lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 29 Nov 2017 16:21:20 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Thomas Gleixner <tglx@...utronix.de>
Cc:     "Gustavo A. R. Silva" <garsilva@...eddedor.com>,
        Alan Cox <gnomes@...rguk.ukuu.org.uk>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, X86 ML <x86@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] x86/syscalls: Mark expected switch fall-throughs

On Wed, Nov 29, 2017 at 7:14 AM, Thomas Gleixner <tglx@...utronix.de> wrote:
> On Wed, 29 Nov 2017, Gustavo A. R. Silva wrote:
>> Quoting Thomas Gleixner <tglx@...utronix.de>:
>>
>> >
>> > So I have to ask WHY this information was not in the changelog of the patch
>> > in question:
>> >
>> >   1) How it works
>> >
>> >   2) Why comments have been chosen over macros
>> >
>>
>> I will add this info and send the patch again.
>>
>> > > In preparation to enabling -Wimplicit-fallthrough, mark switch cases
>> > > where we are expecting to fall through.
>> >
>> > It's not a reviewers job to chase that information down.
>> >
>> > While I can understand that the comments are intentional due to existing
>> > tools, I still prefer the macro/annotation. But I'm not religious about it
>> > when there is common consensus. :)
>
>                   ^^^^^^^^^^^^^^^^
>
> This is the important point. And there are people aside of me who prefer the
> macro annotation.

Understood. I, too, prefer the macro annotation, but when considering
where the primary benefit comes from, I had to admit that using the
comments was tolerable: the many external tools (e.g. Coverity,
Eclipse, gcc, clang, etc) that already process the comments means we
gain their coverage without any additional work to teach them about
yet another way to mark fall-through. In other words, making a marking
that only works for humans and gcc leaves out the other tools. To me,
"it's ugly" isn't sufficient to limit the wider benefit.

And I do recognize that when we get all fixes landed and we add
-Wimplicit-fallthrough, then we can just ignore the tools that don't
understand the new marking and announce false positives: but it's not
worth everyone else's time to deal with those false positives. There
is already a solution that all "missing break" tools handle, so let's
use it, all false positives vanish, and everyone wins (with a small
"ugliness" cost).

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ