From: Paolo Bonzini <pbonzini@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>,
	Peter Maydell <peter.maydell@linaro.org>
Cc: QEMU Developers <qemu-devel@nongnu.org>,
	Eduardo Habkost <ehabkost@redhat.com>,
	Richard Henderson <rth@twiddle.net>
Subject: Re: [Qemu-devel] [PATCH 1/2] target-i386: Use 1UL for bit shift
Date: Fri, 2 Oct 2015 10:34:52 +0200	[thread overview]
Message-ID: <560E41AC.2030706@redhat.com> (raw)
In-Reply-To: <560D86BE.1050404@redhat.com>
On 01/10/2015 21:17, Laszlo Ersek wrote:
> - In the firmware, allocate an array of bytes, dynamically. This array
>   will have no declared type.
> 
> - Populate the array byte-wise, from fw_cfg. Because the stores happen
>   through character-typed lvalues, they do not "imbue" the target
>   object with any effective type, for further accesses that do not
>   modify the value. (I.e., for further reads.)
> 
> - Get a (uint8_t*) into the array somewhere, and cast it to
>   (struct acpi_table_hdr *). Read fields through the cast pointer.
>   Assuming no out-of-bounds situation (considering the entire
>   pointed to acpi_table_hdr struct), and assuming no alignment
>   violations for the fields (which is implementation-defined), these
>   accesses will be fine.
> 
> *However*. If in point 2 you populate the array with uint64_t accesses,
> that *does* imbue the array elements with an effective type that is
> binding for further read accesses.

Then don't do it.  Use memcpy from uint64_t to the array.  Type punning
has other problems than aliasing---for example some architectures
require pointers to be correctly aligned when accessing objects bigger
than a byte.

> ... I don't know who on earth has brain capacity for tracking this.

If you can't understand a rule (or understanding it burns too many of
your brain cycles), just find a pattern that lets you respect it without
much thought. For strict aliasing it's just "don't cast pointer types"
with a single exception, namely casting a pointer to struct to a pointer
to the first member's type and the other way round.  Everything else can
either be expressed as container_of, or simply prohibited.

> Effective type *does* propagate in a trackable manner, but it is one
> order of magnitude harder to follow for humans than integer conversions
> -- and resultant ranges -- are (and those are hard enough already!).

Integer conversions are already too much for me, in fact.

Here my pattern is just: 1) use uint16_t as sparsely as possible
(because the result of a multiplication can overflow, unlike uint8_t);
2) never write unsigned int constants---this doesn't apply to unsigned
long long constants, which instead I use liberally; 3) rely heavily on
Coverity to detect narrow types being used as {,u}int64_t after
arithmetic has been done on int.

Never writing unsigned int constants conflicts heavily with this ubsan
rule.  And I can always use the excuse that I'm writing gnu89 code
rather than c99. :)

Paolo
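
The two patterns Paolo recommends above (memcpy instead of casting pointer types, and unsigned long long constants for shifts), as an added C example that is not part of the original thread; `struct hdr` is an assumed stand-in for acpi_table_hdr and the header bytes are constructed:

```c
#include <stdint.h>
#include <string.h>

/* Assumed stand-in layout, not the real acpi_table_hdr: 10 bytes of
 * fields plus two trailing padding bytes, so sizeof == 12. */
struct hdr {
    char signature[4];
    uint32_t length;
    uint8_t revision;
    uint8_t checksum;
};

/* Store a uint64_t into an untyped byte array through memcpy rather than
 * through a (uint64_t *) lvalue, so the bytes acquire no effective type. */
static void put_u64(uint8_t *dst, uint64_t v)
{
    memcpy(dst, &v, sizeof v);
}

static uint64_t get_u64(const uint8_t *src)
{
    uint64_t v;
    memcpy(&v, src, sizeof v);
    return v;
}

/* Read the header by copying into a correctly typed and aligned object
 * instead of casting the byte pointer to (struct hdr *). */
static struct hdr hdr_from_bytes(const uint8_t *buf)
{
    struct hdr h;
    memcpy(&h, buf, sizeof h);
    return h;
}

/* Mask for bit n: the constant is unsigned long long, so the shift is
 * defined for every n < 64; "1 << n" is an int shift, undefined for n >= 31. */
static uint64_t bit(unsigned n)
{
    return 1ULL << n;
}

/* Round-trip two values through a byte buffer; the result does not depend
 * on host endianness because the same memcpy path is used both ways. */
static int roundtrip_ok(void)
{
    uint8_t buf[16];
    put_u64(buf, 0x0123456789abcdefULL);
    put_u64(buf + 8, bit(40) | bit(63));
    return get_u64(buf) == 0x0123456789abcdefULL
        && get_u64(buf + 8) == (bit(40) | bit(63));
}

/* Constructed 12-byte header image: "DSDT", length 0x24 (little-endian),
 * revision 2, checksum 0xab, two padding bytes. */
static const uint8_t sample[12] = { 'D','S','D','T', 0x24,0,0,0, 2, 0xab, 0,0 };

static uint8_t sample_revision(void) { return hdr_from_bytes(sample).revision; }
```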
