[PATCH v1 0/2] nolibc updates for Linux 5.20

[PATCH v1 0/2] nolibc updates for Linux 5.20

[Ammar Faizi]

Hi Willy,
Hi Paul,

Not much to do this time. Only small nolibc updates here. There are two
patches in this series.

1. Address Willy's comment about overflow checking in the multiplication
   operation [1]. This patch supports overflow checking for older
   compiler versions. Currently, we use `__builtin_mul_overflow()` that
   doesn't exist in older compiler versions. Instead of using this
   built-in, use a simple division to check for overflow in the `calloc()`
   function.

2. The compiler can warn us about wrong `printf` arguments. This patch
   enables the warnings. Currently, only two functions use this attribute:
   `printf` and `fprintf`.

Hopefully, I can send more updates for 5.21+.

Thank you!

Link: https://lore.kernel.org/lkml/20220330024114.GA18892@1wt.eu [1]
Signed-off-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
---

Alviro Iskandar Setiawan (1):
  tools/nolibc/stdio: Add format attribute to enable printf warnings

Ammar Faizi (1):
  tools/nolibc/stdlib: Support overflow checking for older compiler versions

 tools/include/nolibc/stdio.h  | 4 ++--
 tools/include/nolibc/stdlib.h | 7 +++----
 2 files changed, 5 insertions(+), 6 deletions(-)


base-commit: 9a9e459ed0e76710f1258b6c1d4c0316b52b4b08
prerequisite-patch-id: e4a9acdc12961f2d4c6bb99e4790b8ffa9d15174
prerequisite-patch-id: 5a618e6a72c7d2beef4ba2c2cf01dadfbaf9a996
prerequisite-patch-id: 1bcffd448f6984eee80d86560af19672cd4ae716
prerequisite-patch-id: 3e31c80bd4dd532e30b4bba76e5d98647e21184b
prerequisite-patch-id: 34e531967a67791d5b3c3e071527de7235715906
prerequisite-patch-id: 14105c6ae9dcc068ddf12a7c1bf431066199b813
prerequisite-patch-id: 4299173943ea579f538da00488fb1a7b1a690a79
prerequisite-patch-id: dd85164f2ec9eb8cea64ab801abac614f9d0c8f5
prerequisite-patch-id: 2c1b940635d1564e26b9959eb57cf9fa6983cb2f
-- 
Ammar Faizi

[PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions

[Ammar Faizi]

Previously, we used __builtin_mul_overflow() to check for overflow in
the multiplication operation in the calloc() function. However, older
compiler versions don't support this built-in. This patch changes the
overflow checking mechanism to make it work on any compiler version
by using a division method to check for overflow. No functional change
intended. While in there, remove the unused variable `void *orig`.

Link: https://lore.kernel.org/lkml/20220330024114.GA18892@1wt.eu
Suggested-by: Willy Tarreau <w@1wt.eu>
Cc: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
---
 tools/include/nolibc/stdlib.h | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/tools/include/nolibc/stdlib.h b/tools/include/nolibc/stdlib.h
index 8fd32eaf8037..92378c4b9660 100644
--- a/tools/include/nolibc/stdlib.h
+++ b/tools/include/nolibc/stdlib.h
@@ -128,10 +128,9 @@ void *malloc(size_t len)
 static __attribute__((unused))
 void *calloc(size_t size, size_t nmemb)
 {
-	void *orig;
-	size_t res = 0;
+	size_t x = size * nmemb;
 
-	if (__builtin_expect(__builtin_mul_overflow(nmemb, size, &res), 0)) {
+	if (__builtin_expect(size && ((x / size) != nmemb), 0)) {
 		SET_ERRNO(ENOMEM);
 		return NULL;
 	}
@@ -140,7 +139,7 @@ void *calloc(size_t size, size_t nmemb)
 	 * No need to zero the heap, the MAP_ANONYMOUS in malloc()
 	 * already does it.
 	 */
-	return malloc(res);
+	return malloc(x);
 }
 
 static __attribute__((unused))
-- 
Ammar Faizi

[PATCH v1 2/2] tools/nolibc/stdio: Add format attribute to enable printf warnings

[Ammar Faizi]

From: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>

When we use printf and fprintf functions from the nolibc, we don't
get any warning from the compiler if we have the wrong arguments.
For example, the following calls will compile silently:
```
  printf("%s %s\n", "aaa");
  fprintf(stdout, "%s %s\n", "xxx", 1);
```
(Note the wrong arguments).

Those calls are undefined behavior. The compiler can help us warn
about the above mistakes by adding a `printf` format attribute to
those functions declaration. This patch adds it, and now it yields
these warnings for those mistakes:
```
  warning: format `%s` expects a matching `char *` argument [-Wformat=]
  warning: format `%s` expects argument of type `char *`, but argument 4 has type `int` [-Wformat=]
```

  [ ammarfaizi2: Simplify the attribute placement. ]

Signed-off-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
---
 tools/include/nolibc/stdio.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/include/nolibc/stdio.h b/tools/include/nolibc/stdio.h
index 15dedf8d0902..a3cebc4bc3ac 100644
--- a/tools/include/nolibc/stdio.h
+++ b/tools/include/nolibc/stdio.h
@@ -273,7 +273,7 @@ int vfprintf(FILE *stream, const char *fmt, va_list args)
 	return written;
 }
 
-static __attribute__((unused))
+static __attribute__((unused, format(printf, 2, 3)))
 int fprintf(FILE *stream, const char *fmt, ...)
 {
 	va_list args;
@@ -285,7 +285,7 @@ int fprintf(FILE *stream, const char *fmt, ...)
 	return ret;
 }
 
-static __attribute__((unused))
+static __attribute__((unused, format(printf, 1, 2)))
 int printf(const char *fmt, ...)
 {
 	va_list args;
-- 
Ammar Faizi

Re: [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions

[Willy Tarreau]

Hi Ammar,

On Fri, May 20, 2022 at 12:21:15AM +0700, Ammar Faizi wrote:
> diff --git a/tools/include/nolibc/stdlib.h b/tools/include/nolibc/stdlib.h
> index 8fd32eaf8037..92378c4b9660 100644
> --- a/tools/include/nolibc/stdlib.h
> +++ b/tools/include/nolibc/stdlib.h
> @@ -128,10 +128,9 @@ void *malloc(size_t len)
>  static __attribute__((unused))
>  void *calloc(size_t size, size_t nmemb)
>  {
> -	void *orig;
> -	size_t res = 0;
> +	size_t x = size * nmemb;
>  
> -	if (__builtin_expect(__builtin_mul_overflow(nmemb, size, &res), 0)) {
> +	if (__builtin_expect(size && ((x / size) != nmemb), 0)) {

Ah, that approach is even better than mine, I'm seeing that on x86 the
compiler simply checks the overflow flag after the multiply, that's
perfect!

Acked-by: Willy Tarreau <w@1wt.eu>

Willy

Re: [PATCH v1 2/2] tools/nolibc/stdio: Add format attribute to enable printf warnings

[Willy Tarreau]

On Fri, May 20, 2022 at 12:21:16AM +0700, Ammar Faizi wrote:
> From: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
> 
> When we use printf and fprintf functions from the nolibc, we don't
> get any warning from the compiler if we have the wrong arguments.
> For example, the following calls will compile silently:
> ```
>   printf("%s %s\n", "aaa");
>   fprintf(stdout, "%s %s\n", "xxx", 1);
> ```
> (Note the wrong arguments).
> 
> Those calls are undefined behavior. The compiler can help us warn
> about the above mistakes by adding a `printf` format attribute to
> those functions declaration.

I'm shocked I forgot it, I use it all the time, I'm even seeing this
as a bug fix for the series I sent. Thanks for fixing this mistake of
mine!

Acked-by: Willy Tarreau <w@1wt.eu>

Willy

Re: [PATCH v1 0/2] nolibc updates for Linux 5.20

[Willy Tarreau]

On Fri, May 20, 2022 at 12:21:14AM +0700, Ammar Faizi wrote:
> Not much to do this time. Only small nolibc updates here. There are two
> patches in this series.
> 
> 1. Address Willy's comment about overflow checking in the multiplication
>    operation [1]. This patch supports overflow checking for older
>    compiler versions. Currently, we use `__builtin_mul_overflow()` that
>    doesn't exist in older compiler versions. Instead of using this
>    built-in, use a simple division to check for overflow in the `calloc()`
>    function.
> 
> 2. The compiler can warn us about wrong `printf` arguments. This patch
>    enables the warnings. Currently, only two functions use this attribute:
>    `printf` and `fprintf`.

Paul, in summary I'm perfectly fine with the whole series, you can take it.

Thanks!
Willy

Re: [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions

[Alviro Iskandar Setiawan]

On Fri, May 20, 2022 at 12:21 AM Ammar Faizi <ammarfaizi2@gnuweeb.org> wrote:
> Previously, we used __builtin_mul_overflow() to check for overflow in
> the multiplication operation in the calloc() function. However, older
> compiler versions don't support this built-in. This patch changes the
> overflow checking mechanism to make it work on any compiler version
> by using a division method to check for overflow. No functional change
> intended. While in there, remove the unused variable `void *orig`.
>
> Link: https://lore.kernel.org/lkml/20220330024114.GA18892@1wt.eu
> Suggested-by: Willy Tarreau <w@1wt.eu>
> Cc: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
> Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>

Reviewed-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>

tq

-- Viro

Re: [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions

[Paul E. McKenney]

On Fri, May 20, 2022 at 06:29:56PM +0700, Alviro Iskandar Setiawan wrote:
> On Fri, May 20, 2022 at 12:21 AM Ammar Faizi <ammarfaizi2@gnuweeb.org> wrote:
> > Previously, we used __builtin_mul_overflow() to check for overflow in
> > the multiplication operation in the calloc() function. However, older
> > compiler versions don't support this built-in. This patch changes the
> > overflow checking mechanism to make it work on any compiler version
> > by using a division method to check for overflow. No functional change
> > intended. While in there, remove the unused variable `void *orig`.
> >
> > Link: https://lore.kernel.org/lkml/20220330024114.GA18892@1wt.eu
> > Suggested-by: Willy Tarreau <w@1wt.eu>
> > Cc: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
> > Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
> 
> Reviewed-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
> 
> tq
> 
> -- Viro

I have queued both patches with yours and Willy Tarreau's reviews
and acks.  Thank you all!

							Thanx, Paul