lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 25 Aug 2021 14:09:50 -0700
From:   Nick Desaulniers <ndesaulniers@...gle.com>
To:     Masahiro Yamada <masahiroy@...nel.org>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>
Cc:     Kees Cook <keescook@...omium.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        clang-built-linux <clang-built-linux@...glegroups.com>,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH] kbuild: Enable -Wimplicit-fallthrough for clang 14.0.0+

On Tue, Aug 17, 2021 at 2:18 PM Masahiro Yamada <masahiroy@...nel.org> wrote:
>
> On Wed, Aug 18, 2021 at 3:25 AM Nathan Chancellor <nathan@...nel.org> wrote:
> >
> > On 8/17/2021 11:03 AM, Kees Cook wrote:
> > > On Mon, Aug 16, 2021 at 09:55:28PM -0700, Nathan Chancellor wrote:
> > >> If you/Gustavo would prefer, I can upgrade that check to
> > >>
> > >> ifneq ($(call cc-option, -Wunreachable-code-fallthrough),)
> > >>
> > >> I was just trying to save a call to the compiler, as that is more expensive
> > >> than a shell test call.
> > >
> > > I prefer the option test -- this means no changes are needed on the
> > > kernel build side if it ever finds itself backported to earlier versions
> > > (and it handles the current case of "14" not meaning "absolute latest").
> > >
> > > More specifically, I think you want this (untested):
> >
> > That should work but since -Wunreachable-code-fallthrough is off by
> > default, I did not really see a reason to include it in KBUILD_CFLAGS. I
> > do not have a strong opinion though, your version is smaller than mine
> > is so we can just go with that. I'll defer to Gustavo on it since he has
> > put in all of the work cleaning up the warnings.
>
>
>
> https://github.com/llvm/llvm-project/commit/9ed4a94d6451046a51ef393cd62f00710820a7e8
>
>    did two things:
>
>  (1) Change the -Wimplicit-fallthrough behavior so that it fits
>       to our use in the kernel
>
>  (2) Add a new option -Wunreachable-code-fallthrough
>       that works like the previous -Wimplicit-fallthrough of
>       Clang <= 13.0.0
>
>
> They are separate things.
>
> Checking the presence of -Wunreachable-code-fallthrough
> does not make sense since we are only interested in (1) here.
>
>
>
> So, checking the Clang version is sensible and matches
> the explanation in the comment block.
>
>
> Moreover, using $(shell test ...) is less expensive than cc-option.
>
>
> If you want to make it even faster, you can use only
> built-in functions, like this:
>
>
> # Warn about unmarked fall-throughs in switch statement.
> # Clang prior to 14.0.0 warned on unreachable fallthroughs with
> # -Wimplicit-fallthrough, which is unacceptable due to IS_ENABLED().
> # https://bugs.llvm.org/show_bug.cgi?id=51094
> ifeq ($(firstword $(sort $(CONFIG_CLANG_VERSION) 140000)),140000)
> KBUILD_CFLAGS += -Wimplicit-fallthrough
> endif
>
>
>
> The $(sort ...) is alphabetical sort, not numeric sort.
> It works for us because the minimum Clang version is 10.0.1
> (that is CONFIG_CLANG_VERSION is always 6-digit)
>
> It will break when Clang version 100.0.0 is released.
>
> But, before that, we will raise the minimum supported clang version,
> and this conditional will go away.

I'd much rather pay the cost of cc-option to have a more precise
check; Linus is right: when I upgrade AOSP's fork of LLVM, it may not
be the fully released version of clang-14 though we have already moved
the version numbers upstream to clang-14.  I think we should strive to
prefer feature tests over version tests, which are brittle.

```
# Clang would warn about unreachable fall throughs until clang-14.
ifdef CONFIG_CC_IS_CLANG
ifneq ($(call cc-option,-Wunreachable-code-fallthrough),)
KBUILD_CFLAGS += -Wimplicit-fallthrough
endif
endif
```

Is precisely what we want.
-- 
Thanks,
~Nick Desaulniers

Powered by blists - more mailing lists