| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Nov 2020 11:58:37 +1100 (AEDT)
From: Finn Thain <fthain@...egraphics.com.au>
To: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
cc: James Bottomley <James.Bottomley@...senpartnership.com>,
Kees Cook <keescook@...omium.org>,
Jakub Kicinski <kuba@...nel.org>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
alsa-devel@...a-project.org, amd-gfx@...ts.freedesktop.org,
bridge@...ts.linux-foundation.org, ceph-devel@...r.kernel.org,
cluster-devel@...hat.com, coreteam@...filter.org,
devel@...verdev.osuosl.org, dm-devel@...hat.com,
drbd-dev@...ts.linbit.com, dri-devel@...ts.freedesktop.org,
GR-everest-linux-l2@...vell.com, GR-Linux-NIC-Dev@...vell.com,
intel-gfx@...ts.freedesktop.org, intel-wired-lan@...ts.osuosl.org,
keyrings@...r.kernel.org, linux1394-devel@...ts.sourceforge.net,
linux-acpi@...r.kernel.org, linux-afs@...ts.infradead.org,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
linux-arm-msm@...r.kernel.org,
linux-atm-general@...ts.sourceforge.net,
linux-block@...r.kernel.org, linux-can@...r.kernel.org,
linux-cifs@...r.kernel.org,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
linux-decnet-user@...ts.sourceforge.net,
Ext4 Developers List <linux-ext4@...r.kernel.org>,
linux-fbdev@...r.kernel.org, linux-geode@...ts.infradead.org,
linux-gpio@...r.kernel.org, linux-hams@...r.kernel.org,
linux-hwmon@...r.kernel.org, linux-i3c@...ts.infradead.org,
linux-ide@...r.kernel.org, linux-iio@...r.kernel.org,
linux-input <linux-input@...r.kernel.org>,
linux-integrity@...r.kernel.org,
linux-mediatek@...ts.infradead.org,
Linux Media Mailing List <linux-media@...r.kernel.org>,
linux-mmc@...r.kernel.org, Linux-MM <linux-mm@...ck.org>,
linux-mtd@...ts.infradead.org, linux-nfs@...r.kernel.org,
linux-rdma@...r.kernel.org, linux-renesas-soc@...r.kernel.org,
linux-scsi@...r.kernel.org, linux-sctp@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-stm32@...md-mailman.stormreply.com,
linux-usb@...r.kernel.org, linux-watchdog@...r.kernel.org,
linux-wireless <linux-wireless@...r.kernel.org>,
Network Development <netdev@...r.kernel.org>,
netfilter-devel@...r.kernel.org, nouveau@...ts.freedesktop.org,
op-tee@...ts.trustedfirmware.org, oss-drivers@...ronome.com,
patches@...nsource.cirrus.com, rds-devel@....oracle.com,
reiserfs-devel@...r.kernel.org, samba-technical@...ts.samba.org,
selinux@...r.kernel.org, target-devel@...r.kernel.org,
tipc-discussion@...ts.sourceforge.net,
usb-storage@...ts.one-eyed-alien.net,
virtualization@...ts.linux-foundation.org,
wcn36xx@...ts.infradead.org,
"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>,
xen-devel@...ts.xenproject.org, linux-hardening@...r.kernel.org,
Nick Desaulniers <ndesaulniers@...gle.com>,
Nathan Chancellor <natechancellor@...il.com>,
Miguel Ojeda <ojeda@...nel.org>, Joe Perches <joe@...ches.com>
Subject: Re: [PATCH 000/141] Fix fall-through warnings for Clang
On Mon, 23 Nov 2020, Miguel Ojeda wrote:
> On Mon, 23 Nov 2020, Finn Thain wrote:
>
> > On Sun, 22 Nov 2020, Miguel Ojeda wrote:
> >
> > >
> > > It isn't that much effort, isn't it? Plus we need to take into
> > > account the future mistakes that it might prevent, too.
> >
> > We should also take into account optimisim about future improvements
> > in tooling.
> >
> Not sure what you mean here. There is no reliable way to guess what the
> intention was with a missing fallthrough, even if you parsed whitespace
> and indentation.
>
What I meant was that you've used pessimism as if it was fact.
For example, "There is no way to guess what the effect would be if the
compiler trained programmers to add a knee-jerk 'break' statement to avoid
a warning".
Moreover, what I meant was that preventing programmer mistakes is a
problem to be solved by development tools. The idea that retro-fitting new
language constructs onto mature code is somehow necessary to "prevent
future mistakes" is entirely questionable.
> > > So even if there were zero problems found so far, it is still a
> > > positive change.
> > >
> >
> > It is if you want to spin it that way.
> >
> How is that a "spin"? It is a fact that we won't get *implicit*
> fallthrough mistakes anymore (in particular if we make it a hard error).
>
Perhaps "handwaving" is a better term?
> > > I would agree if these changes were high risk, though; but they are
> > > almost trivial.
> > >
> >
> > This is trivial:
> >
> > case 1:
> > this();
> > + fallthrough;
> > case 2:
> > that();
> >
> > But what we inevitably get is changes like this:
> >
> > case 3:
> > this();
> > + break;
> > case 4:
> > hmmm();
> >
> > Why? Mainly to silence the compiler. Also because the patch author
> > argued successfully that they had found a theoretical bug, often in
> > mature code.
> >
> If someone changes control flow, that is on them. Every kernel developer
> knows what `break` does.
>
Sure. And if you put -Wimplicit-fallthrough into the Makefile and if that
leads to well-intentioned patches that cause regressions, it is partly on
you.
Have you ever considered the overall cost of the countless
-Wpresume-incompetence flags?
Perhaps you pay the power bill for a build farm that produces logs that
no-one reads? Perhaps you've run git bisect, knowing that the compiler
messages are not interesting? Or compiled software in using a language
that generates impenetrable messages? If so, here's a tip:
# grep CFLAGS /etc/portage/make.conf
CFLAGS="... -Wno-all -Wno-extra ..."
CXXFLAGS="${CFLAGS}"
Now allow me some pessimism: the hardware upgrades, gigawatt hours and
wait time attributable to obligatory static analyses are a net loss.
> > But is anyone keeping score of the regressions? If unreported bugs
> > count, what about unreported regressions?
> >
> Introducing `fallthrough` does not change semantics. If you are really
> keen, you can always compare the objects because the generated code
> shouldn't change.
>
No, it's not for me to prove that such patches don't affect code
generation. That's for the patch author and (unfortunately) for reviewers.
> Cheers,
> Miguel
>
Powered by blists - more mailing lists