From: Steven Singer <steven.singer@csr.com>
To: bluez-devel@lists.sourceforge.net
Subject: Re: [Bluez-devel] hcid patch (patch 00.13)
Date: Tue, 11 Oct 2005 13:17:05 +0100 [thread overview]
Message-ID: <434BAD41.5020503@csr.com> (raw)
In-Reply-To: <1129025702.7352.17.camel@blade>
Marcel Holtmann wrote:
> Johan Hedberg wrote:
>> Yeah, I suspected that could cause problems since
>> sizeof(int) != sizeof(void *) on those machines. I don't think those
>> compiler warnings are dangerous though, since they are probably meant to
>> warn about possible loss of data which shouldn't happen to us since our
>> values always fit within 2 bytes.
Compiler warning are always dangerous.
At the very least, they can obscure the warnings you care about.
>> I don't have a 64bit machine so I
>> can't verify this fix, but I think that sizeof(long) should be the same
>> as sizeof(void *) on both 32 and 64 bit machines. If that isn't the
>> case, the last resort could be to make some automake makro to check the
>> actual size of pointer types and add #defines to the code acordingly.
If you, really, really, really want to stuff integers into pointers then
you should be using the type uintptr_t defined in <inttypes.h>, but even
this isn't safe.
uintptr_t is guaranteed only to be an integer type large enough to hold
all object pointer types (this excludes function pointers). However,
it's not guaranteed that a void * can hold all uintptr_t values or even
that it will hold any consecutive subset. That is, your assertion that
you're safe because all your values fit in 2 bytes is not strictly true
(although it may be true on many architectures).
There's another problem in that even referring to a pointer value that
points to freed memory leads you into undefined behaviour even if you
don't dereference the pointer. This means that code like this:
free(p);
if (q != p)
free(q);
isn't safe. See:
http://mail-index.netbsd.org/current-users/2005/07/30/0005.html
This makes it safe for a compiler author targetting an architecture
with separate address and data registers to load pointer values into
an address register even if the act of loading an invalid pointer into
a register causes an address exception without the address being
dereferenced.
(If you think about it, this would be quite handy for authors of
debug tools like electric fence - they could generate an exception
as soon as you though about using an invalid pointer rather than
several days later when you finally get round to dereferencing it).
So, if one of the integers you've cast into a void * happens to
match memory that's been freed then you're in trouble.
Basically, this:
void *p;
uintptr_t tmp; /* or any suitable integer type such as long */
/* ... */
tmp = (uintptr_t) p;
/* ... */
p = (void *) tmp;
is safe, but:
void *tmp;
uintptr_t *i; /* or any suitable integer type such as long */
/* ... */
tmp = (void *) i;
/* ... */
i = (uintptr_t) tmp;
Takes you into a world of undefined behaviour.
>> Anyway, the attached patch uses long for the pointer<->integer
>> typecasts. Let me know if it doesn't work.
>
> I applied your patch and the compiler on my 64-bit machine is much
> happier now, but I think that we need to allocate a structure and pass
> the pointer to it around instead of some casting tricks. Would you mind
> fixing it?
This is the right solution.
Speaking from experience, saying "I only need to store an integer so I
can save myself a malloc and, instead, cast it to a pointer" is a false
economy. Next week you'll suddenly find the implementation gets easier
if you can store two integers, then the week after, an integer and a
char * and so on.
On a resource constrained embedded system where the cost of the extra
allocation may be excessive, the only solution is to redesign the
library from the ground up replacing the void * with a union of a
void * and a long.
- Steven
--
This message has been scanned for viruses by BlackSpider MailControl - www.blackspider.com
-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel
next prev parent reply other threads:[~2005-10-11 12:17 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-06 14:31 [Bluez-devel] hcid patch (patch 00.13) Claudio Takahasi
2005-10-08 15:09 ` Marcel Holtmann
2005-10-08 23:05 ` Claudio Takahasi
2005-10-09 22:20 ` Marcel Holtmann
2005-10-10 19:58 ` Johan Hedberg
2005-10-10 20:49 ` Marcel Holtmann
2005-10-11 10:00 ` Johan Hedberg
2005-10-11 10:15 ` Marcel Holtmann
2005-10-11 10:42 ` Johan Hedberg
2005-10-11 11:52 ` Marcel Holtmann
2005-10-11 12:17 ` Steven Singer [this message]
2005-10-11 14:49 ` Johan Hedberg
2005-10-11 17:10 ` [Bluez-devel] Bluetooth 2.0 dongle Mitja Pufic
2005-10-11 17:43 ` Marcel Holtmann
2005-10-12 12:37 ` Mitja Pufic
2005-10-11 17:46 ` [Bluez-devel] hcid patch (patch 00.13) Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=434BAD41.5020503@csr.com \
--to=steven.singer@csr.com \
--cc=bluez-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).