Re: [PATCH 01/12] extarray: define helpers for arrays defined in linker scripts

From: Peter Zijlstra <peterz@infradead.org>
To: Richard Biener <rguenther@suse.de>
Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>,
	Vegard Nossum <vegard.nossum@oracle.com>,
	Jiri Slaby <jslaby@suse.cz>,
	linux-kernel@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	stable@vger.kernel.org, Ming Lei <ming.lei@canonical.com>,
	Steven Rostedt <srostedt@redhat.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Cesar Eduardo Barros <cesarb@cesarb.eti.br>,
	Michael Matz <matz@suse.de>, David Miller <davem@davemloft.net>,
	Guenter Roeck <linux@roeck-us.net>,
	Fengguang Wu <fengguang.wu@intel.com>,
	Borislav Petkov <bp@alien8.de>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>,
	Juergen Gross <jgross@suse.com>,
	Kees Cook <keescook@chromium.org>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH 01/12] extarray: define helpers for arrays defined in linker scripts
Date: Wed, 19 Oct 2016 12:25:55 +0200	[thread overview]
Message-ID: <20161019102555.GJ3102@twins.programming.kicks-ass.net> (raw)
In-Reply-To: <alpine.LSU.2.11.1610191131250.2258@t29.fhfr.qr>

On Wed, Oct 19, 2016 at 11:33:41AM +0200, Richard Biener wrote:
> On Wed, 19 Oct 2016, Peter Zijlstra wrote:

> > This is also an entirely different class of optimizations than the whole
> > pointer arithmetic is only valid inside an object thing.
> 
> Yes, it is not related to that.  I've opened 
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78035 to track an
> inconsistency in that new optimization.
> 
> > The kernel very much relies on unbounded pointer arithmetic, including
> > overflow. Sure, C language says its UB, but we know our memory layout,
> > and it would be very helpful if we could define it.
> 
> It's well-defined and correctly handled if you do the arithmetic
> in uintptr_t.  No need for knobs.

So why not extend that to the pointers themselves and be done with it?

In any case, so you're saying our:

#define RELOC_HIDE(ptr, off)						\
({									\
	unsigned long __ptr;						\
	__asm__ ("" : "=r"(__ptr) : "0"(ptr));				\
	(typeof(ptr)) (__ptr + (off));					\
})

could be written like:

#define RELOC_HIDE(ptr, off)			\
({						\
	uintptr_t __ptr = (ptr);		\
	(typeof(ptr)) (__ptr + (off));		\
})

Without laundering it through inline asm?

Is there any advantage to doing so?

But this still means we need to be aware of this and use these macros to
launder our pointers.

Which gets us back to the issue that started this whole thread. We have
code that now gets miscompiled, silently.

That is a bad situation. So we need to either avoid the miscompilation,
or make it verbose.

> > Can't we get a knob extending -fno-strict-aliasing to define pointer
> > arithmetic outside of objects and overflow? I mean, we already use that,
> > we also use -fno-strict-overflow and a whole bunch of others.
> > 
> > At the very least, it would be nice to get a -W flag for when this alias
> > analysis stuff kills something so we can at least know when GCC goes and
> > defeats us.
> 
> What kind of warning do you envision?
> 
> "warning: optimized address comparison to always true/false"
> 
> ?  That would trigger all over the place.

That is indeed what I was thinking of. And I have no idea how often that
would trigger on the kernel.

I'm thinking that if this WARN isn't subject to false
positives we could live with that. Its the false positives that render
other warnings useless (too much noise on perfectly fine code etc..).

/me ponders..

So there might be a problem if this triggers in generic code due to
conditions at its use site. There we would not want to, nor could, fix
the generic code because in generic the thing would not be optimized. So
maybe we'd need an annotation still.

Hurm.