| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87dd9b7b52e7cea874c1899f56efdd3d7c5b7243.camel@gwdg.de>
Date: Sun, 8 Dec 2024 19:10:49 +0100
From: Martin Uecker <muecker@...g.de>
To: David Laight <David.Laight@...LAB.COM>, Linus Torvalds
<torvalds@...ux-foundation.org>
CC: Vincent Mailhol <mailhol.vincent@...adoo.fr>, Luc Van Oostenryck
<luc.vanoostenryck@...il.com>, Nathan Chancellor <nathan@...nel.org>, "Nick
Desaulniers" <ndesaulniers@...gle.com>, Bill Wendling <morbo@...gle.com>,
Justin Stitt <justinstitt@...gle.com>, Yury Norov <yury.norov@...il.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>, Kees Cook <kees@...nel.org>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>, Jani Nikula
<jani.nikula@...ux.intel.com>, Joonas Lahtinen
<joonas.lahtinen@...ux.intel.com>, Rodrigo Vivi <rodrigo.vivi@...el.com>,
Tvrtko Ursulin <tursulin@...ulin.net>, David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>, Suzuki K Poulose <suzuki.poulose@....com>,
Mike Leach <mike.leach@...aro.org>, James Clark <james.clark@...aro.org>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Rikard Falkeborn
<rikard.falkeborn@...il.com>, "linux-sparse@...r.kernel.org"
<linux-sparse@...r.kernel.org>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, "llvm@...ts.linux.dev"
<llvm@...ts.linux.dev>, "linux-hardening@...r.kernel.org"
<linux-hardening@...r.kernel.org>, "intel-gfx@...ts.freedesktop.org"
<intel-gfx@...ts.freedesktop.org>, "dri-devel@...ts.freedesktop.org"
<dri-devel@...ts.freedesktop.org>, "coresight@...ts.linaro.org"
<coresight@...ts.linaro.org>, "linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH 02/10] compiler.h: add is_const() as a replacement of
__is_constexpr()
Am Sonntag, dem 08.12.2024 um 16:48 +0000 schrieb David Laight:
> From: Martin Uecker
> > Sent: 08 December 2024 12:38
...
> ...
> > So a lot of this macro business seems to be necessary
> > to avoid creating warnings for ISO VLAs when instead you really
> > care about the created code not having a dynamic allocation on
> > the stack.
>
> A lot of the 'macro business' for min/max is avoiding unexpected
> conversion of negative values to very large unsigned ones.
> And no, -Wsign-compare is spectacularly useless.
This is a different topic, but what would be needed here?
>
> ..
> > The issue here is that we miss a language feature in C to
> > introduce local variables that help avoid multiple expansion
> > of macro arguments. GCC's statement expressions and __auto_type
> > are a solution
>
> or historically 'typeof(x) _x = x'
>
> > #define foo(x) ({ __auto_type __x = (x); ... })
> >
> > but this runs into the current limitations that ({ }) can not be used
> > at file-scope and can not return constant expressions.
> >
> >
> > For other reasons I was thinking about adding names to _Generic,
> > as in
> >
> > _Generic(x, int i: (i + 1));
> >
> > because one design issues with _Generic is that it typechecks
> > also the untaken associations and there the 'x' then has the wrong
> > type. Having an 'i' with the right type which is set to the value
> > of 'x' when the branch is taken would fix this issue.
>
> That looks even more syntactically obscure than _Generic itself.
> Why does it need to do more than very simple syntax analysis of
> the unwanted branches
This would be possible and GCC does turn of some warnings in
the unwanted branches. I added this to GCC 14 I think.
But so far, ISO C requires that all branches are valid and this
was an intentional design decision to detect errors.
> - or they could automatically be analysed
> with the named variable have the specified type?
Inside a macro there is no variable 'x' but
the macro argument 'x' is replaced by some expression.
Also there is the general problem of multiple expansion which
can only be addressed by introducing an identifier.
>
> > But this feature might also allow writing macros that avoid
> > double expansion without requiring statement expressions (which
> > are more difficult to fix):
> >
> > #define foo(x) _Generic(x, int i: (i + i));
>
> How can that work for things like min() that have multiple arguments?
You would need to nest it:
#define foo(x, y) _Generic(x, int i: _Generic(y, int j: i + j))
Otherwise one could invent syntax for matching multiple arguments
at the same time.
There is still the problem of name collision, but this is already
a problem with
({ int i = (x); int j = (x); i + j; })
> Not going to work if you need __auto_type either.
If we allowed an identifier for the default branch too, this
would work: _Generic(x, default i: (2 * i))
But hey, I am not saying this is perfect, it is just
a possible improvement I was thinking about and which could be
implemented easily, would automatically return constant expressions,
and could be used at file scope without further changes.
There are certainly better long-term solutions.
Martin
Powered by blists - more mailing lists