Re: [RFC PATCH] libcrypto/chachapoly: Use strict typing for fixed size array arguments

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Daniel Thompson <danielt@kernel.org>
To: Alejandro Colomar <alx@kernel.org>
Cc: jason@zx2c4.com, ardb+git@google.com, ardb@kernel.org,
	arnd@arndb.de, ebiggers@kernel.org, kees@kernel.org,
	linux-crypto@vger.kernel.org, torvalds@linux-foundation.org
Subject: Re: [RFC PATCH] libcrypto/chachapoly: Use strict typing for fixed size array arguments
Date: Wed, 3 Dec 2025 17:24:06 +0000	[thread overview]
Message-ID: <aTByNvAYRhZI07cJ@aspen.lan> (raw)
In-Reply-To: <sjyh6hnw54pwzwyzegoaq3lu7g7hnvneq3bkc5cvno7chnfkv5@lz4dwbsv3zsf>

On Tue, Dec 02, 2025 at 02:12:47AM +0100, Alejandro Colomar wrote:
> Hi,
>
> Jason said:
> > On Sat, Nov 15, 2025 at 09:11:31AM -0800, Linus Torvalds wrote:
> > > So *if* we end up using this syntax more widely, I suspect we'd want
> > > to have a macro that makes the semantics more obvious, even if it's
> > > something silly and trivial like
> > >
> > >    #define min_array_size(n) static n
> > >
> > > just so that people who aren't familiar with that crazy syntax
> > > understand what it means.
> >
> > Oh that's a good suggestion. I'll see if I can rig that up and send
> > something.
>
> Be careful about [static n].  It has implications that you're probably
> not aware of.  Also, it doesn't have some implications you might expect
> from it.
>
> -  [static n] on an argument implies __attribute__((nonnull())) on that
>    argument; it means that the argument can't be null.  You may want to
>    make sure you're using -fno-delete-null-pointer-checks if you use
>    [static n].
>
> -  [static n] implies that n>0.  You should make sure that n>0, or UB
>    would be triggered.
>
> -  [n] means two promises traditionally:
>    -  The caller will provide at least n elements.
>    -  The callee will use no more than n elements.
>    However, [static n] only carries the first promise.  According to
>    ISO C, the callee may access elements beyond that.

This description implies that [n] carries promises that [static n] does
not. However you are comparing the "traditional" behaviour (that is
well beyond the scope of the standard) on one side with ISO C behaviour
on the other.

It makes sense to compare ISO C behavior for [n] (where neither of the
above promises applies) with ISO C behaviour for [static n]...


>    GCC, as a quality implementation, enforces the second promise too,
>    but this is not portable; you should make sure that all supported
>    compilers enforces that as an extension.

... and equally it makes sense to compare the gcc/clang warnings for
[n] versus [static n] as recommended here.

However it should not be motivated by [static n] carrying few promises
than [n], especially given gcc/clang's enforcement of the promises is
a best effort static check that won't cover all cases anyway.


Daniel.

next prev parent reply	other threads:[~2025-12-03 17:24 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-14 18:07 [RFC PATCH] libcrypto/chachapoly: Use strict typing for fixed size array arguments Ard Biesheuvel
2025-11-14 20:23 ` Jason A. Donenfeld
2025-11-14 20:33   ` Ard Biesheuvel
2025-11-15  2:14     ` Eric Biggers
2025-11-15 17:11       ` Linus Torvalds
2025-11-15 17:32         ` Linus Torvalds
2025-11-15 17:39         ` Jason A. Donenfeld
2025-12-02  1:12           ` Alejandro Colomar
2025-12-02  1:57             ` Eric Biggers
2025-12-02 10:14               ` Alejandro Colomar
2025-12-02 13:42                 ` Alejandro Colomar
2025-12-02 16:49                   ` Eric Biggers
2025-12-02 21:27                     ` Alejandro Colomar
2025-12-03 17:24             ` Daniel Thompson [this message]
2025-12-03 18:01               ` Alejandro Colomar
2025-12-05 13:59                 ` Daniel Thompson
2025-12-13 20:04                   ` Alejandro Colomar
2025-11-16 13:57 ` kernel test robot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aTByNvAYRhZI07cJ@aspen.lan \
    --to=danielt@kernel.org \
    --cc=alx@kernel.org \
    --cc=ardb+git@google.com \
    --cc=ardb@kernel.org \
    --cc=arnd@arndb.de \
    --cc=ebiggers@kernel.org \
    --cc=jason@zx2c4.com \
    --cc=kees@kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.