RE: [PATCH v3 5/5] minmax: Relax check to allow comparison between int and small unsigned constants.

From: David Laight
Date: Mon Aug 07 2023 - 06:50:28 EST

Next message: Mike Rapoport: "Re: [PATCH] Documentation/page_tables: Add info about MMU/TLB and Page Faults"
Previous message: Shradha Gupta: "[PATCH net-next] net: mana: Add gdma stats to ethtool output for mana"
In reply to: Linus Torvalds: "Re: [PATCH v3 5/5] minmax: Relax check to allow comparison between int and small unsigned constants."
Next in thread: Linus Torvalds: "Re: [PATCH v3 5/5] minmax: Relax check to allow comparison between int and small unsigned constants."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Linus Torvalds
> Sent: 04 August 2023 19:14
>
> On Fri, 4 Aug 2023 at 03:56, David Laight <David.Laight@xxxxxxxxxx> wrote:
> >
> > Convert constants between 0 and INT_MAX to 'int' prior to comparisons
> > so that min(signed_var, 20u) and, more commonly, min(signed_var, sizeof())
> > are both valid.
>
> I really think this whole series is broken.
>
> What does the "are both valid" even *MEAN*?

To my mind the value of min(variable, TWENTY) shouldn't depend
on how TWENTY is defined regardless of the type of the variable.
So 20, 20u, 20l, 20ul, (char)20, sizeof (foo), offsetof(x, y)
should all be equally valid and all generate the same result.

Note that the patches still reject min(unsigned_var, -1),
min(signed_var, 0x80000000u) and min(signed_var, unsigned_var)
(unless the unsigned_var is char/short).

It isn't as though all the constants really have the 'correct'
type. I found one clamp(val, MIN_FOO, MAX_FOO) where MIN_FOO
was 20 and MAX_FOO an expression including sizeof().

One of the problems I'm trying to solve is that pretty much
no one seems to have gone back through the definitions to
fix a type error reported by min(), what always happens is
they decide the answer is min_t().

Unfortunately it is all too easy to pick the wrong type.
With a = min(b, limit) often typeof(a) is picked or, even
worse, typeof(b) without any regard for whether that can
truncate 'limit'.
In essence the casting done in min_t() is really worse than
having a min() that doesn't to the type check at all.
Both are likely to convert negative values to large positive
ones, but min_t() can also mask off high bits.

I've found all sorts of dubious min_t() while writing these patches.
One in a filesystem was min_t(ulong, ulong_var, u64_var) and I
couldn't convince myself it was right on 32bit.

Checking that both values have the same signedness (patch 3)
removes a lot of the requirements for min_t().
In particular it allows min(uint_var, sizeof ()).

Re-checking with unsigned char/short promoted to int (as happens
pretty much as soon as you breath on the value).
This means that checks of char structure members are likely
to be accepted without likely incorrect '& 0xff) being
applied to the other value by a min_t(u8, a, b).

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Next message: Mike Rapoport: "Re: [PATCH] Documentation/page_tables: Add info about MMU/TLB and Page Faults"
Previous message: Shradha Gupta: "[PATCH net-next] net: mana: Add gdma stats to ethtool output for mana"
In reply to: Linus Torvalds: "Re: [PATCH v3 5/5] minmax: Relax check to allow comparison between int and small unsigned constants."
Next in thread: Linus Torvalds: "Re: [PATCH v3 5/5] minmax: Relax check to allow comparison between int and small unsigned constants."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]