Re: [PATCH 6/7] media: don't do an unsigned int with a 31 bit shift

From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
To: Marc Gonzalez <marc.w.gonzalez@free.fr>
Cc: linux-media <linux-media@vger.kernel.org>
Subject: Re: [PATCH 6/7] media: don't do an unsigned int with a 31 bit shift
Date: Fri, 23 Aug 2019 07:20:08 -0300	[thread overview]
Message-ID: <20190823072008.5ab02f4b@coco.lan> (raw)
In-Reply-To: <82b06099-f652-47e9-99b9-3bd3ec197a4e@free.fr>

Em Fri, 23 Aug 2019 11:08:15 +0200
Marc Gonzalez <marc.w.gonzalez@free.fr> escreveu:

> On 22/08/2019 21:39, Mauro Carvalho Chehab wrote:
> 
> > [PATCH 6/7] media: don't do an unsigned int with a 31 bit shift  
> 
> s/unsigned int/signed int  ?
> 
> (See below as well.)
> 
> > Doing something like:
> > 
> > 	i32 foo = 1, bar;
> > 
> > 	bar = foo << 31;  
> 
> For my information, why did you split the expression over two lines,
> instead of just using 1 << 31 in the example above?
> (Most of the cases fixed involve a literal 1)
> 
> I.e. why didn't you just say "1 << 31 has undefined behavior" ?
> 
> Maybe patch subject can also be changed to "Don't use 1 << foo" ?
> 
> > has an undefined behavior in C, as warned by cppcheck, as we're
> > shifting a signed integer.  
> 
> Not quite right. Shifting a signed integer is well-defined in some cases.
> See paragraph 4 below. For example, 1 << 8 always resolves to 256.

I meant to say that, on a 32-bits arch, where a signed integer has
31 bits and we do a 31 bit shift, it will end touching the 32th bit,
with is an undefined behavior.

I'm changing the description to:

	media: don't do a 31 bit shift on a signed int

	On 32-bits archs, a signed integer has 31 bits plus on extra
	bit for	signal.	Due to that, touching the 32th bit with something 
	like:

	        int bar = 1 << 31;

	has an undefined behavior in C on 32 bit architectures, as it
	touches	the signal bit.	This is warned by cppcheck.

	Instead, force the numbers to be unsigned, in order to solve this
	issue.

I guess this makes it clearer.

> 
>     6.5.7 Bitwise shift operators
> 
> 1   Syntax
>              shift-expression:
>                      additive-expression
>                      shift-expression << additive-expression
>                      shift-expression >> additive-expression
> 
> 2   Constraints
>     Each of the operands shall have integer type.
> 
> 3   Semantics
>     The integer promotions are performed on each of the operands. The type of the result is
>     that of the promoted left operand. If the value of the right operand is negative or is
>     greater than or equal to the width of the promoted left operand, the behavior is undefined.

The problem is here: "greater than or equal to the width of the promoted left operand".
A 31 bit shift on a 31 bits value is undefined.

In the past, we got real issues like that at the code: gcc on x86 does the shift as
expected, so:

	u32 a = 1 << 32;

it results in:

	on i386:  a = 0
	on arm:   a = 1

I've no idea how LLVM/clang implements this.

> 
> 4   The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are filled with
>     zeros. If E1 has an unsigned type, the value of the result is E1 x 2^E2 , reduced modulo
>     one more than the maximum value representable in the result type. If E1 has a signed
>     type and non-negative value, and E1 x 2^E2 is representable in the result type, then that is
>     the resulting value; otherwise, the behavior is undefined.
> 
> 5   The result of E1 >> E2 is E1 right-shifted E2 bit positions. If E1 has an unsigned type
>     or if E1 has a signed type and a non-negative value, the value of the result is the integral
>     part of the quotient of E1 / 2^E2 . If E1 has a signed type and a negative value, the
>     resulting value is implementation-defined.
> 
> 
> > Instead, force the numbers to be unsigned, in order to solve this
> > issue.
> > 
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> > ---
> >  drivers/media/dvb-frontends/cx24123.c           |  2 +-
> >  drivers/media/pci/bt8xx/bttv-input.c            |  4 ++--
> >  drivers/media/pci/cx18/cx18-ioctl.c             |  2 +-
> >  drivers/media/pci/ivtv/ivtv-driver.c            |  2 +-
> >  drivers/media/pci/ivtv/ivtv-ioctl.c             |  4 ++--
> >  drivers/media/pci/solo6x10/solo6x10-gpio.c      |  6 +++---
> >  drivers/media/platform/exynos4-is/mipi-csis.c   |  6 +++---
> >  drivers/media/platform/fsl-viu.c                |  2 +-
> >  drivers/media/platform/mx2_emmaprp.c            |  2 +-
> >  drivers/media/platform/pxa_camera.c             |  4 ++--
> >  drivers/media/platform/qcom/venus/core.c        |  2 +-
> >  drivers/media/platform/s5p-jpeg/jpeg-regs.h     | 10 +++++-----
> >  drivers/media/platform/s5p-mfc/s5p_mfc_opr_v5.c |  4 ++--
> >  drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c |  2 +-
> >  drivers/media/radio/radio-gemtek.c              |  2 +-
> >  drivers/media/usb/dvb-usb-v2/gl861.c            |  2 +-
> >  drivers/media/usb/pvrusb2/pvrusb2-hdw.c         | 14 +++++++-------
> >  drivers/media/usb/pvrusb2/pvrusb2-v4l2.c        |  4 ++--
> >  drivers/media/v4l2-core/v4l2-ioctl.c            |  2 +-
> >  19 files changed, 38 insertions(+), 38 deletions(-)
> > 
> > diff --git a/drivers/media/dvb-frontends/cx24123.c b/drivers/media/dvb-frontends/cx24123.c
> > index ac519c3eff18..3d84ee17e54c 100644
> > --- a/drivers/media/dvb-frontends/cx24123.c
> > +++ b/drivers/media/dvb-frontends/cx24123.c
> > @@ -431,7 +431,7 @@ static u32 cx24123_int_log2(u32 a, u32 b)
> >  	u32 div = a / b;
> >  	if (a % b >= b / 2)
> >  		++div;
> > -	if (div < (1 << 31)) {
> > +	if (div < (1UL << 31)) {
> >  		for (exp = 1; div > exp; nearest++)
> >  			exp += exp;
> >  	}  
> 
> Did you pick unsigned long (rather than unsigned) because that's what is used
> in the BIT macro? 

Yes.

> My concern is that UL is 64-bit wide on some platforms, and
> when used in arithmetic expressions, compiler might generate worse code.

On Linux, long size is equal to integer size, so I don't think
that this is actually a problem.

Thanks,
Mauro