From: Nick Desaulniers <ndesaulniers@google.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Segher Boessenkool <segher@kernel.crashing.org>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org,
linux-arch@vger.kernel.org, linux-toolchains@vger.kernel.org,
Masahiro Yamada <masahiroy@kernel.org>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH] kbuild: treat char as always signed
Date: Wed, 19 Oct 2022 11:10:34 -0700 [thread overview]
Message-ID: <CAKwvOdmDz2VfU1JJkAEnPLTcx4PHH48KfZQfW6gvO6we_QbrRQ@mail.gmail.com> (raw)
In-Reply-To: <CAHk-=whggBoH78ojE0wttyHKwuf48hrSS_X7s3D3Qd_516ayzQ@mail.gmail.com>
On Wed, Oct 19, 2022 at 10:26 AM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> On Wed, Oct 19, 2022 at 10:14 AM Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > The pointer-sign thing doesn't actually help (ie it won't find places
> > where you actually compare a char), and it causes untold damage in
> > doing completely insane things.
>
> Side note: several years ago I tried to make up some sane rules to
> have 'sparse' actually be able to warn when a 'char' was used in a
> context where the sign mattered.
Do you have examples? Maybe we could turn this into a compiler feature
request. Having prior art on the problem would be a boon.
>
> I failed miserably.
>
> You actually can see some signs (heh) of that in the sparse sources,
> in that the type system actually has a bit for explicitly signed types
> ("MOD_EXPLICITLY_SIGNED"), but it ends up being almost entirely
> unused.
>
> That bit does still have one particular use: the "bitfield is
> dubiously signed" thing where sparse will complain about bitfields
> that are implicitly (but not explicitly) signed. Because people really
> expect 'int a:1' to have values 0/1, not 0/-1.
Clang's -Wbitfield-constant-conversion can catch that.
commit 5c5c2baad2b5 ("ASoC: mchp-spdiftx: Fix clang
-Wbitfield-constant-conversion")
commit eab9100d9898 ("ASoC: mchp-spdiftx: Fix clang
-Wbitfield-constant-conversion")
commit 37209783c73a ("thunderbolt: Make priority unsigned in struct tb_path")
>
> But the original intent was to find code where people used a 'char'
> that wasn't explicitly signed, and that then had architecture-defined
> behavior.
>
> I just could not come up with any even remotely sane warning
> heuristics that didn't have a metric buttload of false positives.
>
> I still have this feeling that it *should* be possible to warn about
> the situation where you end up doing an implicit type widening (ie the
> normal C "arithmetic is always done in at least 'int'") that then does
> not get narrowed down again without the upper bits ever mattering.
>
> But it needs somebody smarter than me, I'm afraid.
>
> And the fact that I don't think any other compiler has that warning
> either makes me just wonder if my feeling that it should be possible
> is just wrong.
>
> Linus
--
Thanks,
~Nick Desaulniers
next prev parent reply other threads:[~2022-10-19 18:10 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-19 16:26 [PATCH] kbuild: treat char as always signed Jason A. Donenfeld
2022-10-19 16:54 ` Segher Boessenkool
2022-10-19 17:14 ` Linus Torvalds
2022-10-19 17:26 ` Linus Torvalds
2022-10-19 18:10 ` Nick Desaulniers [this message]
2022-10-19 18:35 ` Linus Torvalds
2022-10-19 19:23 ` Andy Shevchenko
2022-10-19 19:36 ` Linus Torvalds
2022-10-19 17:43 ` Segher Boessenkool
2022-10-19 18:11 ` Linus Torvalds
2022-10-19 18:20 ` Nick Desaulniers
2022-10-19 18:56 ` Linus Torvalds
2022-10-19 19:11 ` Kees Cook
2022-10-19 19:30 ` Linus Torvalds
2022-10-19 20:35 ` Jason A. Donenfeld
2022-10-20 0:10 ` Linus Torvalds
2022-10-20 3:11 ` Jason A. Donenfeld
2022-10-19 20:15 ` Segher Boessenkool
2022-10-19 21:07 ` David Laight
2022-10-19 21:26 ` Segher Boessenkool
2022-10-20 10:41 ` Gabriel Paubert
2022-10-21 22:46 ` Linus Torvalds
2022-10-22 6:06 ` Gabriel Paubert
2022-10-22 18:16 ` Linus Torvalds
2022-10-23 20:23 ` Gabriel Paubert
2022-10-25 23:00 ` Kees Cook
2022-10-26 0:04 ` Jason A. Donenfeld
2022-10-26 15:41 ` Kees Cook
2022-10-19 19:54 ` Linus Torvalds
2022-10-19 20:23 ` Jason A. Donenfeld
2022-10-19 20:30 ` [PATCH v2] kbuild: treat char as always unsigned Jason A. Donenfeld
2022-10-19 23:56 ` Linus Torvalds
2022-10-20 0:02 ` Jason A. Donenfeld
2022-10-20 0:38 ` Linus Torvalds
2022-10-20 2:59 ` Jason A. Donenfeld
2022-10-20 18:41 ` Kees Cook
2022-10-21 1:01 ` Jason A. Donenfeld
2022-10-20 20:24 ` Segher Boessenkool
2022-10-24 9:24 ` Dan Carpenter
2022-10-24 9:30 ` Dan Carpenter
2022-10-24 16:33 ` Jason A. Donenfeld
2022-10-24 17:10 ` Linus Torvalds
2022-10-24 17:17 ` Jason A. Donenfeld
2022-10-25 19:22 ` Kalle Valo
2022-10-25 10:16 ` David Laight
2022-10-24 15:17 ` Jason A. Donenfeld
2022-12-21 14:53 ` Guenter Roeck
2022-12-21 15:05 ` Geert Uytterhoeven
2022-12-21 15:23 ` Guenter Roeck
2022-12-21 15:29 ` Rasmus Villemoes
2022-12-21 15:56 ` Guenter Roeck
2022-12-21 17:06 ` Linus Torvalds
2022-12-21 17:19 ` Guenter Roeck
2022-12-21 18:46 ` Linus Torvalds
2022-12-21 19:08 ` Linus Torvalds
2022-12-21 21:01 ` Guenter Roeck
2022-12-22 13:05 ` Geert Uytterhoeven
2022-12-22 10:41 ` David Laight
[not found] ` <f02e0ac7f2d805020a7ba66803aaff3e31b5eeff.camel@t-online.de>
2022-12-24 9:47 ` Geert Uytterhoeven
2022-12-30 11:39 ` David Laight
2022-12-30 13:13 ` David Laight
2023-01-02 8:29 ` Geert Uytterhoeven
2022-12-21 17:49 ` Andreas Schwab
2022-12-21 16:57 ` Geert Uytterhoeven
2022-10-19 20:58 ` [PATCH] kbuild: treat char as always signed David Laight
2022-10-26 0:10 ` make ctype ascii only? (was [PATCH] kbuild: treat char as always signed) Rasmus Villemoes
2022-10-26 18:10 ` Linus Torvalds
2022-10-27 7:59 ` Rasmus Villemoes
2022-10-27 18:28 ` Linus Torvalds
2022-10-20 8:39 ` [PATCH] kbuild: treat char as always signed kernel test robot
2022-10-20 16:33 ` Jason A. Donenfeld
2022-10-20 16:33 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKwvOdmDz2VfU1JJkAEnPLTcx4PHH48KfZQfW6gvO6we_QbrRQ@mail.gmail.com \
--to=ndesaulniers@google.com \
--cc=Jason@zx2c4.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-toolchains@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=segher@kernel.crashing.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.