Re: [PATCH -rcu] asm-generic, kcsan: Add KCSAN instrumentation for bitops

From: Arnd Bergmann
Date: Fri Jan 17 2020 - 07:25:30 EST

Next message: David Gibson: "Re: [RFC PATCH 1/3] dtc: Add dtb build information option"
Previous message: kbuild test robot: "[tip:x86/cpu] BUILD SUCCESS bb02e2cb715a3f3552dbe765ea4a07799e4dff43"
Next in thread: Marco Elver: "Re: [PATCH -rcu] asm-generic, kcsan: Add KCSAN instrumentation for bitops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jan 15, 2020 at 9:50 PM Marco Elver <elver@xxxxxxxxxx> wrote:
> On Wed, 15 Jan 2020 at 20:55, Arnd Bergmann <arnd@xxxxxxxx> wrote:
> > On Wed, Jan 15, 2020 at 8:51 PM Marco Elver <elver@xxxxxxxxxx> wrote:
> > > On Wed, 15 Jan 2020 at 20:27, Arnd Bergmann <arnd@xxxxxxxx> wrote:
> > Are there any that really just want kasan_check_write() but not one
> > of the kcsan checks?
>
> If I understood correctly, this suggestion would amount to introducing
> a new header, e.g. 'ksan-checks.h', that provides unified generic
> checks. For completeness, we will also need to consider reads. Since
> KCSAN provides 4 check variants ({read,write} x {plain,atomic}), we
> will need 4 generic check variants.

Yes, that was the idea.

> I certainly do not feel comfortable blindly introducing kcsan_checks
> in all places where we have kasan_checks, but it may be worthwhile
> adding this infrastructure and starting with atomic-instrumented and
> bitops-instrumented wrappers. The other locations you list above would
> need to be evaluated on a case-by-case basis to check if we want to
> report data races for those accesses.

I think the main question to answer is whether it is more likely to go
wrong because we are missing checks when one caller accidentally
only has one but not the other, or whether they go wrong because
we accidentally check both when we should only be checking one.

My guess would be that the first one is more likely to happen, but
the second one is more likely to cause problems when it happens.

> As a minor data point, {READ,WRITE}_ONCE in compiler.h currently only
> has kcsan_checks and not kasan_checks.

Right. This is because we want an explicit "atomic" check for kcsan
but we want to have the function inlined for kasan, right?

> My personal preference would be to keep the various checks explicit,
> clearly opting into either KCSAN and/or KASAN. Since I do not think
> it's obvious if we want both for the existing and potentially new
> locations (in future), the potential for error by blindly using a
> generic 'ksan_check' appears worse than potentially adding a dozen
> lines or so.
>
> Let me know if you'd like to proceed with 'ksan-checks.h'.

Could you have a look at the files I listed and see if there are any
other examples that probably a different set of checks between the
two, besides the READ_ONCE() example?

If you can't find any, I would prefer having the simpler interface
with just one set of annotations.

Arnd

Next message: David Gibson: "Re: [RFC PATCH 1/3] dtc: Add dtb build information option"
Previous message: kbuild test robot: "[tip:x86/cpu] BUILD SUCCESS bb02e2cb715a3f3552dbe765ea4a07799e4dff43"
Next in thread: Marco Elver: "Re: [PATCH -rcu] asm-generic, kcsan: Add KCSAN instrumentation for bitops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]