From: David Laight <David.Laight@ACULAB.COM>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
'Andy Shevchenko' <andriy.shevchenko@linux.intel.com>,
'Andrew Morton' <akpm@linux-foundation.org>,
"'Matthew Wilcox (Oracle)'" <willy@infradead.org>,
'Christoph Hellwig' <hch@infradead.org>,
"'Jason A. Donenfeld'" <Jason@zx2c4.com>
Subject: [PATCH next v4 2/5] minmax: Allow min()/max()/clamp() if the arguments have the same signedness.
Date: Mon, 18 Sep 2023 08:17:15 +0000 [thread overview]
Message-ID: <fe7e6c542e094bfca655abcd323c1c98@AcuMS.aculab.com> (raw)
In-Reply-To: <b97faef60ad24922b530241c5d7c933c@AcuMS.aculab.com>
The type-check in min()/max() is there to stop unexpected results if a
negative value gets converted to a large unsigned value.
However it also rejects 'unsigned int' v 'unsigned long' compares
which are common and never problematc.
Replace the 'same type' check with a 'same signedness' check.
The new test isn't itself a compile time error, so use static_assert()
to report the error and give a meaningful error message.
Due to the way builtin_choose_expr() works detecting the error in the
'non-constant' side (where static_assert() can be used) also detects
errors when the arguments are constant.
Signed-off-by: David Laight <david.laight@aculab.com>
---
V4: No change.
v3:
- Wrap is_signed_type() in __builtin_choose_expr() and __is_constexpr().
Generates a compile-time 0 for pointer types avoiding a bug in clang < 16.
v2:
- #include <linux/build_bug.h> to fix 'um' build.
This matches a separate commit from Andy.
- Do not delete __typecheck() - used outside this file.
- Use __builtin_choose_expr() in __clamp_once() to fix clang builds.
include/linux/minmax.h | 61 +++++++++++++++++++++++-------------------
1 file changed, 33 insertions(+), 28 deletions(-)
diff --git a/include/linux/minmax.h b/include/linux/minmax.h
index 0e89c78810f6..a3705eb2dc3e 100644
--- a/include/linux/minmax.h
+++ b/include/linux/minmax.h
@@ -2,6 +2,7 @@
#ifndef _LINUX_MINMAX_H
#define _LINUX_MINMAX_H
+#include <linux/build_bug.h>
#include <linux/const.h>
#include <linux/types.h>
@@ -10,9 +11,8 @@
*
* - avoid multiple evaluations of the arguments (so side-effects like
* "x++" happen only once) when non-constant.
- * - perform strict type-checking (to generate warnings instead of
- * nasty runtime surprises). See the "unnecessary" pointer comparison
- * in __typecheck().
+ * - perform signed v unsigned type-checking (to generate compile
+ * errors instead of nasty runtime surprises).
* - retain result as a constant expressions when called with only
* constant expressions (to avoid tripping VLA warnings in stack
* allocation usage).
@@ -20,23 +20,30 @@
#define __typecheck(x, y) \
(!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
-#define __no_side_effects(x, y) \
- (__is_constexpr(x) && __is_constexpr(y))
+/* is_signed_type() isn't a constexpr for pointer types */
+#define __is_signed(x) \
+ __builtin_choose_expr(__is_constexpr(is_signed_type(typeof(x))), \
+ is_signed_type(typeof(x)), 0)
-#define __safe_cmp(x, y) \
- (__typecheck(x, y) && __no_side_effects(x, y))
+#define __types_ok(x, y) \
+ (__is_signed(x) == __is_signed(y))
-#define __cmp(x, y, op) ((x) op (y) ? (x) : (y))
+#define __cmp_op_min <
+#define __cmp_op_max >
-#define __cmp_once(x, y, unique_x, unique_y, op) ({ \
+#define __cmp(op, x, y) ((x) __cmp_op_##op (y) ? (x) : (y))
+
+#define __cmp_once(op, x, y, unique_x, unique_y) ({ \
typeof(x) unique_x = (x); \
typeof(y) unique_y = (y); \
- __cmp(unique_x, unique_y, op); })
+ static_assert(__types_ok(x, y), \
+ #op "(" #x ", " #y ") signedness error, fix types or consider u" #op "() before " #op "_t()"); \
+ __cmp(op, unique_x, unique_y); })
-#define __careful_cmp(x, y, op) \
- __builtin_choose_expr(__safe_cmp(x, y), \
- __cmp(x, y, op), \
- __cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
+#define __careful_cmp(op, x, y) \
+ __builtin_choose_expr(__is_constexpr((x) - (y)), \
+ __cmp(op, x, y), \
+ __cmp_once(op, x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y)))
#define __clamp(val, lo, hi) \
((val) >= (hi) ? (hi) : ((val) <= (lo) ? (lo) : (val)))
@@ -45,17 +52,15 @@
typeof(val) unique_val = (val); \
typeof(lo) unique_lo = (lo); \
typeof(hi) unique_hi = (hi); \
+ static_assert(__builtin_choose_expr(__is_constexpr((lo) > (hi)), \
+ (lo) <= (hi), true), \
+ "clamp() low limit " #lo " greater than high limit " #hi); \
+ static_assert(__types_ok(val, lo), "clamp() 'lo' signedness error"); \
+ static_assert(__types_ok(val, hi), "clamp() 'hi' signedness error"); \
__clamp(unique_val, unique_lo, unique_hi); })
-#define __clamp_input_check(lo, hi) \
- (BUILD_BUG_ON_ZERO(__builtin_choose_expr( \
- __is_constexpr((lo) > (hi)), (lo) > (hi), false)))
-
#define __careful_clamp(val, lo, hi) ({ \
- __clamp_input_check(lo, hi) + \
- __builtin_choose_expr(__typecheck(val, lo) && __typecheck(val, hi) && \
- __typecheck(hi, lo) && __is_constexpr(val) && \
- __is_constexpr(lo) && __is_constexpr(hi), \
+ __builtin_choose_expr(__is_constexpr((val) - (lo) + (hi)), \
__clamp(val, lo, hi), \
__clamp_once(val, lo, hi, __UNIQUE_ID(__val), \
__UNIQUE_ID(__lo), __UNIQUE_ID(__hi))); })
@@ -65,14 +70,14 @@
* @x: first value
* @y: second value
*/
-#define min(x, y) __careful_cmp(x, y, <)
+#define min(x, y) __careful_cmp(min, x, y)
/**
* max - return maximum of two values of the same or compatible types
* @x: first value
* @y: second value
*/
-#define max(x, y) __careful_cmp(x, y, >)
+#define max(x, y) __careful_cmp(max, x, y)
/**
* umin - return minimum of two non-negative values
@@ -81,7 +86,7 @@
* @y: second value
*/
#define umin(x, y) \
- __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, <)
+ __careful_cmp(min, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull)
/**
* umax - return maximum of two non-negative values
@@ -89,7 +94,7 @@
* @y: second value
*/
#define umax(x, y) \
- __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, >)
+ __careful_cmp(max, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull)
/**
* min3 - return minimum of three values
@@ -141,7 +146,7 @@
* @x: first value
* @y: second value
*/
-#define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
+#define min_t(type, x, y) __careful_cmp(min, (type)(x), (type)(y))
/**
* max_t - return maximum of two values, using the specified type
@@ -149,7 +154,7 @@
* @x: first value
* @y: second value
*/
-#define max_t(type, x, y) __careful_cmp((type)(x), (type)(y), >)
+#define max_t(type, x, y) __careful_cmp(max, (type)(x), (type)(y))
/*
* Remove a const qualifier from integer types
--
2.17.1
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
next prev parent reply other threads:[~2023-09-18 8:22 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-18 8:14 [PATCH next v4 0/5] minmax: Relax type checks in min() and max() David Laight
2023-09-18 8:16 ` [PATCH next v4 1/5] minmax: Add umin(a, b) and umax(a, b) David Laight
2024-01-12 12:49 ` Dan Carpenter
2024-01-12 13:40 ` David Laight
2024-01-12 14:03 ` Dan Carpenter
2024-01-12 14:26 ` David Laight
2024-01-18 10:30 ` Dan Carpenter
2023-09-18 8:17 ` David Laight [this message]
2023-09-18 8:17 ` [PATCH next v4 3/5] minmax: Fix indentation of __cmp_once() and __clamp_once() David Laight
2023-09-18 8:18 ` [PATCH next v4 4/5] minmax: Allow comparisons of 'int' against 'unsigned char/short' David Laight
2023-09-18 8:19 ` [PATCH next v4 5/5] minmax: Relax check to allow comparison between unsigned arguments and signed constants David Laight
2023-09-27 17:30 ` [PATCH next v4 0/5] minmax: Relax type checks in min() and max() Andrew Morton
2023-09-28 8:10 ` David Laight
2024-01-08 11:46 ` Jiri Slaby
2024-01-08 13:34 ` David Laight
2024-01-08 18:19 ` Linus Torvalds
2024-01-08 20:04 ` Linus Torvalds
2024-01-08 21:11 ` Linus Torvalds
2024-01-09 0:39 ` [PATCH next v4 0/5] minmax: Relax type checks in min() and max().^[[C John Stoffel
2024-01-09 6:54 ` [PATCH next v4 0/5] minmax: Relax type checks in min() and max() Jiri Slaby
2024-01-10 6:17 ` Stephen Rothwell
2024-01-10 9:03 ` David Laight
2024-01-10 19:35 ` Linus Torvalds
2024-01-10 22:58 ` David Laight
2024-01-20 21:33 ` Linus Torvalds
2024-01-21 22:18 ` David Laight
2024-01-09 9:35 ` David Laight
2024-01-09 9:41 ` David Laight
2024-01-09 12:09 ` Kalle Valo
2024-01-19 7:14 ` Jiri Slaby
2024-01-19 8:23 ` Hans Verkuil
2024-01-19 9:14 ` David Laight
2024-01-12 9:13 ` Dan Carpenter
2024-01-12 12:16 ` David Laight
2024-01-12 12:40 ` Dan Carpenter
2023-09-18 22:00 [PATCH next v4 2/5] minmax: Allow min()/max()/clamp() if the arguments have the same signedness kernel test robot
2023-09-18 22:51 kernel test robot
2023-09-19 2:28 kernel test robot
2023-09-20 20:42 kernel test robot
2023-09-22 13:13 kernel test robot
2023-09-26 6:27 kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fe7e6c542e094bfca655abcd323c1c98@AcuMS.aculab.com \
--to=david.laight@aculab.com \
--cc=Jason@zx2c4.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.