| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Aug 2007 19:37:40 +0200
From: Segher Boessenkool <segher@...nel.crashing.org>
To: Nick Piggin <nickpiggin@...oo.com.au>
Cc: heiko.carstens@...ibm.com, horms@...ge.net.au,
linux-kernel@...r.kernel.org, rpjday@...dspring.com, ak@...e.de,
netdev@...r.kernel.org, cfriesen@...tel.com,
akpm@...ux-foundation.org, torvalds@...ux-foundation.org,
jesper.juhl@...il.com, linux-arch@...r.kernel.org, zlynx@....org,
satyam@...radead.org, clameter@....com, schwidefsky@...ibm.com,
Chris Snook <csnook@...hat.com>,
Herbert Xu <herbert.xu@...hat.com>, davem@...emloft.net,
wensong@...ux-vs.org, wjiang@...ilience.com
Subject: Re: [PATCH 0/24] make atomic_read() behave consistently across all architectures
>>>>>> Part of the motivation here is to fix heisenbugs. If I knew
>>>>>> where they
>>>>>
>>>>> By the same token we should probably disable optimisations
>>>>> altogether since that too can create heisenbugs.
>>>>
>>>> Almost everything is a tradeoff; and so is this. I don't
>>>> believe most people would find disabling all compiler
>>>> optimisations an acceptable price to pay for some peace
>>>> of mind.
>>>
>>>
>>> So why is this a good tradeoff?
>> It certainly is better than disabling all compiler optimisations!
>
> It's easy to be better than something really stupid :)
Sure, it wasn't me who made the comparison though.
> So i386 and x86-64 don't have volatiles there, and it saves them a
> few K of kernel text.
Which has to be investigated. A few kB is a lot more than expected.
> What you need to justify is why it is a good
> tradeoff to make them volatile (which btw, is much harder to go
> the other way after we let people make those assumptions).
My point is that people *already* made those assumptions. There
are two ways to clean up this mess:
1) Have the "volatile" semantics by default, change the users
that don't need it;
2) Have "non-volatile" semantics by default, change the users
that do need it.
Option 2) randomly breaks stuff all over the place, option 1)
doesn't. Yeah 1) could cause some extremely minor speed or
code size regression, but only temporarily until everything has
been audited.
>>> I also think that just adding things to APIs in the hope it might fix
>>> up some bugs isn't really a good road to go down. Where do you stop?
>> I look at it the other way: keeping the "volatile" semantics in
>> atomic_XXX() (or adding them to it, whatever) helps _prevent_ bugs;
>
> Yeah, but we could add lots of things to help prevent bugs and
> would never be included. I would also contend that it helps _hide_
> bugs and encourages people to be lazy when thinking about these
> things.
Sure. We aren't _adding_ anything here though, not on the platforms
where it is most likely to show up, anyway.
> Also, you dismiss the fact that we'd actually be *adding* volatile
> semantics back to the 2 most widely tested architectures (in terms
> of test time, number of testers, variety of configurations, and
> coverage of driver code).
I'm not dismissing that. x86 however is one of the few architectures
where mistakenly leaving out a "volatile" will not easily show up on
user testing, since the compiler will very often produce a memory
reference anyway because it has no registers to play with.
> This is a very important different from
> just keeping volatile semantics because it is basically a one-way
> API change.
That's a good point. Maybe we should create _two_ new APIs, one
explicitly going each way.
>> certainly most people expect that behaviour, and also that behaviour
>> is *needed* in some places and no other interface provides that
>> functionality.
>
> I don't know that most people would expect that behaviour.
I didn't conduct any formal poll either :-)
> Is there any documentation anywhere that would suggest this?
Not really I think, no. But not the other way around, either.
Most uses of it seem to expect it though.
>> [some confusion about barriers wrt atomics snipped]
>
> What were you confused about?
Me? Not much.
Segher
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists