From: Linus Torvalds <torvalds@transmeta.com>
To: Jamie Lokier <lk@tantalophile.demon.co.uk>
Cc: Ion Badulescu <ionut@cs.columbia.edu>, <linux-kernel@vger.kernel.org>
Subject: Re: [IDEA+RFC] Possible solution for min()/max() war
Date: Fri, 31 Aug 2001 06:54:13 -0700 (PDT)
Message-ID: <Pine.LNX.4.33.0108310641320.15502-100000@penguin.transmeta.com>
In-Reply-To: <20010831133750.A25128@thefinal.cern.ch>


On Fri, 31 Aug 2001, Jamie Lokier wrote:
>
> While I agree with Linus that the above line is ugly, there is a problem
> with the original line:
>
>     if (len <= sizeof(short) || len > sizeof(*sunaddr))
>
> The problem?  Thinking this is natural, suppose you decide you only need
> to check len against sizeof(short), perhaps here, perhaps copying this
> idea to another part of the program:
>
>     if (len <= sizeof(short))
>
> _This_ code has a bug.

I agree.

The difference is subtle, and maybe too subtle.

The fact is that _ranges_ are "stable" in different types. If a value "x"
is in the range [a,b] in type A, then it will also be in range [a,b] in
type B (assuming, of course, that 'a' and 'b' are valid values in both
types).

This is why range comparisons are different from normal comparisons.

But C doesn't have the notion of a range, which is why you can't write
(while lots of people have _tried_ to write, including in the kernel)

	a < x < b
or
	x in [a,b]

or similar. So you end up having to use a more "complex" setup, where the
individual parts might not be safe even though the totality is safe.

In fact, if gcc never becomes good enough to do that kind of range
checking, I won't be _too_ unhappy. I selected a special example on bad
grounds - it's not actually the most common case of range checking, and
the most common case by far tends to be something like

	if (len < 0)
		return -EINVAL;

	if (len > sizeof(buffer))
		len = sizeof(buffer);

	copy_from_user(buffer, ..., len);

where the operation is safe for _another_ range check reason, namely the
fact that we check that "len" is within the domain of the second check.

Right now gcc will complain about the second comparison, exactly because
gcc does not do range analysis.

Now, the good news is that gcc people have already worked on range
analysis, because it is very useful for other things too (not the least of
which is optimization). So I bet gcc _will_ be able to do a much better
job of this in the future, and if we have to help it by hand in only a few
places, then that will be a good thing.

However, right now gcc complains _way_ too much about perfectly valid and
good code. If it was a few small cases, I'd be happy to fix them in the
kernel. But last time I tried -Wsign-compare, the false positives were
just too damn numerous.

(Now, we may have fixed some of them anyway, and I haven't tried it in a
_loong_ time. If somebody decides to try to see what happens if you try to
clean them up, that would probably not be a bad idea per se. Proving me
wrong is always a good sport ;)

			Linus
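The signed/unsigned subtlety behind the two checks discussed above, as an added C example that is not part of Linus's or Jamie's message: `struct sun_like` is a constructed stand-in for the struct behind `*sunaddr`, and `-1` stands in for `-EINVAL`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the sockaddr struct behind *sunaddr in the thread. */
struct sun_like {
    unsigned short family;
    char path[108];
};

/* The full range check quoted in the thread. `len` is a signed int but
 * sizeof() yields size_t, so in both comparisons len is converted to
 * size_t: a negative len becomes a huge unsigned value, fails the first
 * arm, and is caught by the second. Returns true when len is rejected. */
bool full_range_rejects(int len)
{
    return len <= sizeof(short) || len > sizeof(struct sun_like);
}

/* The first arm copied on its own, as Jamie's example does. The same
 * conversion now works against us: (size_t)-1 <= sizeof(short) is
 * false, so a negative len passes as if it were a valid length. */
bool half_check_rejects(int len)
{
    return len <= sizeof(short);
}

/* The two-step form Linus calls the common case. The sign test is a
 * signed comparison, so len is known non-negative before it meets
 * sizeof(); the explicit cast records the conversion gcc would warn
 * about. Returns -1 (standing in for -EINVAL) or the clamped length. */
int clamp_len(int len, size_t bufsize)
{
    if (len < 0)
        return -1;
    if ((size_t)len > bufsize)
        len = (int)bufsize;
    return len;
}

int main(void)
{
    int probes[] = { -1, 0, 1, 3, 200 };   /* constructed sample lengths */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("len=%4d  full:%d  half:%d  clamp:%d\n", probes[i],
               full_range_rejects(probes[i]), half_check_rejects(probes[i]),
               clamp_len(probes[i], sizeof(struct sun_like)));
    return 0;
}
```

The `half:0` line for `len=-1` is the bug Jamie describes; the full check and the two-step form both reject it.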

