Re: [PATCH v4 1/3] math.h: add DIV_ROUND_UP_NO_OVERFLOW

From: Linus Torvalds
Date: Wed Oct 25 2023 - 13:37:33 EST

Next message: Rafael J. Wysocki: "Re: PIC probing code from e179f6914152 failing"
Previous message: Catalin Marinas: "Re: [PATCH] arm64: pi: add early_map_kernel prototype"
In reply to: Rasmus Villemoes: "Re: [PATCH v4 1/3] math.h: add DIV_ROUND_UP_NO_OVERFLOW"
Next in thread: David Laight: "RE: [PATCH v4 1/3] math.h: add DIV_ROUND_UP_NO_OVERFLOW"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 24 Oct 2023 at 22:03, Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx> wrote:
>
> Both the existing and new implementation are simply wrong for negative
> n, because / doesn't do floor(), it does round-towards-0 (I do believe
> that's a bug in the C standard, but not much one can do about that).

Honestly, while I found several cases where the arithmetic was done
with a signed type, all the ones I looked at were purely about the
_type_, not the values.

Any actual negative values would have been too random before to make a
difference. In that patch, I tried to keep the signed type around
mainly to at least get *similar* values to the old code, but honestly,
it was all broken before already if the values were actually signed.

If it were to change the result and somebody would find a bug due to
that, that would be a good thing, in other words. The negative value
would need to be fixed anyway - as you say, integer division of signed
values is simply not rgeat in the first place.

Side note: if you dislike the "round towards zero" behavior, I can
tell you that it is better than the historical alternative, which was
"implementation defined".

IIRC, the rule used to be that signed division could either round down
or towards zero, and the only rule was that (a) it had to be
documented (ie "implementation defined" rather than "undefined") and
(b) the modulus had to follow the same rules, ie regardless of
rounding, you'd have

(a/b)*b + a%b = a

That said:

> Preventing signed types from being used is probably too difficult.

It might not be. My horror with _Generic() is certainly not pretty,
but it *does* have the advantage that we could error out for signed
cases.

I did that initially, and it didn't look horrific, particularly if you
just accept signed positive constants as unsigned values (which
requires another bit of macro magic but is not conceptually hard).

The patch I sent out was not it, though - it was meant really as a
minimal "something like this" that still compiled my defconfig.

> Aside: I don't think uapi/ stuff can include non-uapi/ stuff.

Yeah, no, I left it in that uapi header just for the same reason I
didn't bother trying to fix any signed type cases - actively avoiding
changes *outside* the DIV_ROUND_UP() case itself.

In reality, I'd just make any users of __KERNEL_DIV_ROUND_UP include
<linux/div_round_up.h> and get rid of the crazy UAPI thing entirely.

So ignore that part.

> Aside2: do_div(n-1, d); probably doesn't compile :)

.. I did say it was untested and "might approach being correct".

That 32-bit ULL case should also have some attempt at checking that
the divisor really fits in 32 bits. Because I still refuse to believe
that the full 64-by-64 divisions are sane on a 32-bit machine, and
anybody who does that needs to go to extra lengths for them. No
"silently do them without telling the programmer they are doing
something horrendously bad".

Linus

Next message: Rafael J. Wysocki: "Re: PIC probing code from e179f6914152 failing"
Previous message: Catalin Marinas: "Re: [PATCH] arm64: pi: add early_map_kernel prototype"
In reply to: Rasmus Villemoes: "Re: [PATCH v4 1/3] math.h: add DIV_ROUND_UP_NO_OVERFLOW"
Next in thread: David Laight: "RE: [PATCH v4 1/3] math.h: add DIV_ROUND_UP_NO_OVERFLOW"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]