From: Nathan Chancellor <nathan@kernel.org>
To: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Cc: keescook@chromium.org, luc.vanoostenryck@gmail.com,
	ndesaulniers@google.com, trix@redhat.com, dlatypov@google.com,
	vitor@massaru.org, gustavoars@kernel.org,
	linux-hardening@vger.kernel.org, llvm@lists.linux.dev,
	jani.nikula@linux.intel.com, joonas.lahtinen@linux.intel.com,
	rodrigo.vivi@intel.com, tvrtko.ursulin@linux.intel.com,
	airlied@linux.ie, daniel@ffwll.ch, linux-kernel@vger.kernel.org,
	intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
	linux-sparse@vger.kernel.org, arnd@kernel.org,
	mchehab@kernel.org, mauro.chehab@linux.intel.com
Subject: Re: [PATCH v4] overflow: Introduce overflows_type() and castable_to_type()
Date: Fri, 21 Oct 2022 09:06:10 -0700
Message-ID: <Y1LDctjps1M8MuK8@dev-arch.thelio-3990X>
In-Reply-To: <20221021083333.646269-1-gwan-gyeong.mun@intel.com>

Hi Gwan-gyeong,

On Fri, Oct 21, 2022 at 11:33:33AM +0300, Gwan-gyeong Mun wrote:
> From: Kees Cook <keescook@chromium.org>
> 
> Implement a robust overflows_type() macro to test if a variable or
> constant value would overflow another variable or type. This can be
> used as a constant expression for static_assert() (which requires a
> constant expression[1][2]) when used on constant values. This must be
> constructed manually, since __builtin_add_overflow() does not produce
> a constant expression[3].
> 
> Additionally adds castable_to_type(), similar to __same_type(), but for
> checking if a constant value would overflow if cast to a given type.
> 
> Add unit tests for overflows_type(), __same_type(), and castable_to_type()
> to the existing KUnit "overflow" test.
> 
> [1] https://en.cppreference.com/w/c/language/_Static_assert
> [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
> [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
>     6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
>     Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
> 
> Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Tom Rix <trix@redhat.com>
> Cc: Daniel Latypov <dlatypov@google.com>
> Cc: Vitor Massaru Iha <vitor@massaru.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Jani Nikula <jani.nikula@intel.com>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: linux-hardening@vger.kernel.org
> Cc: llvm@lists.linux.dev
> Co-developed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
> Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>

<snip>

> diff --git a/lib/Makefile b/lib/Makefile
> index 161d6a724ff7..e061aad90539 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -376,6 +376,10 @@ obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o
>  obj-$(CONFIG_SLUB_KUNIT_TEST) += slub_kunit.o
>  obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o
>  obj-$(CONFIG_IS_SIGNED_TYPE_KUNIT_TEST) += is_signed_type_kunit.o
> +# We're expecting to do a lot of "always true" or "always false" tests.
> +ifdef CONFIG_CC_IS_CLANG
> +CFLAGS_overflow_kunit.o += $(call cc-disable-warning, tautological-constant-out-of-range-compare)

If you are going to wrap this in CONFIG_CC_IS_CLANG (which is good),
drop the cc-disable-warning and just disable the warning directly.

CFLAGS_overflow_kunit.o += -Wno-tautological-constant-out-of-range-compare

All kernel supported clang versions support this warning so there is no
point in checking for its existence before disabling it with
cc-disable-warning. scripts/Makefile.extrawarn does this as well.

> +endif
>  obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o
>  CFLAGS_stackinit_kunit.o += $(call cc-disable-warning, switch-unreachable)
>  obj-$(CONFIG_ST&ACKINIT_KUNIT_TEST) += stackinit_kunit.o
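
Review bot: The `CFLAGS_overflow_kunit.o` line inside the `ifdef CONFIG_CC_IS_CLANG` block turns off tautological-constant-out-of-range-compare for the whole of overflow_kunit.o, not only for the new overflows_type() and castable_to_type() tests, so an unintended always-true or always-false comparison anywhere else in that object would no longer be reported by clang. The added comment says only that "a lot" of such tests are expected; consider naming the tests that rely on the suppression there, or scoping it to those tests in the source with a diagnostic pragma so the rest of the file keeps the warning.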

Cheers,
Nathan
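
Added example, not code from the patch or from the kernel: the quoted commit message says overflows_type() has to be constructed by hand so that it can feed static_assert(), and the hypothetical OVERFLOWS() macro below shows one way a range check can stay an integer constant expression, with the GCC/Clang builtin beside it for the run-time case. Every macro and function name here is an assumption made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical names for illustration; this is not the kernel's overflow.h. */
#define IS_SIGNED(T) ((T)-1 < (T)1)
#define TYPE_MAX(T) (IS_SIGNED(T) \
    ? (T)(((((T)1 << (sizeof(T) * CHAR_BIT - 2)) - 1) * 2) + 1) : (T)-1)
#define TYPE_MIN(T) (IS_SIGNED(T) ? (T)(-TYPE_MAX(T) - 1) : (T)0)

/*
 * True when v is not representable in T. Negative values are compared as
 * intmax_t and non-negative ones as uintmax_t, so mixed signedness never
 * goes through an implicit conversion. Only casts, sizeof and constants
 * are used, so a constant v yields an integer constant expression.
 */
#define OVERFLOWS(v, T) ((v) < 0 \
    ? (!IS_SIGNED(T) || (intmax_t)(v) < (intmax_t)TYPE_MIN(T)) \
    : (uintmax_t)(v) > (uintmax_t)TYPE_MAX(T))

/* Compile-time use: these fail the build, not a test run, if they regress. */
_Static_assert(!OVERFLOWS(255, uint8_t), "255 fits in u8");
_Static_assert(OVERFLOWS(256, uint8_t), "256 does not fit in u8");
_Static_assert(OVERFLOWS(-1, uint32_t), "a negative value never fits unsigned");
_Static_assert(OVERFLOWS(UINT32_MAX, int32_t), "u32 max exceeds s32 max");
_Static_assert(!OVERFLOWS(INT64_MIN, int64_t), "s64 min fits in s64");

/* Run-time use: narrow a 64-bit length to a 16-bit field, refusing to truncate. */
bool store_len16(uint64_t len, uint16_t *out)
{
    if (OVERFLOWS(len, uint16_t))
        return false;
    *out = (uint16_t)len;
    return true;
}

/* The same question asked through the GCC/Clang builtin; per the commit
 * message this form is not a constant expression, so it cannot be used
 * in the static assertions above. */
bool overflows_u16_builtin(uint64_t len)
{
    uint16_t tmp;
    return __builtin_add_overflow(len, 0, &tmp);
}

int main(void)
{
    uint16_t field = 0;
    return store_len16(65535, &field) && !store_len16(65536, &field) ? 0 : 1;
}
```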
