lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YqArhaiEu+6YWZfg@zeniv-ca.linux.org.uk>
Date:   Wed, 8 Jun 2022 04:54:29 +0000
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     Nick Desaulniers <ndesaulniers@...gle.com>,
        Justin Stitt <jstitt007@...il.com>,
        Nathan Chancellor <nathan@...nel.org>,
        Tom Rix <trix@...hat.com>, linux-kernel@...r.kernel.org,
        llvm@...ts.linux.dev, Richard Smith <richardsmith@...gle.com>
Subject: Re: [PATCH] include/uapi/linux/swab.h: add __u16 cast to __swab16
 conditional

On Tue, Jun 07, 2022 at 04:21:28PM -0700, Andrew Morton wrote:

> > 6.5.15/5
> > >> If both the second and third operands have arithmetic type, the result type that would be determined by the usual arithmetic conversions, were they applied to those two operands, is the type of the result.
> > 6.3.1.8/1
> > >> Otherwise, the integer promotions are performed on both operands.
> > 6.3.1.1/2
> > >> If an int can represent all values of the original type (as restricted by the width, for a bit-field), the value is converted to an int; otherwise, it is converted to an unsigned int. These are called the integer promotions.
> 
> Geeze.  Can we please turn this into English and add it to the changelog?
> 
> Is it saying that an expression
> 
> 	int ? u16 : u16
> 
> has type int?  Or something else?  What did we do wrong here and is it
> possible to correct our types rather than adding a cast?

Not quite.  Same rules as u16 + u16 - on architectures where int is wider
than 16 bits it's (int)u16 + (int)u16 and yields int, on 16bit ones it's
(unsigned int)u16 + (unsigned int)u16 and yields unsigned int.

You *can't* get smaller-than-int out of ? :, same as you can't get it
out of addition, etc.

__builtin_choose_expr() would do it, but I would take a cast over that
ugliness.

FWIW, it might make sense for clang to keep track of the following
property: expression has the same value as it would if integer promotions
in it had been replaced with integer promotion of result.

Example: with
	unsigned short x, y, mask;

expresion "x & y" is interpreted as and_int((int)x, (int)y), which is equal
to (int)and_u16(x, y), so that expression has the property in question.
"x != 12 ? x : y" has the same property.  "x + y", OTOH, doesn't - if x and y
are both 32768, x + y is add_int((int)x, (int)y), i.e. 65536, while
(int)add_u16(x, y) would be 0.

For a somewhat more subtle example,
	(x & ~mask) | (y & mask)
is interpreted as
	or_int(and_int((int)x, not_int((int)mask)), and_int((int)y, (int)mask))
which is equal to
	(int)or_u16(and_u16(x,not_u16(mask)), and_u16(y, mask))
IOW, the property in question holds for that one, despite having a subexpression
(~mask) that does *NOT* have that property.  (int)not_u16(0) is 0xffff and
not_int((int)0) is (assuming 32bit int) 0xffffffff.  Upper 16 bits get fouled;
applying & with known-16bit launders them off...

That predicate is behind the handling of small bitwise types in sparse;
otherwise all operations on __be16 would trigger warnings due to promotions
from __be16 to int.  And aforementioned subtle example is common enough, so we
had to deal with it.  See commit d24967cb847b "[PATCH] handle fouled-bitwise"
in sparse git...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ