From: Andreas Hindborg <nmi@metaspace.dk>
To: Alice Ryhl <aliceryhl@google.com>
Cc: Boqun Feng <boqun.feng@gmail.com>,
Thomas Gleixner <tglx@linutronix.de>,
Miguel Ojeda <ojeda@kernel.org>,
John Stultz <jstultz@google.com>,
Stephen Boyd <sboyd@kernel.org>,
Alex Gaynor <alex.gaynor@gmail.com>,
Wedson Almeida Filho <wedsonaf@gmail.com>,
Gary Guo <gary@garyguo.net>,
bjorn3_gh@protonmail.com, Benno Lossin <benno.lossin@proton.me>,
Andreas Hindborg <a.hindborg@samsung.com>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] rust: time: Use wrapping_sub() for Ktime::sub()
Date: Thu, 25 Apr 2024 11:00:31 +0200 [thread overview]
Message-ID: <877cgln7f4.fsf@metaspace.dk> (raw)
In-Reply-To: <CAH5fLghL=G-ihevf1_D0aGffmJMtxtSpMDoTGtrmdiDfhwpKnw@mail.gmail.com> (Alice Ryhl's message of "Fri, 12 Apr 2024 15:51:12 +0200")
Alice Ryhl <aliceryhl@google.com> writes:
> On Fri, Apr 12, 2024 at 3:18 PM Boqun Feng <boqun.feng@gmail.com> wrote:
>>
>> On Fri, Apr 12, 2024 at 10:36:05AM +0200, Alice Ryhl wrote:
>> > On Fri, Apr 12, 2024 at 1:08 AM Boqun Feng <boqun.feng@gmail.com> wrote:
>> > >
>> > > Currently since Rust code is compiled with "-Coverflow-checks=y", so a
>> > > normal subtraction may be compiled as an overflow checking and panic
>> > > if overflow happens:
>> > >
>> > > subq %rsi, %rdi
>> > > jo .LBB0_2
>> > > movq %rdi, %rax
>> > > retq
>> > > .LBB0_2:
>> > > pushq %rax
>> > > leaq str.0(%rip), %rdi
>> > > leaq .L__unnamed_1(%rip), %rdx
>> > > movl $33, %esi
>> > > callq *core::panicking::panic::h59297120e85ea178@GOTPCREL(%rip)
>> > >
>> > > although overflow detection is nice to have, however this makes
>> > > `Ktime::sub()` behave differently than `ktime_sub()`, moreover it's not
>> > > clear that the overflow checking is helpful, since for example, the
>> > > current binder usage[1] doesn't have the checking.
>> >
>> > I don't think this is a good idea at all. Any code that triggers an
>> > overflow in Ktime::sub is wrong, and anyone who enables
>> > CONFIG_RUST_OVERFLOW_CHECKS does so because they want such bugs to be
>> > caught. You may have been able to find one example of a subtraction
>> > that doesn't have a risk of overflow, but overflow bugs really do
>>
>> The point is you won't panic the kernel because of an overflow. I
>> agree that overflow is something we want to catch, but currently
>> ktime_t doesn't panic if overflow happens.
>
> What the CONFIG_RUST_OVERFLOW_CHECKS option does is enable panics on
> overflow. So I don't understand how "it panics on overflow" is an
> argument for removing the overflow check. That's what you asked for!
> One could perhaps argue about whether CONFIG_RUST_OVERFLOW_CHECKS is a
> good idea (I think it is), but that is orthogonal. When
> CONFIG_RUST_OVERFLOW_CHECKS is enabled, you should respect the flag.
I would agree. If users do not want panics on overflow, they disable
RUST_OVERFLOW_CHECKS. If the config is enabled, overflows in ktime sub
should panic, even if it does not do so in equivalent C code.
BR Andreas
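The three subtraction behaviours the thread contrasts, as an added illustration (not the kernel's `rust/kernel/time.rs` and not code from any participant): a hypothetical `Ktime`-like newtype over an `i64` nanosecond count, with a plain `-` that panics only when the build carries overflow checks, the `wrapping_sub()` the patch proposes, and a `checked_sub()` variant that hands the overflow to the caller instead. The `plain_sub_panics_on_overflow()` probe reports whether the current build has overflow checks on, which is the knob CONFIG_RUST_OVERFLOW_CHECKS maps to in the kernel.

```rust
// Added example; `Ktime` here is a stand-in, not the kernel's type.
use std::hint::black_box;
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Hypothetical stand-in for the kernel's `Ktime` newtype: nanoseconds as i64.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Ktime {
    inner: i64,
}

impl Ktime {
    pub fn from_nanos(inner: i64) -> Self {
        Ktime { inner }
    }

    pub fn to_nanos(self) -> i64 {
        self.inner
    }

    /// Plain `-`: with `-Coverflow-checks=y` this compiles to a checked
    /// subtraction that panics on overflow; without it, the value wraps
    /// silently. `black_box` keeps rustc from constant-folding the operands
    /// and rejecting an obvious overflow at compile time.
    pub fn sub_plain(self, other: Ktime) -> Ktime {
        Ktime { inner: black_box(self.inner) - black_box(other.inner) }
    }

    /// What the patch proposes: two's-complement wrap-around, never a panic,
    /// mirroring the C `ktime_sub()` behaviour the thread describes.
    pub fn sub_wrapping(self, other: Ktime) -> Ktime {
        Ktime { inner: self.inner.wrapping_sub(other.inner) }
    }

    /// A third option not taken by the patch: surface the overflow to the
    /// caller as `None` instead of panicking or wrapping.
    pub fn sub_checked(self, other: Ktime) -> Option<Ktime> {
        self.inner.checked_sub(other.inner).map(|inner| Ktime { inner })
    }
}

/// Probe whether this build panics on signed overflow, i.e. whether
/// overflow checks are enabled. The panic hook is silenced for the probe
/// and restored afterwards so the probe itself prints nothing.
pub fn plain_sub_panics_on_overflow() -> bool {
    let a = Ktime::from_nanos(i64::MIN);
    let b = Ktime::from_nanos(1);
    let previous_hook = std::panic::take_hook();
    std::panic::set_hook(Box::new(|_| {}));
    let result = catch_unwind(AssertUnwindSafe(|| a.sub_plain(b)));
    std::panic::set_hook(previous_hook);
    result.is_err()
}

fn main() {
    let a = Ktime::from_nanos(i64::MIN);
    let b = Ktime::from_nanos(1);
    println!("wrapping_sub: {:?}", a.sub_wrapping(b)); // wraps to i64::MAX
    println!("checked_sub:  {:?}", a.sub_checked(b)); // None
    println!(
        "plain `-` panics on overflow in this build: {}",
        plain_sub_panics_on_overflow()
    );
}
```

Whether the probe returns `true` depends on the build: `rustc` at `opt-level=0` enables overflow checks by default, and a release build without `-Coverflow-checks=y` wraps instead. That is exactly the point made above: the wrapping behaviour of `wrapping_sub()` is what every build already gets once the flag is off, so using it in `Ktime::sub()` only removes the diagnostic from builds that explicitly asked for it.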