From: Kees Cook
Date: Tue, 28 Nov 2017 12:34:51 -0800
Subject: Re: [PATCH] x86/syscalls: Mark expected switch fall-throughs
To: Thomas Gleixner
Cc: Linus Torvalds, Alan Cox, "Gustavo A. R. Silva", Ingo Molnar, "H. Peter Anvin", "the arch/x86 maintainers", LKML

On Tue, Nov 28, 2017 at 12:08 PM, Thomas Gleixner wrote:
> On Tue, 28 Nov 2017, Linus Torvalds wrote:
>
>> On Tue, Nov 28, 2017 at 11:00 AM, Alan Cox wrote:
>> >
>> > The notation in question has been standard in tools like lint since the
>> > end of the 1970s
>>
>> Yes.
>>
>> That said, maybe one option would be to annotate the "case:" and
>> "default:" statements if that makes people happier.
>>
>> IOW, we could do something like
>>
>>   #define fallthrough __attribute__((fallthrough))
>>
>> and then write
>>
>>   fallthrough case 1:
>>      ...
>>
>> which while absolutely not traditional, might look and read a bit more
>> logical to people. I mean, it literally _is_ a "fallthrough case", so
>> it makes semantic sense.
>>
>> Or maybe people hate that kind of "making up new syntax" too?
>
> Fine with me. Better than any comment.

One of the strong reasons to do this with comments is because it lets
us leverage existing static analyzers. The long-standard method of
marking fall-through has been with comments, and that's what the kernel
should be (and has been) doing. If we invent another method, we'll be
shooting ourselves in the foot by making it harder to spot these cases
using existing tools.

Fall-through is uncommon, and it's not a big price to carry these
comments when the gain is so clear. The most "ugly" cases of these are
when the switch statement is _entirely_ fall-through (usually for
bit-width processing of some kind), but again, they're rare in the
grand scheme of things.

-Kees

-- 
Kees Cook
Pixel Security
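
The two marking styles debated in this thread, side by side on an entirely fall-through switch, as an added example that is not part of the original message or of the kernel source. The names `pack_tail_comment`, `pack_tail_attr` and `sample` are hypothetical, and the attribute is written in statement form (`fallthrough;`) because GCC documents it as applying to a null statement; with GCC 7 or later, `-Wextra` enables `-Wimplicit-fallthrough`, which accepts either marking.

```c
/* Added example, not code from the thread. Build: cc -Wextra tail.c */
#include <stddef.h>
#include <stdint.h>

/* Attribute form of the quoted proposal; GCC 7+ takes it as a statement. */
#if defined(__GNUC__) && __GNUC__ >= 7
# define fallthrough __attribute__((fallthrough))
#else
# define fallthrough do { } while (0) /* no-op on other compilers */
#endif

static const uint8_t sample[4] = { 0x11, 0x22, 0x33, 0x44 }; /* constructed */

/* Pack the last 0..4 bytes little-endian; each case is comment-marked. */
uint32_t pack_tail_comment(const uint8_t *p, size_t len)
{
	uint32_t v = 0;
	switch (len) {	/* lengths outside 1..4 yield 0 */
	case 4:
		v |= (uint32_t)p[3] << 24;
		/* fall through */
	case 3:
		v |= (uint32_t)p[2] << 16;
		/* fall through */
	case 2:
		v |= (uint32_t)p[1] << 8;
		/* fall through */
	case 1:
		v |= p[0];
	}
	return v;
}

/* Same switch, marked with the attribute instead of comments. */
uint32_t pack_tail_attr(const uint8_t *p, size_t len)
{
	uint32_t v = 0;
	switch (len) {
	case 4: v |= (uint32_t)p[3] << 24; fallthrough;
	case 3: v |= (uint32_t)p[2] << 16; fallthrough;
	case 2: v |= (uint32_t)p[1] << 8;  fallthrough;
	case 1: v |= p[0];
	}
	return v;
}

int main(void)
{
	/* Exit status 0 when both markings produce the same result. */
	return pack_tail_comment(sample, 3) != pack_tail_attr(sample, 3);
}
```

Deleting any one marker from either function makes GCC report the now-unannotated case under `-Wimplicit-fallthrough`, which is how an accidentally missing `break` gets caught.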