All of lore.kernel.org
 help / color / mirror / Atom feed
From: Stefano Stabellini <sstabellini@kernel.org>
To: Jan Beulich <JBeulich@suse.com>
Cc: Stefano Stabellini <stefanos@xilinx.com>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Julien Grall <julien.grall@arm.com>,
	xen-devel <xen-devel@lists.xenproject.org>,
	nd@arm.com
Subject: Re: [PATCH v4 2/2] xen: use SYMBOL when required
Date: Wed, 2 Jan 2019 10:20:31 -0800 (PST)	[thread overview]
Message-ID: <alpine.DEB.2.10.1901021006200.800@sstabellini-ThinkPad-X260> (raw)
In-Reply-To: <5BEBD25B02000078001FBCA4@prv1-mh.provo.novell.com>

On Wed, 14 Nov 2018, Jan Beulich wrote:
> >>> On 13.11.18 at 23:02, <sstabellini@kernel.org> wrote:
> > On Tue, 13 Nov 2018, Jan Beulich wrote:
> >> >>> On 13.11.18 at 14:17, <Julien.Grall@arm.com> wrote:
> >> > On 13/11/2018 12:56, Jan Beulich wrote:
> >> >>>>> On 13.11.18 at 00:06, <sstabellini@kernel.org> wrote:
> >> >>> @@ -33,8 +33,8 @@ static int init_percpu_area(unsigned int cpu)
> >> >>>       if ( (p = alloc_xenheap_pages(PERCPU_ORDER, 0)) == NULL )
> >> >>>           return -ENOMEM;
> >> >>>   
> >> >>> -    memset(p, 0, __per_cpu_data_end - __per_cpu_start);
> >> >>> -    __per_cpu_offset[cpu] = p - __per_cpu_start;
> >> >>> +    memset(p, 0, SYMBOL(__per_cpu_data_end) - SYMBOL(__per_cpu_start));
> >> >>> +    __per_cpu_offset[cpu] = (unsigned long)p - SYMBOL(__per_cpu_start);
> >> >> 
> >> >> Can't you make SYMBOL() retain the original type, such that casts
> >> >> like this one aren't needed? As soon as the compiler doesn't know
> >> >> anymore that particular globals (or statics) are used, it can't infer
> >> >> anymore that two pointers can't possibly point into the same array.
> >> > 
> >> > If SYMBOL() keeps the original type, then you will still substract 2 
> >> > pointers. If the compiler can't infer the cannot possibly point into the 
> >> > same array, it also cannot infer they point to the same. So that would 
> >> > be undefined, right?
> >> 
> >> Undefined behavior results if you _actually_ subtract pointers pointing
> >> into different objects. Subtracting of pointers is not generally undefined.
> >> The compiler can use undefined-ness only if it can prove that both
> >> pointers do point into different objects.
> > 
> > Let's remember that we are not trying to work-around the compiler, we
> > are trying to make our code C standard compliant :-)  The compiler might
> > not be able to infer anymore that two pointers can't possibly point into
> > the same array, but we would still be not-compliant. It doesn't solve
> > our problem, especially in regards to certifications.
> 
> But then this entire patch is pointless: SYMBOL() is exclusively about
> deluding the compiler. To make the code standard compliant, you'd
> have to e.g. do away with all combined (start and end) uses (in C
> files) of symbols bounding sections. I at least cannot think of a
> standard compliant way of expressing these. Oddly enough I had
> once tried to deal with this issue (for other reasons), but the patch
> wasn't liked:
> https://lists.xenproject.org/archives/html/xen-devel/2016-08/msg02718.html
> All the remaining end symbols then could obviously go away in favor
> of using the size expressions, but as you see further C limitations
> make it necessary to use asm() for the ones which get converted.
> 
> Talking of asm()-s: C standard compliance, in a strict sense, would
> require dropping all of them as well. I'm afraid that when writing
> special purpose code like OS kernels or hypervisors are, if you
> want to avoid to resort extensively to assembly code, you'll have
> to accept to bend some of the language rules, just making sure
> that the compiler won't have means to mis-interpret the constructs
> used.
>
> > I is safer to use unsigned long as return type for SYMBOL and avoid
> > pointers comparisons completely. The code impact is very limited and
> > then we don't have to prove same or different "objectness" at all.
> 
> Well, that's one perspective to take. The other is that hidden or
> explicit casts are always a risk (and hence when reviewing code
> I'm quite picky about any ones introduced anew or even just
> retained without reason). Making constructs needing to cast
> things at least finally cast back to the original type often at least
> lowers this risk.

The new casts added actually cancel themselves out with the ones been
removed (some casts to unsigned long have been removed). I went through
the patch, these are the stats:

arch/arm: +4
arch/x86:  0
common:   -4

Overall the impact is basically null. Given the plus side of not having to
prove same or different "objectness", I think it is the best compromise
in this case. My preference is to use unsigned long as return type, as
done in this version of the patch.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

  reply	other threads:[~2019-01-02 18:20 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-12 23:06 [PATCH v4 0/2] misc safety certification fixes Stefano Stabellini
2018-11-12 23:06 ` [PATCH v4 1/2] xen: introduce SYMBOL Stefano Stabellini
2018-11-12 23:06 ` [PATCH v4 2/2] xen: use SYMBOL when required Stefano Stabellini
2018-11-13 12:56   ` Jan Beulich
2018-11-13 13:17     ` Julien Grall
2018-11-13 13:27       ` Jan Beulich
2018-11-13 22:02         ` Stefano Stabellini
2018-11-14  7:44           ` Jan Beulich
2019-01-02 18:20             ` Stefano Stabellini [this message]
2019-01-04  8:48               ` Jan Beulich
2019-01-04 17:05                 ` Stefano Stabellini
2019-01-07  7:39                   ` Jan Beulich
2019-01-07 18:29                     ` Stefano Stabellini
2019-01-08  8:03                       ` Jan Beulich
2019-01-08 17:36                         ` Stefano Stabellini
2019-01-08 18:08                           ` Stefano Stabellini
2019-01-08 18:43                             ` Julien Grall
2019-01-09  9:39                             ` Jan Beulich
2019-01-09 23:50                               ` Stefano Stabellini
2019-01-02 18:20     ` Stefano Stabellini
2019-01-02 21:04       ` Stefano Stabellini
2019-01-03 19:22         ` Stefano Stabellini
2018-12-20 17:26 ` [PATCH v4 0/2] misc safety certification fixes Julien Grall
2018-12-21  9:27   ` Jan Beulich
2018-12-21 10:34     ` Julien Grall
2018-12-21 17:15       ` Stefano Stabellini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.10.1901021006200.800@sstabellini-ThinkPad-X260 \
    --to=sstabellini@kernel.org \
    --cc=JBeulich@suse.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=julien.grall@arm.com \
    --cc=nd@arm.com \
    --cc=stefanos@xilinx.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.