From: Eric Blake
Date: Mon, 21 Jul 2014 14:31:20 -0600
Message-ID: <53CD7898.10503@redhat.com>
In-Reply-To: <53CD7452.2060204@redhat.com>
To: John Snow, Markus Armbruster
Cc: Amit Shah, peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2] virtio-rng: Add human-readable error message for negative max-bytes parameter

On 07/21/2014 02:13 PM, John Snow wrote:

> I can certainly grep through the code to find out who is using unsigned
> properties. In the case of uint32, -1 I believe will already wrap around
> but then overflow (because we parse as uint64_t) and throw an error, so
> I don't expect we will see anyone using -1 to signify "MAX" for less
> than 64bit properties. In the case of uint64, it may be more difficult
> to see who, if anyone, is abusing such behavior.

Actually, you may find that behavior on uint32 is MORE likely to be
confused, rather than less. The _reason_ libvirt started tightening up
is because we hit a case where we were parsing an unsigned 32-bit
integer, but had different behavior on 32-bit hosts than on 64-bit
hosts, and it all boiled down to type promotion rules (basically,
strtoul("-1") on 32-bit platforms wrapped around to a 32-bit value,
which was still in range for uint32, while strtoul("-1") on 64-bit
platforms wrapped around to a 64-bit value which then appeared different
when truncated to uint32). At least strtoull("-1") behaves the same on
both 32-bit and 64-bit hosts.

>
> However, from a quick look-see it looks like DEFINE_PROP_UINT64 is used
> in 26 places. The fourth argument is "default value" and you can see
> many authors using -1 here, so either these authors expect wraparound or
> are trying to set the default value to something invalid that they will
> try to catch later on somehow.
>
> CC'ing Eric Blake again for input, since he went through a similar
> ordeal recently and might have some input.

Tightening semantics is always a pain - in libvirt, we had to audit all
callers and make a case-by-case judgment call on whether the tighter
semantics of rejecting negatives made sense. We ended up with very few
callers that still allowed wraparound, but there's no magic fix short of
just auditing the callers.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
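
Added example, not code from this thread, QEMU or libvirt: the strtoul("-1") behaviour described in the message above, shown with a lax uint32 parser whose verdict on "-1" depends on the host's `unsigned long` width, beside a strict parser that rejects the minus sign and parses at a fixed 64-bit width. The function names `parse_u32_lax` and `parse_u32_strict` and the sample inputs are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Lax (hypothetical): trusts strtoul(), which negates "-1" in unsigned long
 * without setting errno, so the range check depends on sizeof(long). */
static int parse_u32_lax(const char *s, uint32_t *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno || end == s || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Strict (hypothetical): refuse a minus sign up front, parse at a fixed
 * 64-bit width, then range-check, so every host gives the same answer. */
static int parse_u32_strict(const char *s, uint32_t *out)
{
    char *end;
    while (isspace((unsigned char)*s))
        s++;
    if (*s == '-')
        return -1;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno || end == s || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *inputs[] = { "4294967295", "-1", "4294967296", "12abc" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        uint32_t lax = 0, strict = 0;
        int rl = parse_u32_lax(inputs[i], &lax);
        int rs = parse_u32_strict(inputs[i], &strict);
        printf("%-11s lax=%s strict=%s\n", inputs[i],
               rl ? "reject" : "accept", rs ? "reject" : "accept");
    }
    return 0;
}
```

On a host with 32-bit `unsigned long` the lax parser accepts "-1" as 4294967295, while on a host with 64-bit `unsigned long` it rejects it; the strict parser rejects it on both.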