From: Roland Dreier <rdreier@cisco.com>
To: Jeff Garzik <jeff@garzik.org>
Cc: akpm@linux-foundation.org, torvalds@linux-foundation.org,
linux-kernel@vger.kernel.org, linux-ide@vger.kernel.org,
chas@cmf.nrl.navy.mil, rolandd@cisco.com, dwmw2@infradead.org,
gregkh@suse.de
Subject: Re: [git patches 1/2] warnings: attack valid cases spotted by warnings
Date: Tue, 17 Jul 2007 19:35:05 -0700 [thread overview]
Message-ID: <adamyxuo2w6.fsf@cisco.com> (raw)
In-Reply-To: <469D3E66.3010502@garzik.org> (Jeff Garzik's message of "Tue, 17 Jul 2007 18:10:46 -0400")
> I don't buy that performance argument, in this case. You are already
> dirtying the same cacheline with other variable initializations.
>
> Like I noted in the changeset description (hey, this is precisely why
> I included it, so that we could have this discussion), IMO the flow of
> control makes it not only impossible for the compiler to understand
> the full value range of 'f0', but also difficult for humans as well.
>
> I could perhaps understand initializing the variable to some poison
> value rather than zero, but IMO the code is stronger with f0 set to a
> sane value.
The more I think about it, the less sense initializing f0 to 0 makes.
The whole problem with an uninitialized variable is that a random
value from the stack might be used. So setting a variable to
something meaningless (guaranteeing that a garbage value is used in
case of a bug) just to shut up a warning makes no sense -- it's no
safer than leaving the code as is. uninitialized_var() gets rid of
the warning, saves a little text and instruction cache, and documents
things better.
(BTW, I agree the code is a little confusing as written. I think
things could be cleaned up and made more efficient by getting rid of
the initialization of size0 too -- I'll look at doing that)
Anyway, I queued this up for my next merge with Linus:
commit 6d7d080e9f7cd535a8821efd3835c5cfa5223ab6
Author: Roland Dreier <rolandd@cisco.com>
Date: Tue Jul 17 19:30:51 2007 -0700
IB/mthca: Use uninitialized_var() for f0
Commit 9db48926 ("drivers/infiniband/hw/mthca/mthca_qp: kill uninit'd
var warning") added "= 0" to the declarations of f0 to shut up gcc
warnings. However, there's no point in making the code bigger by
initializing f0 to a random value just to get rid of a warning;
setting f0 to 0 is no safer than just using uninitialized_var(), which
documents the situation better and gives smaller code too. For example,
on x86_64:
add/remove: 0/0 grow/shrink: 0/2 up/down: 0/-16 (-16)
function old new delta
mthca_tavor_post_send 1352 1344 -8
mthca_arbel_post_send 1489 1481 -8
Signed-off-by: Roland Dreier <rolandd@cisco.com>
diff --git a/drivers/infiniband/hw/mthca/mthca_qp.c b/drivers/infiniband/hw/mthca/mthca_qp.c
index 11f1d99..0e9ef24 100644
--- a/drivers/infiniband/hw/mthca/mthca_qp.c
+++ b/drivers/infiniband/hw/mthca/mthca_qp.c
@@ -1591,7 +1591,13 @@ int mthca_tavor_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
int i;
int size;
int size0 = 0;
- u32 f0 = 0;
+ /*
+ * f0 is only used if nreq != 0, and f0 will be initialized
+ * the first time through the main loop, since size0 == 0 the
+ * first time through. So nreq cannot become non-zero without
+ * initializing f0, and f0 is in fact never used uninitialized.
+ */
+ u32 uninitialized_var(f0);
int ind;
u8 op0 = 0;
@@ -1946,7 +1952,13 @@ int mthca_arbel_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
int i;
int size;
int size0 = 0;
- u32 f0 = 0;
+ /*
+ * f0 is only used if nreq != 0, and f0 will be initialized
+ * the first time through the main loop, since size0 == 0 the
+ * first time through. So nreq cannot become non-zero without
+ * initializing f0, and f0 is in fact never used uninitialized.
+ */
+ u32 uninitialized_var(f0);
int ind;
u8 op0 = 0;
next prev parent reply other threads:[~2007-07-18 2:35 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-17 21:42 [git patches 1/2] warnings: attack valid cases spotted by warnings Jeff Garzik
2007-07-17 21:49 ` [git patches 2/2] warnings: use uninitialized_var() Jeff Garzik
2007-07-18 11:30 ` Adrian Bunk
2007-07-17 21:53 ` [git patches 1/2] warnings: attack valid cases spotted by warnings Roland Dreier
2007-07-17 22:10 ` Jeff Garzik
2007-07-17 22:17 ` Jeff Garzik
2007-07-18 2:35 ` Roland Dreier [this message]
2007-07-18 2:46 ` Roland Dreier
2007-07-18 4:00 ` Linus Torvalds
2007-07-18 4:18 ` Roland Dreier
2007-07-18 5:12 ` Linus Torvalds
2007-07-18 17:37 ` Roland Dreier
2007-07-18 18:02 ` Linus Torvalds
2007-07-18 2:56 ` Linus Torvalds
2007-07-18 3:09 ` Roland Dreier
2007-07-18 3:29 ` Jeff Garzik
2007-07-17 22:19 ` Andrew Morton
2007-07-17 22:25 ` Linus Torvalds
2007-07-18 2:46 ` Greg KH
2007-07-18 20:03 ` Jeff Garzik
2007-07-18 22:07 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adamyxuo2w6.fsf@cisco.com \
--to=rdreier@cisco.com \
--cc=akpm@linux-foundation.org \
--cc=chas@cmf.nrl.navy.mil \
--cc=dwmw2@infradead.org \
--cc=gregkh@suse.de \
--cc=jeff@garzik.org \
--cc=linux-ide@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rolandd@cisco.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).