Re: C aggregate passing (Rust kernel policy)

From: David Laight
Date: Wed Feb 26 2025 - 17:54:28 EST


On Wed, 26 Feb 2025 13:21:41 -0800
Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> On Wed, 26 Feb 2025 at 13:14, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > That "single read done as multiple reads" is sadly still accepted by
> > the C standard, as far as I can tell. Because the standard still
> > considers it "unobservable" unless I've missed some update.
>
> I want to clarify that I'm talking about perfectly normal and entirely
> unannotated variable accesses.
>
> Don't say "programmers should annotate their special accesses with
> volatile if they want to avoid compiler-introduced TOCTOU issues".
>
> Having humans have to work around failures in the language is not the way to go.
>
> Particularly when there isn't even any advantage to it. I'm pretty
> sure neither clang nor gcc actually rematerialize reads from memory,

I thought some of the very early READ_ONCE() were added because there
was an actual problem with the generated code.
But it has got entirely silly.
In many cases gcc will generate an extra register-register transfer
for a volatile read - I've seen it do a byte read, a register move and
then an AND with 0xff.
I think adding a separate memory barrier would stop the read being
rematerialized - but you also need to stop it doing (for example)
two byte accesses for a 16-bit variable - arm32 has a limited offset
for 16-bit memory accesses, so the compiler might be tempted to do
two byte writes.

David
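The check-then-use hazard discussed in this thread, as an added example that is not part of the original message or of the kernel's own code: a plain double read of a shared index beside a single READ_ONCE()-style snapshot. The simplified macros, the table, the index and the writer thread are constructed for illustration, and the racing volatile access assumes the kernel's memory model rather than strict ISO C.

```c
#include <pthread.h>
/* Simplified READ_ONCE()/WRITE_ONCE() (constructed, not the kernel's full
 * macros): the volatile cast forces one full-width access, never repeated
 * or split into narrower loads. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

enum { TABLE_LEN = 4 };
static const int table[TABLE_LEN] = { 10, 20, 30, 40 };
static unsigned shared_idx;   /* written concurrently by another thread */

/* "Before": check and use each name shared_idx; the standard lets the
 * compiler load it twice, so the value checked need not be the value
 * used as the index: a compiler-introduced TOCTOU. */
int lookup_unsafe(void)
{
    if (shared_idx < TABLE_LEN)
        return table[shared_idx];
    return -1;
}

/* "After": one snapshot through READ_ONCE() is both checked and used. */
int lookup_safe(void)
{
    unsigned i = READ_ONCE(shared_idx);
    if (i < TABLE_LEN)
        return table[i];
    return -1;
}

static void *writer(void *arg)
{
    for (long n = 0; n < (long)arg; n++)  /* flip in-range / far out-of-range */
        WRITE_ONCE(shared_idx, (n & 1) ? 0u : 0xFFFFFFFFu);
    return NULL;
}

/* Race lookup_safe() against the writer; count results that are neither
 * table[0] nor -1. The single-snapshot version can never produce one. */
long count_bad_results(long iters)
{
    pthread_t t;
    long bad = 0;
    pthread_create(&t, NULL, writer, (void *)iters);
    for (long n = 0; n < iters; n++) {
        int r = lookup_safe();
        if (r != table[0] && r != -1)
            bad++;
    }
    pthread_join(t, NULL);
    return bad;
}
```

Whether lookup_unsafe() actually misbehaves depends on the compiler choosing to re-read, which gcc and clang rarely do in practice; the point is that lookup_safe() is correct by construction regardless.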