Re: [GIT PULL] Enable -Wimplicit-fallthrough for Clang for 5.14-rc7

From: Nathan Chancellor <nathan@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	linux-hardening@vger.kernel.org
Subject: Re: [GIT PULL] Enable -Wimplicit-fallthrough for Clang for 5.14-rc7
Date: Thu, 19 Aug 2021 13:17:54 -0700	[thread overview]
Message-ID: <9ef3265b-a5e7-d21b-68a8-ad137ac6ebfd@kernel.org> (raw)
In-Reply-To: <CAHk-=whXUJbqhjkRSjOQ2Tm5OmyKv3_JUTh8pxxvykGaC+fM0Q@mail.gmail.com>

On 8/19/2021 12:19 PM, Linus Torvalds wrote:
> On Wed, Aug 18, 2021 at 9:02 PM Gustavo A. R. Silva
> <gustavoars@kernel.org> wrote:
>>
>> Enable -Wimplicit-fallthrough for Clang for 5.14-rc7
> 
> No. Much too late in the release, particularly knowing that we have
> Clang pre-releases that claim to be 14.0.0 and get this wrong.
> 
> So no way does this happen like this.
> 
> That's doubly true since the clang support for this all adds exactly
> _zero_ upside, only downside: we made the gcc checks be stricter, and
> gcc ends up having (a) more wide coverage and (b) doesn't have the
> bugs clang has.

For what it's worth, clang's version of -Wimplicit-fallthrough would 
have caught the bug in commit 652b44453ea9 ("habanalabs/gaudi: fix 
missing code in ECC handling"). Yes, small fix in the sea of patches 
that were needed to address clang's more pedantic version of the warning 
but this version of the warning is completely in line with the kernel's 
stance of switch statements in Documentation/process/deprecated.rst:

"All switch/case blocks must end in one of:

* break;
* fallthrough;
* continue;
* goto <label>;
* return [expression];"

> Honestly, I think the clang "version 14 or more" check is simply
> buggy. We *know* that check fails. Don't do it.
> 
> Make it "strictly more than 14.0.0" which hopefully doesn't fail, is
> cheap and easy, and which will make clang work correctly in the not
> too distant future.

Just to give some more context, Clang is not like GCC where x.0.0 is the 
development version and x.1.0 is the stable release. The first stable 
version of clang-14 will be clang 14.0.0 when it is released, just as it 
is now, so making it "strictly more than 14.0.0" will just delay 
enabling this even more despite the issue being fixed now. Intel already 
upgraded the clang they use for testing to one that is fixed and Mark 
Brown said Arm does testing with clang-14 but they regularly upgrade as 
well. Nobody should get bitten by this check in its current form unless 
they are not upgrading their development version of clang but in that 
case, they are doing it wrong to begin with in my opinion (would it not 
be the same as someone using v5.13-rc1 when v5.13-rc6 is out?)

If we waited until the next merge window, that would certainly give 
various entities enough time to upgrade their pre-release versions.

However, if you are truly opposed to a version check, can we at least 
just check for the presence of -Wunreachable-code-fallthrough as I 
suggested before? Yes, it is slightly more expensive as we have to call 
the compiler rather than using make builtins but then your concern of 
-Wimplicit-fallthrough getting enabled when it is buggy is completely 
addressed and people who have a fixed toolchain get access to the 
warning now.

Cheers,
Nathan