From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1424806AbdEYSaJ (ORCPT ); Thu, 25 May 2017 14:30:09 -0400 Received: from mail-it0-f54.google.com ([209.85.214.54]:36592 "EHLO mail-it0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1034950AbdEYSaD (ORCPT ); Thu, 25 May 2017 14:30:03 -0400 MIME-Version: 1.0 In-Reply-To: <20170525120316.24473-6-abbotti@mev.co.uk> References: <20170525120316.24473-1-abbotti@mev.co.uk> <20170525120316.24473-6-abbotti@mev.co.uk> From: Kees Cook Date: Thu, 25 May 2017 11:30:01 -0700 X-Google-Sender-Auth: wyBhIhmuYdARRfhq7_pucbAYp-w Message-ID: Subject: Re: [PATCH v5 5/6] bug: split BUILD_BUG stuff out into To: Ian Abbott Cc: LKML , linux-arch , Alexander Potapenko , Andrew Morton , Arnd Bergmann , Borislav Petkov , Hidehiro Kawai , Jakub Kicinski , Johannes Berg , Michal Nazarewicz , Peter Zijlstra , Rasmus Villemoes , Steven Rostedt Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 25, 2017 at 5:03 AM, Ian Abbott wrote: > Including pulls in a lot of bloat from and > that is not needed to call the BUILD_BUG() family of > macros. Split them out into their own header, . > > Also correct some checkpatch.pl errors for the BUILD_BUG_ON_ZERO() and > BUILD_BUG_ON_NULL() macros by adding parentheses around the bitfield > widths that begin with a minus sign. > > Signed-off-by: Ian Abbott Oh yes, thank you. I've had a few places where I would have liked to use BUILD_BUG_ON() but avoided it due to the header soup. :) Acked-by: Kees Cook -Kees > Cc: Andrew Morton > Cc: Kees Cook > Cc: Steven Rostedt > Cc: Peter Zijlstra > Cc: Jakub Kicinski > Cc: Rasmus Villemoes > --- > v5: Actually, there was no v1 thru v4. I called this v5 to match the > series. > --- > include/linux/bug.h | 74 +---------------------------------------- > include/linux/build_bug.h | 84 +++++++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 85 insertions(+), 73 deletions(-) > create mode 100644 include/linux/build_bug.h > > diff --git a/include/linux/bug.h b/include/linux/bug.h > index 483207cb99fb..5d5554c874fd 100644 > --- a/include/linux/bug.h > +++ b/include/linux/bug.h > @@ -3,6 +3,7 @@ > > #include > #include > +#include > > enum bug_trap_type { > BUG_TRAP_TYPE_NONE = 0, > @@ -13,82 +14,9 @@ enum bug_trap_type { > struct pt_regs; > > #ifdef __CHECKER__ > -#define __BUILD_BUG_ON_NOT_POWER_OF_2(n) (0) > -#define BUILD_BUG_ON_NOT_POWER_OF_2(n) (0) > -#define BUILD_BUG_ON_ZERO(e) (0) > -#define BUILD_BUG_ON_NULL(e) ((void *)0) > -#define BUILD_BUG_ON_INVALID(e) (0) > -#define BUILD_BUG_ON_MSG(cond, msg) (0) > -#define BUILD_BUG_ON(condition) (0) > -#define BUILD_BUG() (0) > #define MAYBE_BUILD_BUG_ON(cond) (0) > #else /* __CHECKER__ */ > > -/* Force a compilation error if a constant expression is not a power of 2 */ > -#define __BUILD_BUG_ON_NOT_POWER_OF_2(n) \ > - BUILD_BUG_ON(((n) & ((n) - 1)) != 0) > -#define BUILD_BUG_ON_NOT_POWER_OF_2(n) \ > - BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0)) > - > -/* > - * Force a compilation error if condition is true, but also produce a > - * result (of value 0 and type size_t), so the expression can be used > - * e.g. in a structure initializer (or where-ever else comma expressions > - * aren't permitted). > - */ > -#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:(-!!(e)); })) > -#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:(-!!(e)); })) > - > -/* > - * BUILD_BUG_ON_INVALID() permits the compiler to check the validity of the > - * expression but avoids the generation of any code, even if that expression > - * has side-effects. > - */ > -#define BUILD_BUG_ON_INVALID(e) ((void)(sizeof((__force long)(e)))) > - > -/** > - * BUILD_BUG_ON_MSG - break compile if a condition is true & emit supplied > - * error message. > - * @condition: the condition which the compiler should know is false. > - * > - * See BUILD_BUG_ON for description. > - */ > -#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) > - > -/** > - * BUILD_BUG_ON - break compile if a condition is true. > - * @condition: the condition which the compiler should know is false. > - * > - * If you have some code which relies on certain constants being equal, or > - * some other compile-time-evaluated condition, you should use BUILD_BUG_ON to > - * detect if someone changes it. > - * > - * The implementation uses gcc's reluctance to create a negative array, but gcc > - * (as of 4.4) only emits that error for obvious cases (e.g. not arguments to > - * inline functions). Luckily, in 4.3 they added the "error" function > - * attribute just for this type of case. Thus, we use a negative sized array > - * (should always create an error on gcc versions older than 4.4) and then call > - * an undefined function with the error attribute (should always create an > - * error on gcc 4.3 and later). If for some reason, neither creates a > - * compile-time error, we'll still have a link-time error, which is harder to > - * track down. > - */ > -#ifndef __OPTIMIZE__ > -#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)])) > -#else > -#define BUILD_BUG_ON(condition) \ > - BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition) > -#endif > - > -/** > - * BUILD_BUG - break compile if used. > - * > - * If you have some code that you expect the compiler to eliminate at > - * build time, you should use BUILD_BUG to detect if it is > - * unexpectedly used. > - */ > -#define BUILD_BUG() BUILD_BUG_ON_MSG(1, "BUILD_BUG failed") > - > #define MAYBE_BUILD_BUG_ON(cond) \ > do { \ > if (__builtin_constant_p((cond))) \ > diff --git a/include/linux/build_bug.h b/include/linux/build_bug.h > new file mode 100644 > index 000000000000..b7d22d60008a > --- /dev/null > +++ b/include/linux/build_bug.h > @@ -0,0 +1,84 @@ > +#ifndef _LINUX_BUILD_BUG_H > +#define _LINUX_BUILD_BUG_H > + > +#include > + > +#ifdef __CHECKER__ > +#define __BUILD_BUG_ON_NOT_POWER_OF_2(n) (0) > +#define BUILD_BUG_ON_NOT_POWER_OF_2(n) (0) > +#define BUILD_BUG_ON_ZERO(e) (0) > +#define BUILD_BUG_ON_NULL(e) ((void *)0) > +#define BUILD_BUG_ON_INVALID(e) (0) > +#define BUILD_BUG_ON_MSG(cond, msg) (0) > +#define BUILD_BUG_ON(condition) (0) > +#define BUILD_BUG() (0) > +#else /* __CHECKER__ */ > + > +/* Force a compilation error if a constant expression is not a power of 2 */ > +#define __BUILD_BUG_ON_NOT_POWER_OF_2(n) \ > + BUILD_BUG_ON(((n) & ((n) - 1)) != 0) > +#define BUILD_BUG_ON_NOT_POWER_OF_2(n) \ > + BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0)) > + > +/* > + * Force a compilation error if condition is true, but also produce a > + * result (of value 0 and type size_t), so the expression can be used > + * e.g. in a structure initializer (or where-ever else comma expressions > + * aren't permitted). > + */ > +#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:(-!!(e)); })) > +#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:(-!!(e)); })) > + > +/* > + * BUILD_BUG_ON_INVALID() permits the compiler to check the validity of the > + * expression but avoids the generation of any code, even if that expression > + * has side-effects. > + */ > +#define BUILD_BUG_ON_INVALID(e) ((void)(sizeof((__force long)(e)))) > + > +/** > + * BUILD_BUG_ON_MSG - break compile if a condition is true & emit supplied > + * error message. > + * @condition: the condition which the compiler should know is false. > + * > + * See BUILD_BUG_ON for description. > + */ > +#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) > + > +/** > + * BUILD_BUG_ON - break compile if a condition is true. > + * @condition: the condition which the compiler should know is false. > + * > + * If you have some code which relies on certain constants being equal, or > + * some other compile-time-evaluated condition, you should use BUILD_BUG_ON to > + * detect if someone changes it. > + * > + * The implementation uses gcc's reluctance to create a negative array, but gcc > + * (as of 4.4) only emits that error for obvious cases (e.g. not arguments to > + * inline functions). Luckily, in 4.3 they added the "error" function > + * attribute just for this type of case. Thus, we use a negative sized array > + * (should always create an error on gcc versions older than 4.4) and then call > + * an undefined function with the error attribute (should always create an > + * error on gcc 4.3 and later). If for some reason, neither creates a > + * compile-time error, we'll still have a link-time error, which is harder to > + * track down. > + */ > +#ifndef __OPTIMIZE__ > +#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)])) > +#else > +#define BUILD_BUG_ON(condition) \ > + BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition) > +#endif > + > +/** > + * BUILD_BUG - break compile if used. > + * > + * If you have some code that you expect the compiler to eliminate at > + * build time, you should use BUILD_BUG to detect if it is > + * unexpectedly used. > + */ > +#define BUILD_BUG() BUILD_BUG_ON_MSG(1, "BUILD_BUG failed") > + > +#endif /* __CHECKER__ */ > + > +#endif /* _LINUX_BUILD_BUG_H */ > -- > 2.11.0 > -- Kees Cook Pixel Security