 Alexey Dobriyan
2009-12-06 14:23 ` Emese Revfy
2009-12-07 18:30   ` Alexey Dobriyan
2009-12-08  0:06     ` Emese Revfy
2009-12-08  1:51       ` Al Viro
2009-12-09  0:24         ` Emese Revfy
2009-12-09  0:47           ` Al Viro
2009-12-09  8:22             ` Olivier Galibert
2009-12-10 18:24             ` Emese Revfy [this message]
2009-12-09  1:31 ` Ralf Baechle
2009-12-09  1:45   ` Al Viro
Related messages (loose Subject: matches):
2009-12-04 22:00 [PATCH 00/31] constify various _ops structures " Emese Revfy
2009-12-04 22:47 ` [PATCH 28/31] Constify struct super_operations " Emese Revfy
2009-12-06  1:23   ` Al Viro
2009-12-06  1:41     ` Emese Revfy
