Re: [PATCH 3/5] compiler_attributes: Add overflow_behavior macros __ob_trap and __ob_wrap

public inbox for linux-doc@vger.kernel.org
 help / color / mirror / Atom feed

From: Peter Zijlstra <peterz@infradead.org>
To: Vincent Mailhol <mailhol@kernel.org>
Cc: Kees Cook <kees@kernel.org>,
	Justin Stitt <justinstitt@google.com>,
	Marco Elver <elver@google.com>,
	Andrey Konovalov <andreyknvl@gmail.com>,
	Andrey Ryabinin <ryabinin.a.a@gmail.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Shuah Khan <skhan@linuxfoundation.org>,
	Miguel Ojeda <ojeda@kernel.org>,
	Nathan Chancellor <nathan@kernel.org>,
	kasan-dev@googlegroups.com, linux-doc@vger.kernel.org,
	llvm@lists.linux.dev,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Nicolas Schier <nsc@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
	linux-kbuild@vger.kernel.org
Subject: Re: [PATCH 3/5] compiler_attributes: Add overflow_behavior macros __ob_trap and __ob_wrap
Date: Wed, 1 Apr 2026 11:20:27 +0200	[thread overview]
Message-ID: <20260401092027.GW3738786@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <bd0a4235-a7f0-4624-802c-aa49a9d13f29@kernel.org>

On Wed, Apr 01, 2026 at 09:19:51AM +0200, Vincent Mailhol wrote:
> Le 31/03/2026 à 18:37, Kees Cook a écrit :

> > +  - Saturate (explicitly hold the maximum or minimum representable value)
> 
> I just wanted to ask how much consideration was put into this last
> "saturate" option.
> 
> When speaking of "safe" as in "functional safety" this seems a good
> option to me. The best option is of course proper handling, but as
> discussed, we are speaking of the scenario in which the code is already
> buggy and which is the fallout option doing the least damage.
> 
> What I have in mind is a new __ob_saturate type qualifier. Something like:
> 
> 	void foo(int num)
> 	{
> 		int __ob_saturate saturate_var = num;
> 	
> 		saturate_var += 42;
> 	}
> 
> would just print a warning and continue execution, thus solving the
> trapping issue. The above code would generate something equivalent to that:
> 
> 	void foo(int num)
> 	{
> 		int __ob_saturate saturate_var = num;
> 	
> 		if (check_add_overflow(saturate_var, increment,
> 				       &saturate_var) {
> 			WARN(true, "saturation occurred");
> 			saturate_var = type_max(saturate_var);
> 	}

So I would like to second this option as being interesting.

But while pondering it, I did want to note that all of the options, with
the exception of __ob_wrap (which is effectively what we have today for
*everything*), will be 'interesting' to compose with _Atomic, another
one of these qualifiers.

Now, in the kernel we don't use _Atomic, so strictly speaking I don't
care ;-) But here goes...

Something like _Atomic int __ob_wrap, is trivial and good.

_Atomic int __ob_trap is either doable or impossible depending on how
you define the result to be on 'trap'. Specifically, the semantics
proposed where it keeps the old value makes it impossible.

And _Atomic int __ob_saturate is equally 'challenging', since the
fundamental thing of 'reset to min/max on under/over-flow' is rather
a non-atomic kind of thing. Look at the trouble we went through with
refcount_t to sort of make this work.

next prev parent reply	other threads:[~2026-04-01  9:20 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-31 16:37 [PATCH 0/5] Introduce Overflow Behavior Types Kees Cook
2026-03-31 16:37 ` [PATCH 1/5] refcount: Remove unused __signed_wrap function annotations Kees Cook
2026-03-31 16:37 ` [PATCH 2/5] hardening: Introduce Overflow Behavior Types support Kees Cook
2026-03-31 16:37 ` [PATCH 3/5] compiler_attributes: Add overflow_behavior macros __ob_trap and __ob_wrap Kees Cook
2026-03-31 17:01   ` Miguel Ojeda
2026-03-31 17:09     ` Miguel Ojeda
2026-03-31 17:09     ` Justin Stitt
2026-03-31 17:14       ` Miguel Ojeda
2026-03-31 17:17         ` Justin Stitt
2026-03-31 19:52       ` Kees Cook
2026-04-01  9:08         ` Peter Zijlstra
2026-04-01 20:21           ` Kees Cook
2026-04-01 20:30             ` Peter Zijlstra
2026-04-01 20:55               ` Kees Cook
2026-04-01 23:42               ` Justin Stitt
2026-04-02  9:13             ` David Laight
2026-03-31 17:16   ` Linus Torvalds
2026-03-31 17:18     ` Linus Torvalds
2026-04-01  7:19   ` Vincent Mailhol
2026-04-01  9:20     ` Peter Zijlstra [this message]
2026-04-01 19:43       ` Kees Cook
2026-04-01 19:42     ` Kees Cook
2026-03-31 16:37 ` [PATCH 4/5] lkdtm/bugs: Add basic Overflow Behavior Types test Kees Cook
2026-03-31 17:16   ` Justin Stitt
2026-03-31 16:37 ` [PATCH 5/5] types: Add standard __ob_trap and __ob_wrap scalar types Kees Cook
2026-03-31 17:10   ` Linus Torvalds
2026-03-31 17:47     ` Miguel Ojeda
2026-03-31 18:02       ` Linus Torvalds
2026-03-31 18:25         ` Linus Torvalds
2026-03-31 18:59           ` Kees Cook
2026-03-31 20:01             ` Linus Torvalds
2026-03-31 18:32         ` Kees Cook
2026-03-31 18:36           ` Linus Torvalds
2026-03-31 18:16       ` Kees Cook
2026-03-31 20:03     ` Kees Cook
2026-03-31 20:11       ` Linus Torvalds
2026-03-31 20:18         ` Linus Torvalds
2026-03-31 20:31         ` Kees Cook
2026-03-31 20:58           ` Linus Torvalds
2026-03-31 21:50             ` Justin Stitt
2026-03-31 23:49               ` Kees Cook
2026-03-31 23:50               ` Linus Torvalds
2026-04-01  8:31           ` Peter Zijlstra
2026-04-01 20:52             ` Kees Cook
2026-04-02  5:38               ` Peter Zijlstra
2026-04-01  8:57           ` Peter Zijlstra
2026-04-01 20:23             ` Kees Cook
2026-04-01  9:38           ` Peter Zijlstra
2026-04-01 21:41             ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260401092027.GW3738786@noisy.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=akpm@linux-foundation.org \
    --cc=andreyknvl@gmail.com \
    --cc=arnd@arndb.de \
    --cc=corbet@lwn.net \
    --cc=elver@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=justinstitt@google.com \
    --cc=kasan-dev@googlegroups.com \
    --cc=kees@kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kbuild@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=mailhol@kernel.org \
    --cc=nathan@kernel.org \
    --cc=nsc@kernel.org \
    --cc=ojeda@kernel.org \
    --cc=ryabinin.a.a@gmail.com \
    --cc=skhan@linuxfoundation.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox