linux-sparse.vger.kernel.org archive mirror
From: David Laight <David.Laight@ACULAB.COM>
To: 'Martin Uecker' <muecker@gwdg.de>,
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: Vincent Mailhol <mailhol.vincent@wanadoo.fr>,
	Luc Van Oostenryck <luc.vanoostenryck@gmail.com>,
	Nathan Chancellor <nathan@kernel.org>,
	"Nick Desaulniers" <ndesaulniers@google.com>,
	Bill Wendling <morbo@google.com>,
	Justin Stitt <justinstitt@google.com>,
	Yury Norov <yury.norov@gmail.com>,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Kees Cook <kees@kernel.org>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	Jani Nikula <jani.nikula@linux.intel.com>,
	Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
	Rodrigo Vivi <rodrigo.vivi@intel.com>,
	Tvrtko Ursulin <tursulin@ursulin.net>,
	David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Mike Leach <mike.leach@linaro.org>,
	James Clark <james.clark@linaro.org>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Rikard Falkeborn <rikard.falkeborn@gmail.com>,
	"linux-sparse@vger.kernel.org" <linux-sparse@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"llvm@lists.linux.dev" <llvm@lists.linux.dev>,
	"linux-hardening@vger.kernel.org"
	<linux-hardening@vger.kernel.org>,
	"intel-gfx@lists.freedesktop.org"
	<intel-gfx@lists.freedesktop.org>,
	"dri-devel@lists.freedesktop.org"
	<dri-devel@lists.freedesktop.org>,
	"coresight@lists.linaro.org" <coresight@lists.linaro.org>,
	"linux-arm-kernel@lists.infradead.org"
	<linux-arm-kernel@lists.infradead.org>
Subject: RE: [PATCH 02/10] compiler.h: add is_const() as a replacement of __is_constexpr()
Date: Sun, 8 Dec 2024 16:48:58 +0000
Message-ID: <e71fffb7ff0e4bf29692d006c0fe77c2@AcuMS.aculab.com>
In-Reply-To: <6658618490381cf5ec35edbb66f1478024174e67.camel@gwdg.de>

From: Martin Uecker
> Sent: 08 December 2024 12:38
> 
> Am Sonntag, dem 08.12.2024 um 11:26 +0000 schrieb David Laight:
> > From: Martin Uecker
> > > Sent: 07 December 2024 23:52
> > ...
> > > While the compiler can not automatically prove every use
> > > of VLA bounded, it can reliably diagnose the cases where it
> > > can *not* see that it is bounded. Consider this example:
> > >
> > > void oob(int n, char p[n]);
> > > void f(unsigned int n)
> > > {
> > >     char buf[MIN(n, 100)]; // bounded
> > >     oob(n + 10, buf); // warning
> > > }
> > ...
> >
> > The kernel stack has to have enough space for the [100]
> > so the full amount might as well always be allocated.
> > The chance of 'trading off' stack usage with another function
> > in the same call stack that is guaranteed to use less than
> > its maximum is about zero.
> 
> In numerical computing this is a big motivation because
> you can reduce stack usage in recursive divide-and-conquer
> algorithms.  For the kernel, I agree this is not a
> compelling use case, and the better motivation would be
> precise bounds checking and clearer semantics for buffer
> management.

Except that changing the size of the on-stack array makes
absolutely no difference.
Ideally the kernel stack would be a single 4k page, but too
much code uses on-stack buffers so it has been increased and
might be 16k (or more!).
Remember this is physical memory allocated to every user thread.
On Linux it is not swappable.

...
> > This happened for 'constant' sizes from min(16, sizeof (struct))
> > because min() needs to be a statement function to avoid re-evaluating
> > its arguments.
> 
> Can you clarify this?  If the VLA size is constant, even when
> it is not an integer constant expression according to ISO C,
> the compiler should not produce worse code.  For example,

I just tried to reproduce the failing case - and failed.
It was similar to __builtin_constant_p() initially returning 'don't know'
so the 'variable sized' array code got added, then much later
after further optimisation passes the expression became constant.
So you ended up with a 'fixed size' VLA.

Compile with -Wno-vla (and -Werror) and the compile failed.

...
> So a lot of this macro business seems to be necessary
> to avoid creating warnings for ISO VLAs when instead you really
> care about the created code not having a dynamic allocation on
> the stack.

A lot of the 'macro business' for min/max is avoiding unexpected
conversion of negative values to very large unsigned ones.
And no, -Wsign-compare is spectacularly useless.

...
> The issue here is that we miss a language feature in C to
> introduce local variables that help avoid multiple expansion
> of macro arguments.  GCC's statement expressions and __auto_type
> are a solution

or historically 'typeof(x) _x = x'

> #define foo(x) ({ __auto_type __x = (x); ... })
> 
> but this runs into the current limitations that ({ }) can not be used
> at file-scope and can not return constant expressions.
> 
> 
> For other reasons I was thinking about adding names to _Generic,
> as in
> 
> _Generic(x, int i: (i + 1));
> 
> because one design issue with _Generic is that it typechecks
> also the untaken associations and there the 'x' then has the wrong
> type.  Having an 'i' with the right type which is set to the value
> of 'x' when the branch is taken would fix this issue.

That looks even more syntactically obscure than _Generic itself.
Why does it need to do more than very simple syntax analysis of
the unwanted branches - or they could automatically be analysed
with the named variable having the specified type?

> But this feature might also allow writing macros that avoid
> double expansion without requiring statement expressions (which
> are more difficult to fix):
> 
> #define foo(x) _Generic(x, int i: (i + i));

How can that work for things like min() that have multiple arguments?
Not going to work if you need __auto_type either.

	David


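Added example, not part of the message above and not kernel code: a C file that shows the three things the min()/max() "macro business", the 'typeof(x) _x = x' idiom and the remark about 'constant' sizes from min(16, sizeof (struct)) are about. MIN_NAIVE, MAX_NAIVE, MIN_ONCE, MIN_SAME_SIGN, IS_CONSTEXPR and struct hdr are constructed names for this illustration; IS_CONSTEXPR uses the same null-pointer-constant trick as the kernel's __is_constexpr(), but none of this is the kernel's own code. It assumes GCC or clang (statement expressions, __auto_type, __typeof__, sizeof(void) == 1) and a 32-bit int.

```c
/*
 * Added illustration, not kernel code.
 *   1. A textual MIN()/MAX() evaluates its arguments twice.
 *   2. With mixed signedness the usual arithmetic conversions turn a negative
 *      value into a very large unsigned one before the comparison happens.
 *   3. A statement-expression min() evaluates once, but its value is no longer
 *      an integer constant expression (ICE), so an array sized with it is a
 *      VLA even when the size folds to a constant.
 */
#include <stddef.h>
#include <stdio.h>

/* Textbook macros: arguments duplicated, conversions unchecked. */
#define MIN_NAIVE(a, b) ((a) < (b) ? (a) : (b))
#define MAX_NAIVE(a, b) ((a) > (b) ? (a) : (b))

/* Evaluate each argument exactly once ("typeof(x) _x = x" / __auto_type). */
#define MIN_ONCE(a, b) ({ __auto_type _a = (a); __auto_type _b = (b); _a < _b ? _a : _b; })

/* Refuse mixed signedness at compile time. Assumed helper for this example;
 * the kernel's own type check is considerably more elaborate. */
#define IS_SIGNED_TYPE(x) ((__typeof__(x))-1 < (__typeof__(x))1)
#define MIN_SAME_SIGN(a, b) ({ \
	__auto_type _a = (a); \
	__auto_type _b = (b); \
	_Static_assert(IS_SIGNED_TYPE(_a) == IS_SIGNED_TYPE(_b), \
		       "MIN_SAME_SIGN: operands differ in signedness"); \
	_a < _b ? _a : _b; })

/* ICE detector using the null-pointer-constant trick: if x is an ICE,
 * (void *)((long)(x) * 0l) is a null pointer constant and the conditional has
 * type int *; otherwise it has type void *, whose sizeof is 1 in GNU C. */
#define IS_CONSTEXPR(x) \
	(sizeof(int) == sizeof(*(8 ? ((void *)((long)(x) * 0l)) : (int *)8)))

struct hdr { char magic[4]; unsigned len; };	/* constructed 8-byte sample type */

/* Pitfall 2: min(-1, 100u) is 100, and max(-1, 0u) is 4294967295. */
long long naive_min_mixed(void) { int n = -1; unsigned limit = 100; return MIN_NAIVE(n, limit); }
long long naive_max_mixed(void) { int n = -1; unsigned lo = 0;     return MAX_NAIVE(n, lo); }

/* Pitfall 1: count how often the first argument is evaluated. */
static int eval_count;
static int next_val(void) { return ++eval_count; }
int naive_evals(void) { eval_count = 0; (void)MIN_NAIVE(next_val(), 5); return eval_count; }
int once_evals(void)  { eval_count = 0; (void)MIN_ONCE(next_val(), 5);  return eval_count; }

/* Same-signedness operands still compile; MIN_SAME_SIGN(int, size_t) would not. */
size_t bounded_len(size_t want, size_t cap) { return MIN_SAME_SIGN(want, cap); }
int clamp_to_100(int v) { return MIN_SAME_SIGN(v, 100); }

/* Pitfall 3: the same constant size is an ICE through the textual macro but
 * not through the statement expression, so only the former can size a plain,
 * non-VLA array. A function parameter is never an ICE. */
int naive_size_is_constexpr(void) { return IS_CONSTEXPR(MIN_NAIVE(16, sizeof(struct hdr))); }
int once_size_is_constexpr(void)  { return IS_CONSTEXPR(MIN_ONCE(16, sizeof(struct hdr))); }
int runtime_is_constexpr(int n)   { return IS_CONSTEXPR(n); }

int main(void)
{
	printf("MIN_NAIVE(-1, 100u) = %lld, MAX_NAIVE(-1, 0u) = %lld\n",
	       naive_min_mixed(), naive_max_mixed());
	printf("evaluations: naive %d, once %d\n", naive_evals(), once_evals());
	printf("ICE: naive %d, once %d, runtime %d\n", naive_size_is_constexpr(),
	       once_size_is_constexpr(), runtime_is_constexpr(3));
	return 0;
}
```

naive_min_mixed() returns 100 rather than -1 and naive_max_mixed() returns 4294967295, which is the conversion David refers to; once_evals() shows the statement-expression form evaluating its argument a single time; and once_size_is_constexpr() returns 0 although the size folds to 8, which is why an array sized by a statement-expression min() is still a VLA to the front end and to -Wvla even when the value is constant.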
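Added example, also not part of the thread and not kernel code: what Martin's remark that _Generic typechecks the untaken associations means in practice, and the function-dispatch workaround that standard C offers today (the named-association form he sketches is a proposal, so it is only shown in a comment). FIRST_BYTE, first_of_str, ident_int and sample() are constructed names for this illustration.

```c
/*
 * Added illustration, not kernel code. _Generic type-checks every association,
 * not only the selected one, so a macro body that uses the controlling
 * expression "as" its matched type fails to compile for the other types.
 * Selecting a function instead of an expression sidesteps this: each body is
 * only ever instantiated with its own parameter type.
 */
#include <stdio.h>

/* Does NOT compile for an int argument: "*(x)" in the char * association is
 * type-checked even when x is an int and that association is not selected.
 *
 *   #define FIRST_BYTE_BROKEN(x) _Generic((x), char *: *(x), int: (x))
 *
 * The proposed "_Generic(x, char *p: *p, int i: i)" would fix this by giving
 * each association a variable of the right type; it is not available today.
 */

/* Portable workaround: pick a function, then call it. *p now exists only
 * inside first_of_str(), whose parameter really is a pointer. The argument is
 * evaluated exactly once, in the call: a _Generic controlling expression is
 * never evaluated. */
static int first_of_str(const char *p) { return p[0]; }
static int ident_int(int v) { return v; }

#define FIRST_BYTE(x) _Generic((x), \
		char *:       first_of_str, \
		const char *: first_of_str, \
		int:          ident_int)(x)

/* Constructed side-effecting argument, to count evaluations. */
static int calls;
static const char *sample(void) { calls++; return "Ks"; }

int first_byte_of_int(void) { return FIRST_BYTE(42); }		/* 42 */
int first_byte_of_str(void) { return FIRST_BYTE("Ks"); }	/* 'K' */
int first_byte_evals_once(void) { calls = 0; (void)FIRST_BYTE(sample()); return calls; }

int main(void)
{
	printf("int: %d, string: %c, evaluations: %d\n", first_byte_of_int(),
	       first_byte_of_str(), first_byte_evals_once());
	return 0;
}
```

The string literal is accepted because the controlling expression undergoes lvalue conversion, so "Ks" is matched as char *, not char[3]. The price of this workaround is one function per type, which is exactly the boilerplate a multi-argument macro such as min() cannot afford, as David's reply points out.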

Thread overview: 80+ messages
2024-12-02 17:33 [PATCH 00/10] compiler.h: refactor __is_constexpr() into is_const{,_true,_false}() Vincent Mailhol via B4 Relay
2024-12-02 17:33 ` [PATCH 01/10] compiler.h: add statically_false() Vincent Mailhol via B4 Relay
2024-12-04 18:30   ` David Laight
2024-12-05 15:25     ` Vincent Mailhol
2024-12-06  3:39       ` David Laight
2024-12-06  4:42         ` Vincent Mailhol
2024-12-02 17:33 ` [PATCH 02/10] compiler.h: add is_const() as a replacement of __is_constexpr() Vincent Mailhol via B4 Relay
2024-12-04 18:39   ` David Laight
2024-12-04 21:20     ` Yury Norov
2024-12-05 15:31     ` Vincent Mailhol
2024-12-06  2:25       ` David Laight
2024-12-06  6:14         ` Linus Torvalds
2024-12-06  7:19           ` Vincent Mailhol
2024-12-06  8:49             ` Vincent Mailhol
2024-12-06  8:29           ` Martin Uecker
2024-12-06 18:30           ` Vincent Mailhol
2024-12-06 18:52             ` Linus Torvalds
2024-12-06 19:02               ` Linus Torvalds
2024-12-06 19:06               ` David Laight
2024-12-06 19:15                 ` Linus Torvalds
2024-12-06 19:38                   ` Willy Tarreau
2024-12-06 19:43                     ` David Laight
2024-12-06 19:38                   ` David Laight
2024-12-06 20:23                     ` David Laight
2024-12-07  7:42                       ` Vincent Mailhol
2024-12-07 11:19                         ` David Laight
2024-12-07 12:24                           ` Vincent Mailhol
2024-12-07 18:19                             ` Linus Torvalds
2024-12-07 19:51                               ` Martin Uecker
2024-12-07 20:31                                 ` Linus Torvalds
2024-12-07 20:54                                   ` David Laight
2024-12-07 21:00                                 ` David Laight
2024-12-07 21:06                                   ` Martin Uecker
2024-12-07 21:45                                     ` David Laight
2024-12-09  9:59                               ` Rasmus Villemoes
2024-12-06  6:40         ` Martin Uecker
2024-12-06  7:26           ` Vincent Mailhol
2024-12-07  8:39             ` Martin Uecker
2024-12-07 10:33               ` David Laight
2024-12-07 13:07                 ` Martin Uecker
2024-12-07 18:26                   ` Linus Torvalds
2024-12-07 19:19                     ` Martin Uecker
2024-12-07 20:28                       ` Linus Torvalds
2024-12-07 23:52                         ` Martin Uecker
2024-12-08  1:58                           ` Linus Torvalds
2024-12-08  9:18                             ` Martin Uecker
2024-12-08 11:26                           ` David Laight
2024-12-08 12:38                             ` Martin Uecker
2024-12-08 16:48                               ` David Laight [this message]
2024-12-08 18:10                                 ` Martin Uecker
2024-12-08 19:05                                   ` Linus Torvalds
2024-12-07 12:45               ` Vincent Mailhol
2024-12-07 13:18                 ` Martin Uecker
2024-12-07 13:50                   ` Vincent Mailhol
2024-12-07 14:59                     ` Martin Uecker
2024-12-07 15:10                     ` Martin Uecker
2024-12-07 15:23                       ` Vincent Mailhol
2024-12-07 18:07                     ` David Laight
2024-12-06  9:34         ` David Laight
2024-12-02 17:33 ` [PATCH 03/10] compiler.h: add is_const_true() and is_const_false() Vincent Mailhol via B4 Relay
2024-12-04 18:48   ` David Laight
2024-12-05 15:48     ` Vincent Mailhol
2024-12-02 17:33 ` [PATCH 04/10] linux/bits.h: simplify GENMASK_INPUT_CHECK() by using is_const_true() Vincent Mailhol via B4 Relay
2024-12-04 18:52   ` David Laight
2024-12-05 15:49     ` Vincent Mailhol
2024-12-02 17:33 ` [PATCH 05/10] minmax: simplify __clamp_once() by using is_const_false() Vincent Mailhol via B4 Relay
2024-12-04 18:54   ` David Laight
2024-12-05 15:52     ` Vincent Mailhol
2024-12-09 12:32       ` Vincent Mailhol
2024-12-02 17:33 ` [PATCH 06/10] fortify: replace __is_constexpr() by is_const() in strlen() Vincent Mailhol via B4 Relay
2024-12-04 18:58   ` David Laight
2024-12-05 15:53     ` Vincent Mailhol
2024-12-02 17:33 ` [PATCH 07/10] overflow: replace __is_constexpr() by is_const() Vincent Mailhol via B4 Relay
2024-12-02 17:33 ` [PATCH 08/10] drm/i915/reg: replace __is_const_expr() by is_const_true() or is_const() Vincent Mailhol via B4 Relay
2024-12-04 19:00   ` David Laight
2024-12-05 15:56     ` Vincent Mailhol
2024-12-02 17:33 ` [PATCH 09/10] coresight: etm4x: replace __is_const_expr() by is_const() Vincent Mailhol via B4 Relay
2024-12-02 17:33 ` [PATCH 10/10] compiler.h: remove __is_constexpr() Vincent Mailhol via B4 Relay
2024-12-04 23:58 ` [PATCH 00/10] compiler.h: refactor __is_constexpr() into is_const{,_true,_false}() Kees Cook
2024-12-05 15:21   ` Vincent Mailhol
