[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHk-=whT+xyge9UjH+r6dt0FG-eUdrzu5hDMce_vC+n8uLam2A@mail.gmail.com>
Date: Wed, 19 Oct 2022 12:54:06 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: linux-kernel@...r.kernel.org, linux-kbuild@...r.kernel.org,
linux-arch@...r.kernel.org, linux-toolchains@...r.kernel.org,
Masahiro Yamada <masahiroy@...nel.org>,
Kees Cook <keescook@...omium.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH] kbuild: treat char as always signed
On Wed, Oct 19, 2022 at 9:27 AM Jason A. Donenfeld <Jason@...c4.com> wrote:
>
> So let's just eliminate this particular variety of heisensigned bugs
> entirely. Set `-fsigned-char` globally, so that gcc makes the type
> signed on all architectures.
Btw, I do wonder if we might actually be better off doing this - but
doing it the other way around.
IOW, make 'char' always UNsigned. Unlike the signed char thing, it
shouldn't generate any worse code on any common architecture.
And I do think that having odd architecture differences is generally a
bad idea, and making the language rules stricter to avoid differences
is a good thing.
Now, you did '-fsigned-char', because that's the "common default" in
an x86-centric world.
You are also right that people might think that "char" works like
"int", and that if you don't specify the sign, it's signed.
But those people are obviously wrong anyway, so it's not a very strong argument.
And from a kernel perspective, I do think that "treat char as a byte"
and making it be unsigned is in many ways the saner model. There's a
reason we use 'unsigned char' in a fair number of places.
So using '-funsigned-char' might not be a bad idea.
Hilariously (and by "hilariously", I obviously mean "NOT
hilariously"), it doesn't actually fix the warning for
const unsigned char *c = "p";
which still complains about
warning: pointer targets in initialization of ‘const unsigned char
*’ from ‘char *’ differ in signedness
even when you've specified that 'char' should be unsigned with -funsigned-char.
Because gcc actually tries to be helpful, and has (reasonably, from a
"type sanity" standpoint) decided that
"The type char is always a distinct type from each of signed char
or unsigned char, even though its behavior is always just like one of
those two"
so using "-funsigned-char" gives us well-defined *behavior*, but
doesn't really help us with cleaning up our code.
I understand why gcc would want to make it clear that despite any
behavioral issues, "char" is *not* the same as "[un]signed char" in
general. But in this kind of use case, that warning is just pointless
and annoying.
Oh well. You *really* can't win this thing. The game is rigged like
some geeky carnival game.
Linus
Powered by blists - more mailing lists