From: Avi Kivity <avi@cloudius-systems.com>
To: Peter Maydell <peter.maydell@linaro.org>,
Michael Tokarev <mjt@tls.msk.ru>
Cc: QEMU Trivial <qemu-trivial@nongnu.org>,
Patch Tracking <patches@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
Richard Henderson <rth@twiddle.net>
Subject: Re: [Qemu-trivial] [Qemu-devel] [PATCH 2/3] int128.h: Avoid undefined behaviours involving signed arithmetic
Date: Mon, 07 Apr 2014 17:56:22 +0300
Message-ID: <5342BC96.6010204@cloudius-systems.com>
In-Reply-To: <CAFEAcA_uN=+R6UZ6FiRshH2XvSCYBKwcHZu5ugd_02rKeM=yDQ@mail.gmail.com>
On 04/06/2014 01:18 PM, Peter Maydell wrote:
> On 6 April 2014 08:09, Michael Tokarev <mjt@tls.msk.ru> wrote:
>> 28.03.2014 19:12, Peter Maydell wrote:
>>> Add casts when we're performing arithmetic on the .hi parts of an
>>> Int128, to avoid undefined behaviour.
>> []
>>> static inline Int128 int128_sub(Int128 a, Int128 b)
>>> {
>>> - return (Int128){ a.lo - b.lo, a.hi - b.hi - (a.lo < b.lo) };
>>> + return (Int128){ a.lo - b.lo, (uint64_t)a.hi - b.hi - (a.lo < b.lo) };
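Review bot: the cast on `a.hi` alone is enough to make the whole high-half expression unsigned (`b.hi` and the borrow `(a.lo < b.lo)` are converted to `uint64_t` by the usual arithmetic conversions, so no signed subtraction remains), but the result is then narrowed back into the signed `hi` member, which is implementation-defined rather than undefined. A one-line comment stating that the modulo-2^64 wrap is intentional, matching the cast the reply says `int128_add()` already carries, would answer the "what was wrong with this one?" question for the next reader, and writing both operands with the cast, `(uint64_t)a.hi - (uint64_t)b.hi - (a.lo < b.lo)`, would make that intent visible without changing the result.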
>> What was wrong with this one? I don't think casting to unsigned here is
>> a good idea.
> This patch is fixing these three clang sanitizer warnings:
> /home/petmay01/linaro/qemu-from-laptop/qemu/include/qemu/int128.h:81:40:
> runtime error: signed integer overflow: 0 - -9223372036854775808
> cannot be represented in type 'long'
> /home/petmay01/linaro/qemu-from-laptop/qemu/include/qemu/int128.h:81:47:
> runtime error: signed integer overflow: -9223372036854775808 - 1
> cannot be represented in type 'long'
> /home/petmay01/linaro/qemu-from-laptop/qemu/include/qemu/int128.h:56:47:
> runtime error: left shift of negative value -9223372036854775807
>
> of which the first two are in this function.
>
> Note that int128_add() already has a cast.
>
> The alternative would be to say that Int128 should have
> undefined behaviour on underflow/overflow and the test
> code is wrong, but that doesn't seem very useful to me.
>
>
Isn't the test broken here? It is trying to add (or shift) -2^127 and
something else, and the result truly overflows.
A better behaviour would be to abort when this happens. Int128 was
designed to avoid silent overflows, not to silently cause breakage.
Not that I think it is necessary; there is no way for the guest to
trigger an overflow.
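As an added example (not QEMU's code): the hunk's wrapping subtraction next to the abort-on-overflow variant argued for above, exercised on constructed operands that reproduce the high-half values in the quoted sanitizer report. The struct layout follows the Int128 in the thread; the helper names and the overflow test are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Layout of the Int128 under discussion: unsigned low half, signed high half.
 * The helper names below are this example's own, not QEMU's. */
typedef struct Int128 {
    uint64_t lo;
    int64_t hi;
} Int128;

/* The form from the hunk: the cast makes the high-half expression uint64_t, so
 * it wraps modulo 2^64 instead of hitting signed-overflow UB. Storing the
 * result into the int64_t member is implementation-defined, not undefined. */
static inline Int128 int128_sub(Int128 a, Int128 b)
{
    return (Int128){ a.lo - b.lo, (uint64_t)a.hi - b.hi - (a.lo < b.lo) };
}

/* Signed a - b overflows iff a and b have opposite signs and the wrapped
 * result's sign differs from a's. */
static inline bool int128_sub_overflows(Int128 a, Int128 b)
{
    Int128 r = int128_sub(a, b);
    return ((a.hi < 0) != (b.hi < 0)) && ((r.hi < 0) != (a.hi < 0));
}

/* The behaviour the reply argues for: abort instead of wrapping silently. */
static inline Int128 int128_sub_checked(Int128 a, Int128 b)
{
    if (int128_sub_overflows(a, b)) {
        fprintf(stderr, "int128_sub: signed 128-bit overflow\n");
        abort();
    }
    return int128_sub(a, b);
}

int main(void)
{
    /* Constructed operands: the sanitizer report's cases and an in-range one. */
    Int128 zero = { .lo = 0, .hi = 0 }, one = { .lo = 1, .hi = 0 };
    Int128 min = { .lo = 0, .hi = INT64_MIN };            /* -2^127 */
    printf("0 - INT128_MIN overflows: %d\n", int128_sub_overflows(zero, min));
    printf("INT128_MIN - 1 overflows: %d\n", int128_sub_overflows(min, one));
    Int128 d = int128_sub_checked((Int128){ .lo = 5 }, (Int128){ .lo = 7 });
    printf("5 - 7 = {hi=%lld, lo=0x%llx}\n", (long long)d.hi, (unsigned long long)d.lo);
    return 0;
}
```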