Re: better patch for linux/bitops.h

From: H. Peter Anvin
Date: Thu May 05 2016 - 02:35:56 EST

On 05/04/16 21:03, Jeffrey Walton wrote:
On Wed, May 4, 2016 at 11:50 PM, Theodore Ts'o <tytso@xxxxxxx> wrote:
But instead of arguing over what works and doesn't, let's just create
the test set and just try it on a wide range of compilers and
architectures, hmmm?

What are the requirements? Here's a short list:

* No undefined behavior
  - important because the compiler writers use the C standard
* Compiles to native "rotate IMMEDIATE" if the rotate amount is a
  "constant expression" and the machine provides it
  - translates to a native rotate instruction if available
  - "rotate IMM" can be 3 times faster than "rotate REG"
  - do any architectures *not* provide a rotate?
* Compiles to native "rotate REGISTER" if the rotate is variable and
  the machine provides it
  - do any architectures *not* provide a rotate?
* Constant time
  - important to high-integrity code
  - Non-security code paths probably don't care

Maybe the first thing to do is provide different rotates for the
constant-time requirement when it's in effect?

The disagreement here is the priority between these points. In my very strong opinion, "no undefined behavior" per the C standard is way less important than the others; what matters is what gcc and the other compilers we care about do. The kernel relies on various versions of C-standard-undefined behavior *all over the place*; for one thing sizeof(void *) == sizeof(size_t) == sizeof(unsigned long)!! but they are well-defined in the subcontext we care about.

(And no, not all architectures provide a rotate instruction.)
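
The "test set" proposed in the thread, sketched as an added example (not code from this message or from the kernel): a 32-bit left rotate written in the naive form, whose shift by 32 at n == 0 is undefined in C, and in a masked, branch-free form, both compared against a bit-at-a-time reference. The function names are hypothetical and the inputs are constructed; the harness checks results only, so whether a given compiler emits a native rotate instruction still has to be read from its assembly output.

```c
#include <stdint.h>
#include <stdio.h>

/* Naive form: for n == 0 the right shift count is 32, which is undefined
 * for a 32-bit operand. Only valid for 1 <= n <= 31. */
static uint32_t rol32_naive(uint32_t x, unsigned n)
{
    return (x << n) | (x >> (32 - n));
}

/* Masked form: both shift counts stay in 0..31 for every n, no branch.
 * -n on an unsigned value is well-defined modular arithmetic. */
static uint32_t rol32_masked(uint32_t x, unsigned n)
{
    return (x << (n & 31)) | (x >> (-n & 31));
}

/* Reference: rotate one bit at a time, never shifting by more than 31. */
static uint32_t rol32_ref(uint32_t x, unsigned n)
{
    for (n &= 31; n; n--)
        x = (x << 1) | (x >> 31);
    return x;
}

/* Count mismatches against the reference for shift counts lo..hi. */
static int rol32_check(uint32_t (*fn)(uint32_t, unsigned),
                       unsigned lo, unsigned hi)
{
    /* Constructed sample values, chosen to exercise the top and bottom bits. */
    static const uint32_t samples[] = {
        0, 1, 0x80000000u, 0xdeadbeefu, 0xffffffffu, 0x12345678u
    };
    int bad = 0;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        for (unsigned n = lo; n <= hi; n++)
            if (fn(samples[i], n) != rol32_ref(samples[i], n))
                bad++;
    return bad;
}

int main(void)
{
    /* The naive form is never called with n == 0, to keep the harness UB-free. */
    printf("masked, n=0..63: %d mismatches\n", rol32_check(rol32_masked, 0, 63));
    printf("naive,  n=1..31: %d mismatches\n", rol32_check(rol32_naive, 1, 31));
    return 0;
}
```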