public inbox for linux-kernel@vger.kernel.org
From: David Laight <david.laight.linux@gmail.com>
To: Vincent Mailhol <mailhol@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@kernel.org>,
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
	Arnd Bergmann <arnd@arndb.de>,
	linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org,
	Yury Norov <yury.norov@gmail.com>,
	Lucas De Marchi <lucas.demarchi@intel.com>,
	Jani Nikula <jani.nikula@intel.com>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Kees Cook <keescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH next 11/14] bit: Strengthen compile-time tests in GENMASK() and BIT()
Date: Wed, 21 Jan 2026 19:14:48 +0000
Message-ID: <20260121191448.1dc59684@pumpkin>
In-Reply-To: <1ed83fd2-575b-4b22-9a01-b3a2110af78f@kernel.org>

On Wed, 21 Jan 2026 19:43:07 +0100
Vincent Mailhol <mailhol@kernel.org> wrote:

> On 21/01/2026 at 15:57, david.laight.linux@gmail.com wrote:
> > From: David Laight <david.laight.linux@gmail.com>
> > 
> > The current checks in GENMASK/BIT (eg reversed high/low) only work
> > for 'integer constant expressions' not 'compile-time constants'.
> > This is true for const_true() and -Wshift-count-overflow/negative.
> > While compile-time constants may be unusual, they can happen through
> > function inlining.  
> 
> Did those new checks actually find any real problem in the code? This
> adds a lot of complexity so I am not sure whether this is a winning
> trade-off.

Not in an x86-64 allmodconfig build.
They might in a 32bit one where there have definitely been issues.

> 
> > This isn't too bad with gcc, but if clang detects a negative/over-large
> > shift it treats it as 'undefined behaviour' and silently discards all
> > code that would use the result, so:
> > int f(u32 x) {int n = 32; return x >> n; }
> > generates a function that just contains a 'return' instruction.
> > If 'n' was a variable that happened to be 32, most modern CPUs mask
> > the count - so would return 'x', some might return 0.  
> 
> But then, you only solve that shift problem for GENMASK() and
> BIT(). Any other usage of the left/right shifts is not diagnosed
> unless your check gets copy-pasted all over the place.
> 
> I think that such a check belongs to a static analyzer. Speaking of
> which:
> 
> 	$ cat test.c
> 	typedef unsigned int u32;
> 	static int f(u32 x) {int n = 32; return x >> n; }
> 
> 	$ sparse test.c
> 	test.c:2:46: warning: shift too big (32) for type unsigned int
> 
> So here, I would rather keep relying on sparse rather than introducing
> the W=c logic and all that macro complexity.

I suspect the compiler test will find more than sparse.
I liked getting that to work, but maybe it is OTT.

But the W=c is more generally useful.
As well as removing all the compile-time tests from GENMASK() and
(in another patch FIELD_PREP()) which really do bloat the .i file,
I'd like to add some new tests to min/max/clamp to try to get rid
of the more dodgy (and likely buggy) cases without breaking
everyone's build - just failing the W=1 builds is better.
Using a separate flag means you can use W=ce to stop the build,
doing a W=1e build is hopeless.

	David

> 
> 
> Yours sincerely,
> Vincent Mailhol
