From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
To: Marc Gonzalez <marc.w.gonzalez@free.fr>
Cc: linux-media <linux-media@vger.kernel.org>
Subject: Re: [PATCH 6/7] media: don't do an unsigned int with a 31 bit shift
Date: Fri, 23 Aug 2019 07:20:08 -0300 [thread overview]
Message-ID: <20190823072008.5ab02f4b@coco.lan> (raw)
In-Reply-To: <82b06099-f652-47e9-99b9-3bd3ec197a4e@free.fr>
Em Fri, 23 Aug 2019 11:08:15 +0200
Marc Gonzalez <marc.w.gonzalez@free.fr> escreveu:
> On 22/08/2019 21:39, Mauro Carvalho Chehab wrote:
>
> > [PATCH 6/7] media: don't do an unsigned int with a 31 bit shift
>
> s/unsigned int/signed int ?
>
> (See below as well.)
>
> > Doing something like:
> >
> > i32 foo = 1, bar;
> >
> > bar = foo << 31;
>
> For my information, why did you split the expression over two lines,
> instead of just using 1 << 31 in the example above?
> (Most of the cases fixed involve a literal 1)
>
> I.e. why didn't you just say "1 << 31 has undefined behavior" ?
>
> Maybe patch subject can also be changed to "Don't use 1 << foo" ?
>
> > has an undefined behavior in C, as warned by cppcheck, as we're
> > shifting a signed integer.
>
> Not quite right. Shifting a signed integer is well-defined in some cases.
> See paragraph 4 below. For example, 1 << 8 always resolves to 256.
I meant to say that, on a 32-bits arch, where a signed integer has
31 bits and we do a 31 bit shift, it will end touching the 32th bit,
with is an undefined behavior.
I'm changing the description to:
media: don't do a 31 bit shift on a signed int
On 32-bits archs, a signed integer has 31 bits plus on extra
bit for signal. Due to that, touching the 32th bit with something
like:
int bar = 1 << 31;
has an undefined behavior in C on 32 bit architectures, as it
touches the signal bit. This is warned by cppcheck.
Instead, force the numbers to be unsigned, in order to solve this
issue.
I guess this makes it clearer.
>
> 6.5.7 Bitwise shift operators
>
> 1 Syntax
> shift-expression:
> additive-expression
> shift-expression << additive-expression
> shift-expression >> additive-expression
>
> 2 Constraints
> Each of the operands shall have integer type.
>
> 3 Semantics
> The integer promotions are performed on each of the operands. The type of the result is
> that of the promoted left operand. If the value of the right operand is negative or is
> greater than or equal to the width of the promoted left operand, the behavior is undefined.
The problem is here: "greater than or equal to the width of the promoted left operand".
A 31 bit shift on a 31 bits value is undefined.
In the past, we got real issues like that at the code: gcc on x86 does the shift as
expected, so:
u32 a = 1 << 32;
it results in:
on i386: a = 0
on arm: a = 1
I've no idea how LLVM/clang implements this.
>
> 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are filled with
> zeros. If E1 has an unsigned type, the value of the result is E1 x 2^E2 , reduced modulo
> one more than the maximum value representable in the result type. If E1 has a signed
> type and non-negative value, and E1 x 2^E2 is representable in the result type, then that is
> the resulting value; otherwise, the behavior is undefined.
>
> 5 The result of E1 >> E2 is E1 right-shifted E2 bit positions. If E1 has an unsigned type
> or if E1 has a signed type and a non-negative value, the value of the result is the integral
> part of the quotient of E1 / 2^E2 . If E1 has a signed type and a negative value, the
> resulting value is implementation-defined.
>
>
> > Instead, force the numbers to be unsigned, in order to solve this
> > issue.
> >
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> > ---
> > drivers/media/dvb-frontends/cx24123.c | 2 +-
> > drivers/media/pci/bt8xx/bttv-input.c | 4 ++--
> > drivers/media/pci/cx18/cx18-ioctl.c | 2 +-
> > drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
> > drivers/media/pci/ivtv/ivtv-ioctl.c | 4 ++--
> > drivers/media/pci/solo6x10/solo6x10-gpio.c | 6 +++---
> > drivers/media/platform/exynos4-is/mipi-csis.c | 6 +++---
> > drivers/media/platform/fsl-viu.c | 2 +-
> > drivers/media/platform/mx2_emmaprp.c | 2 +-
> > drivers/media/platform/pxa_camera.c | 4 ++--
> > drivers/media/platform/qcom/venus/core.c | 2 +-
> > drivers/media/platform/s5p-jpeg/jpeg-regs.h | 10 +++++-----
> > drivers/media/platform/s5p-mfc/s5p_mfc_opr_v5.c | 4 ++--
> > drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c | 2 +-
> > drivers/media/radio/radio-gemtek.c | 2 +-
> > drivers/media/usb/dvb-usb-v2/gl861.c | 2 +-
> > drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 14 +++++++-------
> > drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 4 ++--
> > drivers/media/v4l2-core/v4l2-ioctl.c | 2 +-
> > 19 files changed, 38 insertions(+), 38 deletions(-)
> >
> > diff --git a/drivers/media/dvb-frontends/cx24123.c b/drivers/media/dvb-frontends/cx24123.c
> > index ac519c3eff18..3d84ee17e54c 100644
> > --- a/drivers/media/dvb-frontends/cx24123.c
> > +++ b/drivers/media/dvb-frontends/cx24123.c
> > @@ -431,7 +431,7 @@ static u32 cx24123_int_log2(u32 a, u32 b)
> > u32 div = a / b;
> > if (a % b >= b / 2)
> > ++div;
> > - if (div < (1 << 31)) {
> > + if (div < (1UL << 31)) {
> > for (exp = 1; div > exp; nearest++)
> > exp += exp;
> > }
>
> Did you pick unsigned long (rather than unsigned) because that's what is used
> in the BIT macro?
Yes.
> My concern is that UL is 64-bit wide on some platforms, and
> when used in arithmetic expressions, compiler might generate worse code.
On Linux, long size is equal to integer size, so I don't think
that this is actually a problem.
Thanks,
Mauro
next prev parent reply other threads:[~2019-08-23 10:20 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-22 19:39 [PATCH 1/7] media: remove include stdarg.h from some drivers Mauro Carvalho Chehab
2019-08-22 19:39 ` [PATCH 2/7] media: vicodec: make life easier for static analyzers Mauro Carvalho Chehab
2019-08-22 19:39 ` [PATCH 3/7] media: aspeed-video: address a protential usage of an unit var Mauro Carvalho Chehab
2019-08-26 15:12 ` Eddie James
2019-08-22 19:39 ` [PATCH 4/7] media: ov9650: add a sanity check Mauro Carvalho Chehab
2019-08-23 10:33 ` Sylwester Nawrocki
2019-08-22 19:39 ` [PATCH 5/7] media: use the BIT() macro Mauro Carvalho Chehab
2019-08-23 0:08 ` Laurent Pinchart
2019-08-23 9:47 ` [PATCH v2 " Mauro Carvalho Chehab
2019-08-23 10:22 ` Sylwester Nawrocki
2019-08-23 12:12 ` Benoit Parrot
2019-08-23 20:45 ` Laurent Pinchart
2019-08-22 19:39 ` [PATCH 6/7] media: don't do an unsigned int with a 31 bit shift Mauro Carvalho Chehab
2019-08-23 9:08 ` Marc Gonzalez
2019-08-23 10:20 ` Mauro Carvalho Chehab [this message]
2019-08-23 11:09 ` Marc Gonzalez
2019-08-29 17:03 ` Kees Cook
2019-08-22 19:39 ` [PATCH 7/7] media: ngene: don't try to memcpy from NULL Mauro Carvalho Chehab
2019-08-22 19:43 ` Mauro Carvalho Chehab
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190823072008.5ab02f4b@coco.lan \
--to=mchehab+samsung@kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=marc.w.gonzalez@free.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).