Message-ID: <22c9c4cc27b13b2fb6f3cd9fa6f827f56f30770b.camel@med.uni-goettingen.de>
Date: Fri, 1 Mar 2024 13:21:45 +0000
From: "Uecker, Martin" <Martin.Uecker@....uni-goettingen.de>
To: "keescook@...omium.org" <keescook@...omium.org>,
"linux@...musvillemoes.dk" <linux@...musvillemoes.dk>,
"David.Laight@...LAB.COM" <David.Laight@...LAB.COM>
CC: "corbet@....net" <corbet@....net>, "miguel.ojeda.sandonis@...il.com"
<miguel.ojeda.sandonis@...il.com>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, "linux-doc@...r.kernel.org"
<linux-doc@...r.kernel.org>, "gustavoars@...nel.org" <gustavoars@...nel.org>,
"ndesaulniers@...gle.com" <ndesaulniers@...gle.com>,
"jani.nikula@...ux.intel.com" <jani.nikula@...ux.intel.com>,
"ojeda@...nel.org" <ojeda@...nel.org>, "linux-hardening@...r.kernel.org"
<linux-hardening@...r.kernel.org>
Subject: Re: [+externe Mail+] RE: [PATCH] compiler.h: Explain how
__is_constexpr() works
BTW my main email address is now: uecker@...raz.at
My suggestion would also be to limit the explanation. Nobody should
write such code, and if you need to, you can find explanations
all over the internet.
Finally, I still think the motivation for this macro (removing
VLAs) is misguided if security is the goal because VLAs provide
precise bounds and larger worst-case fixed-size arrays do not.
It would be better to use the compiler options that detect
possible use of VLAs of unbounded size, and if there are problems
with this, improve this on the compiler side.
Martin
On Friday, 01.03.2024 at 09:32 +0000, David Laight wrote:
> From: Kees Cook
> > Sent: 01 March 2024 04:45
> > To: Rasmus Villemoes <linux@...musvillemoes.dk>
> >
> > The __is_constexpr() macro is dark magic. Shed some light on it with
> > a comment to explain how and why it works.
>
> All the 8s don't help...
>
> I don't think you need that much explanation.
>
> Perhaps just saying that the type of ?: depends on the types
> of the values and is independent of the condition.
> The type of (0 ? (void *)p : (foo *)q) is normally 'void *'
> (so that both values can be assigned to it).
> But if 'p' is 'an integer constant expression with value 0'
> then (void *)p is NULL and the type is 'foo *'.
>
> The type can then be checked to find out if 'p' is constant 0.
> A non-zero constant 'p' can be multiplied by 0.
>
> I need to replace the definition with (the more portable):
> #define __if_constexpr(cond, if_const, if_not_const) \
> _Generic(0 ? (void *)((long)(cond) * 0) : (char *)0, \
> char *: (if_const), \
> void *: (if_not_const))
> which is arguably less cryptic.
>
> #define __is_constexpr(cond) __if_constexpr(cond, 1, 0)
>
> So that I can write:
> #define is_non_neg_const(x) (__if_constexpr(x, x, -1) >= 0)
> and avoid the compiler bleating about some comparisons
> in unreachable code.
>
> David
>
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
>
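The null-pointer-constant trick David describes, written out as an added example that is not the kernel's compiler.h nor either author's code; the macro names and the FRAME_MAX enum are assumed for illustration:

```c
#include <stdio.h>

/* Same idea as the portable _Generic variant in the quoted mail: the type
 * of (0 ? (void *)X : (char *)0) is 'char *' only when X is an integer
 * constant expression with value 0 (a null pointer constant); for any
 * non-constant X it is 'void *'. Multiplying by 0 turns every constant
 * expression into a constant 0 without changing whether it is constant,
 * and _Generic then maps the resulting type to a value. */
#define IF_CONSTEXPR(cond, if_const, if_not_const)              \
	_Generic(0 ? (void *)((long)(cond) * 0) : (char *)0,    \
		 char *: (if_const),                             \
		 void *: (if_not_const))

#define IS_CONSTEXPR(cond) IF_CONSTEXPR(cond, 1, 0)

/* David's use case: evaluate the comparison only on a constant operand,
 * so the compiler cannot complain about an always-true/false comparison
 * in the branch that is never selected. */
#define IS_NON_NEG_CONST(x) (IF_CONSTEXPR(x, x, -1) >= 0)

enum { FRAME_MAX = 64 };   /* constructed bound for the example */

/* The macro result is itself an integer constant expression, so it can
 * guard a bound at compile time (the kernel's VLA concern). */
_Static_assert(IS_CONSTEXPR(FRAME_MAX * 2), "bound must be constant");

int literal_is_const(void)     { return IS_CONSTEXPR(42); }            /* 1 */
int enum_expr_is_const(void)   { return IS_CONSTEXPR(FRAME_MAX + 1); } /* 1 */
int sizeof_is_const(void)      { return IS_CONSTEXPR(sizeof(int)); }   /* 1 */
int parameter_is_const(int n)  { return IS_CONSTEXPR(n); }             /* 0 */

int const_neg_is_non_neg(void) { return IS_NON_NEG_CONST(-3); }        /* 0 */
int const_pos_is_non_neg(void) { return IS_NON_NEG_CONST(7); }         /* 1 */
int runtime_is_non_neg(int n)  { return IS_NON_NEG_CONST(n); }         /* 0: -1 is used */

int main(void)
{
	int n = 5;

	printf("literal=%d param=%d neg=%d runtime=%d\n",
	       literal_is_const(), parameter_is_const(n),
	       const_neg_is_non_neg(), runtime_is_non_neg(n));
	return 0;
}
```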