[coreboot] [RFC] Fix undefined behavior with left shifts in whole code base
rminnich at gmail.com
Tue Apr 3 18:47:32 CEST 2018
I refer you to the following code:
* structure to access an
* integer in bytes
What's the point? The point is code linke this:
lpr = (tp->t_speeds.hibyte<<10) ...
note how we're treating t_speeds like it's that anon struct above. how's
that happen? What's t_speeds?
int t_speeds; /* output+input line speed */
Wait, what? I could just take an int variable, then use an anon struct to
break it into bits? Yes, I could. This is C, 1976.
The point is, C changes over time, and so does how you use it. At some
point people realized this model was kind of dangerous, and over the
objections of many people, the inconvenience of type checking came in. The
changes in C are so pervasive that when Dennis checked, years later, the
original C compilers ... were no longer C. They would not compile.
The rule over the years is that you should always err in favor of compiler
level checking of your code, even when it adds lots of inconvenience, as
people make mistakes.
So I would actually be in favor of what paul is advocating, but not the
inconistency. To keep it consistent, I don't see that just using 1U
everywhere is that huge a deal. C is not that pretty any more, so this
little bit of ugliness doesn't strike me as a big deal. Bugs from stuff
like 3<<31 scare me more.
Just my $.02
On Fri, Feb 16, 2018 at 2:38 PM Julius Werner <jwerner at chromium.org> wrote:
> I’d really like to *enable as much warnings* as possible to let the
>> build tools *catch as much errors as possible*, and having to adapt the
>> code to work with this is in my opinion worth the effort.
> This is not just a question of whether we want to spend the one-time
> effort to adapt the code. It will be a constant readability issue going
> forward. Almost no project out there writes shifts like that and almost no
> programmer is used to reading them like that. I agree that automated
> sanitizer coverage is a very good thing, but it is not the only thing that
> matters. If a sanitizer tool forces us two rewrite code in a way that
> creates serious friction for day-to-day development, then maybe we need to
> wait until the authors of that tool add options to make it less aggressive
> in that regard. GCC has already recognized the insanity of reporting that
> construct as an error every time and thus given us the -Wshift-overflow=1 /
> -Wshift-overflow=2 distinction, so I hope the UBSAN guys may eventually get
> there as well.
> For now, I think we should deactivate the whole shift test (I'm not an
> UBSAN expert but from the documentation it sounds like
> -fno-sanitize=shift-base should work), and then we'll still get the vast
> majority of coverage without imposing excessive hoops to jump through onto
> coreboot mailing list: coreboot at coreboot.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the coreboot