From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: xen-devel <xen-devel@lists.xenproject.org>, Keir Fraser <keir@xen.org>
Subject: Re: [PATCH] x86/vLAPIC: adjust types in internal read/write handling
Date: Mon, 22 Jun 2015 14:02:53 +0100
Message-ID: <5588077D.9080908@citrix.com>
In-Reply-To: <558821F80200007800087872@mail.emea.novell.com>
On 22/06/15 13:55, Jan Beulich wrote:
>>>> On 22.06.15 at 14:15, <andrew.cooper3@citrix.com> wrote:
>> On 22/06/15 12:49, Jan Beulich wrote:
>>> @@ -847,47 +834,41 @@ static int vlapic_write(struct vcpu *v,
>>> * According to the IA32 Manual, all accesses should be 32 bits.
>>> * Some OSes do 8- or 16-byte accesses, however.
>>> */
>>> - val = (uint32_t)val;
>>> - if ( len != 4 )
>>> + if ( unlikely(len != 4) )
>>> {
>>> - unsigned int tmp;
>>> - unsigned char alignment;
>>> -
>>> - gdprintk(XENLOG_INFO, "Notice: Local APIC write with len = %lx\n",len);
>>> -
>>> - alignment = offset & 0x3;
>>> - (void)vlapic_read_aligned(vlapic, offset & ~0x3, &tmp);
>>> + unsigned int tmp = vlapic_read_aligned(vlapic, offset & ~3);
>>> + unsigned char alignment = (offset & 3) * 8;
>>>
>>> switch ( len )
>>> {
>>> case 1:
>>> - val = ((tmp & ~(0xff << (8*alignment))) |
>>> - ((val & 0xff) << (8*alignment)));
>>> + val = ((tmp & ~(0xff << alignment)) |
>>> + ((val & 0xff) << alignment));
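Review bot: `alignment` in the added lines now holds `(offset & 3) * 8`, a bit shift count of 0, 8, 16 or 24 rather than a byte alignment, so the name no longer matches what `0xff << alignment` does with it; a name such as `shift` would read better. The context comment also says "8- or 16-byte accesses" while the `case 1:` handling shows `len` counted in bytes, so it presumably means 8- or 16-bit accesses and could be corrected in the same change. The removed `gdprintk` means sub-word writes are no longer logged, which is worth stating in the patch description if intended.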
>> These should probably be explicitly unsigned constants, to avoid issues
>> with shifting a 1 into the sign bit.
> I don't see what harm the sign bit would do here - even if the shift
> operation is one on signed int, the & converts the operand to
> unsigned int anyway (and with them being the same size, the
> binary representation doesn't change).

The problem is with 0xff << 24, which is where the sign bit will change
given the shift.

If 0xff is interpreted as signed, then shifted, then promoted to
unsigned by the ~ operation, then the result is undefined behaviour
(altering the sign bit of a number with a shift).

If 0xff is interpreted as unsigned straight away, then everything is
fine, as 0xffu << 24 is completely defined behaviour.

>
>> (I can't quite decide whether 0xff
>> will be interpreted as signed or unsigned, given the integer promotion
>> rules.)
> Literal numbers representable as int will always be "promoted to"
> int.
Which suggests that the code above does demonstrate UB.

~Andrew
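
The typing question in this exchange, as an added example (not code from the patch or from Xen): C11 `_Generic` probes report the type in which `0xff`, `0xff << alignment` and `tmp & ~(0xff << alignment)` are computed, and `merge_write` builds the same byte mask from unsigned constants. `TYPE_IS`, the probe functions and `merge_write` are hypothetical names, and a 32-bit `int` is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* _Generic selects on the type of its operand without evaluating it, so no
 * shift is executed by the three probes below. */
#define TYPE_IS(e, T) _Generic((e), T: 1, default: 0)

/* The literal 0xff fits in int, so its type is int. */
int literal_is_int(void) { return TYPE_IS(0xff, int); }

/* The shift is carried out in the promoted type of the left operand: int. */
int shift_is_int(unsigned char alignment)
{
    return TYPE_IS(0xff << alignment, int);
}

/* Only the & with an unsigned operand makes the whole expression unsigned. */
int masked_is_unsigned(unsigned int tmp, unsigned char alignment)
{
    return TYPE_IS(tmp & ~(0xff << alignment), unsigned int);
}

/* Merge a 1- or 2-byte write at byte 'offset' into the 32-bit value 'cur',
 * building the mask in unsigned arithmetic so a shift count of 24 is defined.
 * Returns 0 on success, -1 for a width or alignment this sketch refuses. */
int merge_write(uint32_t cur, unsigned int offset, unsigned int len,
                uint32_t val, uint32_t *out)
{
    unsigned int shift = (offset & 3) * 8;
    uint32_t mask;

    if ( len == 4 && shift == 0 ) { *out = val; return 0; }
    if ( len == 1 )                     mask = 0xffu;
    else if ( len == 2 && shift <= 16 ) mask = 0xffffu;
    else return -1; /* assumption: straddling or odd widths are refused */

    *out = (cur & ~(mask << shift)) | ((val & mask) << shift);
    return 0;
}

int main(void)
{
    uint32_t r = 0;
    merge_write(0x11223344u, 3, 1, 0xab, &r);
    printf("%d %d %d %#x\n", literal_is_int(), shift_is_int(24),
           masked_is_unsigned(0, 24), (unsigned int)r);
    return 0;
}
```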