From: Michael Tokarev <mjt@tls.msk.ru>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: QEMU Trivial <qemu-trivial@nongnu.org>,
Patch Tracking <patches@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
Richard Henderson <rth@twiddle.net>
Subject: Re: [Qemu-trivial] [PATCH 2/3] int128.h: Avoid undefined behaviours involving signed arithmetic
Date: Sun, 06 Apr 2014 18:13:27 +0400 [thread overview]
Message-ID: <53416107.1080709@msgid.tls.msk.ru> (raw)
In-Reply-To: <CAFEAcA_uN=+R6UZ6FiRshH2XvSCYBKwcHZu5ugd_02rKeM=yDQ@mail.gmail.com>
06.04.2014 14:18, Peter Maydell wrote:
> On 6 April 2014 08:09, Michael Tokarev <mjt@tls.msk.ru> wrote:
>> 28.03.2014 19:12, Peter Maydell wrote:
>>> Add casts when we're performing arithmetic on the .hi parts of an
>>> Int128, to avoid undefined behaviour.
>> []
>>> static inline Int128 int128_sub(Int128 a, Int128 b)
>>> {
>>> - return (Int128){ a.lo - b.lo, a.hi - b.hi - (a.lo < b.lo) };
>>> + return (Int128){ a.lo - b.lo, (uint64_t)a.hi - b.hi - (a.lo < b.lo) };
>>
>> What was wrong with this one? I don't think casting to unsigned here is
>> a good idea.
>
> This patch is fixing these three clang sanitizer warnings:
> /home/petmay01/linaro/qemu-from-laptop/qemu/include/qemu/int128.h:81:40:
> runtime error: signed integer overflow: 0 - -9223372036854775808
> cannot be represented in type 'long'
Int128 is defined as { uint64_t lo, int64_t hi }, so the second half is
signed (because Int128 should be able to represent negative numbers too).
-9223372036854775808 is 0x8000000000000000 -- which is only sign bit = 1.
uint64_t - int64_t is already somewhat undefined - should the second
int be treated as unsigned too? (I'm sorry I don't really remember the
C specs in there).
But more to the point - the new behavour, while "defined", is just as
arbitrary as the old "undefined" behavour. On overflow we can get either
truncated or negative result, neither of which is right.
> /home/petmay01/linaro/qemu-from-laptop/qemu/include/qemu/int128.h:81:47:
> runtime error: signed integer overflow: -9223372036854775808 - 1
> cannot be represented in type 'long'
> /home/petmay01/linaro/qemu-from-laptop/qemu/include/qemu/int128.h:56:47:
> runtime error: left shift of negative value -9223372036854775807
>
> of which the first two are in this function.
>
> Note that int128_add() already has a cast.
>
> The alternative would be to say that Int128 should have
> undefined behaviour on underflow/overflow and the test
> code is wrong, but that doesn't seem very useful to me.
It is still arbitrary.
But whole thing looks more like an attempt to shut up a bogus compiler warning
really. It is not correct either way because there's just no correct way,
because the end behavour is undefined in hardware, and we _are_ emulating
hardware here.
Yes, int128_add() has a cast already, and it is just as arbitrary as this one.
So.. maybe for consistency with _add(), maybe to shut up useless warning, maybe
to have something to base units-tests on (arbitrary but defined), this can be
applied... I think :)
So, applied to -trivial ;)
Thanks,
/mjt
WARNING: multiple messages have this Message-ID (diff)
From: Michael Tokarev <mjt@tls.msk.ru>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: QEMU Trivial <qemu-trivial@nongnu.org>,
Patch Tracking <patches@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
Richard Henderson <rth@twiddle.net>
Subject: Re: [Qemu-devel] [Qemu-trivial] [PATCH 2/3] int128.h: Avoid undefined behaviours involving signed arithmetic
Date: Sun, 06 Apr 2014 18:13:27 +0400 [thread overview]
Message-ID: <53416107.1080709@msgid.tls.msk.ru> (raw)
In-Reply-To: <CAFEAcA_uN=+R6UZ6FiRshH2XvSCYBKwcHZu5ugd_02rKeM=yDQ@mail.gmail.com>
06.04.2014 14:18, Peter Maydell wrote:
> On 6 April 2014 08:09, Michael Tokarev <mjt@tls.msk.ru> wrote:
>> 28.03.2014 19:12, Peter Maydell wrote:
>>> Add casts when we're performing arithmetic on the .hi parts of an
>>> Int128, to avoid undefined behaviour.
>> []
>>> static inline Int128 int128_sub(Int128 a, Int128 b)
>>> {
>>> - return (Int128){ a.lo - b.lo, a.hi - b.hi - (a.lo < b.lo) };
>>> + return (Int128){ a.lo - b.lo, (uint64_t)a.hi - b.hi - (a.lo < b.lo) };
>>
>> What was wrong with this one? I don't think casting to unsigned here is
>> a good idea.
>
> This patch is fixing these three clang sanitizer warnings:
> /home/petmay01/linaro/qemu-from-laptop/qemu/include/qemu/int128.h:81:40:
> runtime error: signed integer overflow: 0 - -9223372036854775808
> cannot be represented in type 'long'
Int128 is defined as { uint64_t lo, int64_t hi }, so the second half is
signed (because Int128 should be able to represent negative numbers too).
-9223372036854775808 is 0x8000000000000000 -- which is only sign bit = 1.
uint64_t - int64_t is already somewhat undefined - should the second
int be treated as unsigned too? (I'm sorry I don't really remember the
C specs in there).
But more to the point - the new behavour, while "defined", is just as
arbitrary as the old "undefined" behavour. On overflow we can get either
truncated or negative result, neither of which is right.
> /home/petmay01/linaro/qemu-from-laptop/qemu/include/qemu/int128.h:81:47:
> runtime error: signed integer overflow: -9223372036854775808 - 1
> cannot be represented in type 'long'
> /home/petmay01/linaro/qemu-from-laptop/qemu/include/qemu/int128.h:56:47:
> runtime error: left shift of negative value -9223372036854775807
>
> of which the first two are in this function.
>
> Note that int128_add() already has a cast.
>
> The alternative would be to say that Int128 should have
> undefined behaviour on underflow/overflow and the test
> code is wrong, but that doesn't seem very useful to me.
It is still arbitrary.
But whole thing looks more like an attempt to shut up a bogus compiler warning
really. It is not correct either way because there's just no correct way,
because the end behavour is undefined in hardware, and we _are_ emulating
hardware here.
Yes, int128_add() has a cast already, and it is just as arbitrary as this one.
So.. maybe for consistency with _add(), maybe to shut up useless warning, maybe
to have something to base units-tests on (arbitrary but defined), this can be
applied... I think :)
So, applied to -trivial ;)
Thanks,
/mjt
next prev parent reply other threads:[~2014-04-06 14:13 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-28 15:12 [Qemu-trivial] [PATCH 0/3] More fixes for undefined behaviour Peter Maydell
2014-03-28 15:12 ` [Qemu-devel] " Peter Maydell
2014-03-28 15:12 ` [Qemu-trivial] [PATCH 1/3] hw/ide/ahci.c: Avoid shift left into sign bit Peter Maydell
2014-03-28 15:12 ` [Qemu-devel] " Peter Maydell
2014-04-06 7:10 ` [Qemu-trivial] " Michael Tokarev
2014-04-06 7:10 ` [Qemu-devel] " Michael Tokarev
2014-03-28 15:12 ` [Qemu-trivial] [PATCH 2/3] int128.h: Avoid undefined behaviours involving signed arithmetic Peter Maydell
2014-03-28 15:12 ` [Qemu-devel] " Peter Maydell
2014-04-06 7:09 ` [Qemu-trivial] " Michael Tokarev
2014-04-06 7:09 ` [Qemu-devel] " Michael Tokarev
2014-04-06 10:18 ` Peter Maydell
2014-04-06 10:18 ` [Qemu-devel] " Peter Maydell
2014-04-06 14:13 ` Michael Tokarev [this message]
2014-04-06 14:13 ` Michael Tokarev
2014-04-06 14:58 ` Peter Maydell
2014-04-06 14:58 ` [Qemu-devel] " Peter Maydell
2014-04-06 15:27 ` Peter Maydell
2014-04-06 15:27 ` [Qemu-devel] " Peter Maydell
2014-04-07 14:25 ` Richard Henderson
2014-04-07 14:25 ` [Qemu-devel] " Richard Henderson
2014-04-07 14:47 ` Peter Maydell
2014-04-07 14:47 ` [Qemu-devel] " Peter Maydell
2014-04-07 15:49 ` [Qemu-trivial] [Qemu-devel] " Markus Armbruster
2014-04-07 15:49 ` [Qemu-devel] [Qemu-trivial] " Markus Armbruster
2014-04-07 14:56 ` [Qemu-trivial] [Qemu-devel] " Avi Kivity
2014-04-07 14:56 ` [Qemu-devel] [Qemu-trivial] " Avi Kivity
2014-04-07 15:17 ` [Qemu-trivial] [Qemu-devel] " Peter Maydell
2014-04-07 15:17 ` [Qemu-devel] [Qemu-trivial] " Peter Maydell
2014-04-07 15:22 ` [Qemu-trivial] [Qemu-devel] " Avi Kivity
2014-04-07 15:22 ` [Qemu-devel] [Qemu-trivial] " Avi Kivity
2014-03-28 15:12 ` [Qemu-trivial] [PATCH 3/3] xbzrle.c: Avoid undefined behaviour with " Peter Maydell
2014-03-28 15:12 ` [Qemu-devel] " Peter Maydell
2014-04-06 14:15 ` [Qemu-trivial] " Michael Tokarev
2014-04-06 14:15 ` [Qemu-devel] " Michael Tokarev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53416107.1080709@msgid.tls.msk.ru \
--to=mjt@tls.msk.ru \
--cc=patches@linaro.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-trivial@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.