From: Daniel Latypov <dlatypov@google.com>
To: David Gow <davidgow@google.com>
Cc: "Justin Stitt" <justinstitt@google.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Shuah Khan" <skhan@linuxfoundation.org>,
"Guenter Roeck" <linux@roeck-us.net>,
"Rae Moar" <rmoar@google.com>,
"Matthew Auld" <matthew.auld@intel.com>,
"Arunpravin Paneer Selvam" <arunpravin.paneerselvam@amd.com>,
"Christian König" <christian.koenig@amd.com>,
"Kees Cook" <keescook@chromium.org>,
"Maíra Canal" <mcanal@igalia.com>,
"Rodrigo Vivi" <rodrigo.vivi@intel.com>,
"Matthew Brost" <matthew.brost@intel.com>,
"Willem de Bruijn" <willemb@google.com>,
"Florian Westphal" <fw@strlen.de>,
"Cassio Neri" <cassio.neri@gmail.com>,
"Javier Martinez Canillas" <javierm@redhat.com>,
"Arthur Grillo" <arthur.grillo@usp.br>,
"Brendan Higgins" <brendan.higgins@linux.dev>,
"Stephen Boyd" <sboyd@kernel.org>,
"David Airlie" <airlied@gmail.com>,
"Maxime Ripard" <mripard@kernel.org>,
"David S . Miller" <davem@davemloft.net>,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
intel-xe@lists.freedesktop.org, linux-rtc@vger.kernel.org,
linux-kselftest@vger.kernel.org, kunit-dev@googlegroups.com,
linux-hardening@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 2/9] lib/cmdline: Fix an invalid format specifier in an assertion msg
Date: Thu, 22 Feb 2024 09:36:01 -0800 [thread overview]
Message-ID: <CAGS_qxoW0v0eM646zLu=SWL1O5UUp5k08SZsQO51gCDx_LnhcQ@mail.gmail.com> (raw)
In-Reply-To: <CABVgOSn+VxTb5TOmZd82HN04j_ZG9J2G-AoJmdxWG8QDh9xGxg@mail.gmail.com>
On Wed, Feb 21, 2024 at 10:22 PM David Gow <davidgow@google.com> wrote:
>
> On Thu, 22 Feb 2024 at 04:10, 'Justin Stitt' via KUnit Development
> <kunit-dev@googlegroups.com> wrote:
> >
> > Hi,
> >
> > On Wed, Feb 21, 2024 at 05:27:15PM +0800, David Gow wrote:
> > > The correct format specifier for p - n (both p and n are pointers) is
> > > %td, as the type should be ptrdiff_t.
> >
> > I think %tu is better. d specifies a signed type. I don't doubt that the
> > warning is fixed but I think %tu represents the type semantics here.
> >
>
> While I agree that this should never be negative, I'd still lean on
> this being a signed type, for two reasons:
> - I think, if there's a bug in this code, it's easier to debug this if
> a 'negative' value were to appear as such.
> - While, as I understand it, the C spec does provide for a
> ptrdiff_t-sized unsigned printf specifier in '%tu', the difference
> between two pointers is always signed:
>
> "When two pointers are subtracted, both shall point to elements of the
> same array object,
> or one past the last element of the array object; the result is the
> difference of the
> subscripts of the two array elements. The size of the result is
> implementation-defined,
> and its type (a signed integer type) is ptrdiff_t defined in the
> <stddef.h> header"
>
> (Technically, the kernel's ptrdiff_t type isn't defined in stddef.h,
> so a bit of deviation from the spec is happening anyway, though.)
>
> If there's a particularly good reason to make this unsigned in this
> case, I'd be happy to change it, of course. But I'd otherwise prefer
> to keep it as-is.
Copying the line for context, it's about `p-r` where
p = memchr_inv(&r[1], 0, sizeof(r) - sizeof(r[0]));
`p-r` should never be negative unless something has gone horribly
horribly wrong.
So in this particular case, either %tu or %td would be fine.
(sorta bikeshedding warning)
But, I'd personally lean towards using the signed %td in tests to
guard against typos in test code as _a guiding principle._
This is especially true given that the failure messages aren't
verified since they are mostly "dead code."
You can have crazy incorrect things going on in the format arguments,
see patch 1/9 in this series [1]. One of kunit's own tests would do a
read from a ~random memory region if that specific assertion failed.
Not a good look ;)
We never noticed until this series enabled the format string checks.
You also can't expect reviewers to go through and modify every
assertion to fail to see what the failure mode looks like, so these
kinds of errors will continue to slip through.
*So IMO, we should generally adopt a more defensive stance when it
comes to these.*
Also consider the user experience if there is a failure and I
accidentally wrote `r-p` here.
Someone else sees an error report from this test and needs to investigate.
What message is easier to deal with?
> in test 18 at -5 out of bound
or
> in test 18 at 18446744073709551611 out of bound
Sure, I can eventually figure out what both messages mean, but it's a
immediately obvious from the first that there's a
a) real error: something is wrong at index 5
b) test code error: there's a flipped sign somewhere
So I'd strongly prefer the current version of the patch over one with %tu.
Reviewed-by: Daniel Latypov <dlatypov@google.com>
[1] https://lore.kernel.org/linux-kselftest/20240221092728.1281499-2-davidgow@google.com/
Thanks,
Daniel
next prev parent reply other threads:[~2024-02-22 17:36 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-21 9:27 [PATCH 0/9] kunit: Fix printf format specifier issues in KUnit assertions David Gow
2024-02-21 9:27 ` [PATCH 1/9] kunit: test: Log the correct filter string in executor_test David Gow
2024-02-21 13:25 ` Guenter Roeck
2024-02-21 20:04 ` Justin Stitt
2024-02-21 20:29 ` Daniel Latypov
2024-02-22 20:58 ` Rae Moar
2024-02-21 9:27 ` [PATCH 2/9] lib/cmdline: Fix an invalid format specifier in an assertion msg David Gow
2024-02-21 13:25 ` Guenter Roeck
2024-02-21 20:10 ` Justin Stitt
2024-02-22 6:22 ` David Gow
2024-02-22 17:36 ` Daniel Latypov [this message]
2024-02-22 17:56 ` Linus Torvalds
2024-02-21 9:27 ` [PATCH 3/9] lib: memcpy_kunit: " David Gow
2024-02-21 13:25 ` Guenter Roeck
2024-02-21 21:05 ` Justin Stitt
2024-02-21 9:27 ` [PATCH 4/9] time: test: Fix incorrect format specifier David Gow
2024-02-21 13:25 ` Guenter Roeck
2024-02-21 18:21 ` [tip: timers/core] time/kunit: Use correct " tip-bot2 for David Gow
2024-02-23 7:01 ` David Gow
2024-02-23 23:06 ` Shuah Khan
2024-02-21 20:53 ` [PATCH 4/9] time: test: Fix incorrect " Cassio Neri
2024-02-21 21:06 ` Justin Stitt
2024-02-21 9:27 ` [PATCH 5/9] rtc: test: Fix invalid " David Gow
2024-02-21 13:26 ` Guenter Roeck
2024-02-21 20:54 ` Cassio Neri
2024-02-21 21:06 ` Justin Stitt
2024-02-27 20:32 ` Alexandre Belloni
2024-02-27 21:23 ` Shuah Khan
2024-02-27 22:48 ` Alexandre Belloni
2024-02-21 9:27 ` [PATCH 6/9] net: test: Fix printf format specifier in skb_segment kunit test David Gow
2024-02-21 13:26 ` Guenter Roeck
2024-02-21 21:26 ` Justin Stitt
2024-02-21 9:27 ` [PATCH 7/9] drm: tests: Fix invalid printf format specifiers in KUnit tests David Gow
2024-02-21 10:21 ` Matthew Auld
2024-02-21 10:45 ` Christian König
2024-02-21 13:26 ` Guenter Roeck
2024-02-21 21:29 ` Justin Stitt
2024-02-27 23:24 ` Shuah Khan
2024-02-21 9:27 ` [PATCH 8/9] drm/xe/tests: Fix printf format specifiers in xe_migrate test David Gow
2024-02-21 13:26 ` Guenter Roeck
2024-02-22 5:05 ` Lucas De Marchi
2024-02-22 5:59 ` Linus Torvalds
2024-02-22 9:52 ` Thomas Hellström
2024-02-21 9:27 ` [PATCH 9/9] kunit: Annotate _MSG assertion variants with gnu printf specifiers David Gow
2024-02-21 13:26 ` Guenter Roeck
2024-02-21 20:02 ` Justin Stitt
2024-02-21 9:33 ` ✗ CI.Patch_applied: failure for kunit: Fix printf format specifier issues in KUnit assertions Patchwork
2024-02-22 14:23 ` [PATCH 0/9] " Shuah Khan
2024-02-27 23:32 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGS_qxoW0v0eM646zLu=SWL1O5UUp5k08SZsQO51gCDx_LnhcQ@mail.gmail.com' \
--to=dlatypov@google.com \
--cc=airlied@gmail.com \
--cc=arthur.grillo@usp.br \
--cc=arunpravin.paneerselvam@amd.com \
--cc=brendan.higgins@linux.dev \
--cc=cassio.neri@gmail.com \
--cc=christian.koenig@amd.com \
--cc=davem@davemloft.net \
--cc=davidgow@google.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=fw@strlen.de \
--cc=intel-xe@lists.freedesktop.org \
--cc=javierm@redhat.com \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=kunit-dev@googlegroups.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-rtc@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=matthew.auld@intel.com \
--cc=matthew.brost@intel.com \
--cc=mcanal@igalia.com \
--cc=mripard@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rmoar@google.com \
--cc=rodrigo.vivi@intel.com \
--cc=sboyd@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=torvalds@linux-foundation.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.