Re: [PATCH v2 2/2] linux/bits.h: Add compile time sanity check of GENMASK inputs

From: Joe Perches
Date: Thu Aug 01 2019 - 19:14:18 EST

Next message: Michael Chan: "Re: [PATCH 2/2] cnic: Use refcount_t for refcount"
Previous message: Leonardo Bras: "[PATCH 1/1] pseries/hotplug-memory.c: Change rc variable to bool"
In reply to: Rikard Falkeborn: "[PATCH v2 2/2] linux/bits.h: Add compile time sanity check of GENMASK inputs"
Next in thread: Guenter Roeck: "Re: [PATCH v2 2/2] linux/bits.h: Add compile time sanity check of GENMASK inputs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2019-08-02 at 01:03 +0200, Rikard Falkeborn wrote:
> GENMASK() and GENMASK_ULL() are supposed to be called with the high bit
> as the first argument and the low bit as the second argument. Mixing
> them will return a mask with zero bits set.
>
> Recent commits show getting this wrong is not uncommon, see e.g.
> commit aa4c0c9091b0 ("net: stmmac: Fix misuses of GENMASK macro") and
> commit 9bdd7bb3a844 ("clocksource/drivers/npcm: Fix misuse of GENMASK
> macro").
>
> To prevent such mistakes from appearing again, add compile time sanity
> checking to the arguments of GENMASK() and GENMASK_ULL(). If both the
> arguments are known at compile time, and the low bit is higher than the
> high bit, break the build to detect the mistake immediately.
>
> Since GENMASK() is used in declarations, BUILD_BUG_ON_ZERO() must be
> used instead of BUILD_BUG_ON(), and __is_constexpr() must be used instead
> of __builtin_constant_p().
>
> If successful, BUILD_BUG_OR_ZERO() returns 0 of type size_t. To avoid
> problems with implicit conversions, cast the result of BUILD_BUG_OR_ZERO
> to unsigned long.
>
> Since both BUILD_BUG_ON_ZERO() and __is_constexpr() only uses sizeof()
> on the arguments passed to them, neither of them evaluate the expression
> unless it is a VLA. Therefore, GENMASK(1, x++) still behaves as
> expected.
>
> Commit 95b980d62d52 ("linux/bits.h: make BIT(), GENMASK(), and friends
> available in assembly") made the macros in linux/bits.h available in
> assembly. Since neither BUILD_BUG_OR_ZERO() or __is_constexpr() are asm
> compatible, disable the checks if the file is included in an asm file.
>
> Signed-off-by: Rikard Falkeborn <rikard.falkeborn@xxxxxxxxx>
> ---
> Changes in v2:
> - Add comment about why inputs are not checked when used in asm file
> - Use UL(0) instead of 0
> - Extract mask creation in a separate macro to improve readability
> - Use high and low instead of h and l (part of this was extracted to a
> separate patch)
> - Updated commit message
>
> Joe Perches sent a series to fix the existing misuses of GENMASK() that
> needs to be merged before this to avoid build failures. Currently, 6 of
> the patches are not in Linus tree, and 2 are not in linux-next.

Thanks Rikard.

It wouldn't surprise me if this change finds more misuses
as the compiler will perform substitutions on #define
values where the search I did was just for decimal uses.

For instance, this new macro should build error on:

#define FOO 5
#define BAR 6

GENMASK(FOO, BAR)

Next message: Michael Chan: "Re: [PATCH 2/2] cnic: Use refcount_t for refcount"
Previous message: Leonardo Bras: "[PATCH 1/1] pseries/hotplug-memory.c: Change rc variable to bool"
In reply to: Rikard Falkeborn: "[PATCH v2 2/2] linux/bits.h: Add compile time sanity check of GENMASK inputs"
Next in thread: Guenter Roeck: "Re: [PATCH v2 2/2] linux/bits.h: Add compile time sanity check of GENMASK inputs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]