* [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions
2022-05-19 17:21 [PATCH v1 0/2] nolibc updates for Linux 5.20 Ammar Faizi
@ 2022-05-19 17:21 ` Ammar Faizi
2022-05-20 4:19 ` Willy Tarreau
2022-05-20 11:29 ` Alviro Iskandar Setiawan
2022-05-19 17:21 ` [PATCH v1 2/2] tools/nolibc/stdio: Add format attribute to enable printf warnings Ammar Faizi
2022-05-20 4:23 ` [PATCH v1 0/2] nolibc updates for Linux 5.20 Willy Tarreau
2 siblings, 2 replies; 8+ messages in thread
From: Ammar Faizi @ 2022-05-19 17:21 UTC (permalink / raw)
To: Paul E. McKenney, Willy Tarreau
Cc: Ammar Faizi, Alviro Iskandar Setiawan, Linux Kernel Mailing List,
GNU/Weeb Mailing List, Facebook Kernel Team
Previously, we used __builtin_mul_overflow() to check for overflow in
the multiplication operation in the calloc() function. However, older
compiler versions don't support this built-in. This patch changes the
overflow checking mechanism to make it work on any compiler version
by using a division method to check for overflow. No functional change
intended. While in there, remove the unused variable `void *orig`.
Link: https://lore.kernel.org/lkml/[email protected]
Suggested-by: Willy Tarreau <[email protected]>
Cc: Alviro Iskandar Setiawan <[email protected]>
Signed-off-by: Ammar Faizi <[email protected]>
---
tools/include/nolibc/stdlib.h | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/tools/include/nolibc/stdlib.h b/tools/include/nolibc/stdlib.h
index 8fd32eaf8037..92378c4b9660 100644
--- a/tools/include/nolibc/stdlib.h
+++ b/tools/include/nolibc/stdlib.h
@@ -128,10 +128,9 @@ void *malloc(size_t len)
static __attribute__((unused))
void *calloc(size_t size, size_t nmemb)
{
- void *orig;
- size_t res = 0;
+ size_t x = size * nmemb;
- if (__builtin_expect(__builtin_mul_overflow(nmemb, size, &res), 0)) {
+ if (__builtin_expect(size && ((x / size) != nmemb), 0)) {
SET_ERRNO(ENOMEM);
return NULL;
}
@@ -140,7 +139,7 @@ void *calloc(size_t size, size_t nmemb)
* No need to zero the heap, the MAP_ANONYMOUS in malloc()
* already does it.
*/
- return malloc(res);
+ return malloc(x);
}
static __attribute__((unused))
--
Ammar Faizi
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions
2022-05-19 17:21 ` [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions Ammar Faizi
@ 2022-05-20 4:19 ` Willy Tarreau
2022-05-20 11:29 ` Alviro Iskandar Setiawan
1 sibling, 0 replies; 8+ messages in thread
From: Willy Tarreau @ 2022-05-20 4:19 UTC (permalink / raw)
To: Ammar Faizi
Cc: Paul E. McKenney, Alviro Iskandar Setiawan,
Linux Kernel Mailing List, GNU/Weeb Mailing List,
Facebook Kernel Team
Hi Ammar,
On Fri, May 20, 2022 at 12:21:15AM +0700, Ammar Faizi wrote:
> diff --git a/tools/include/nolibc/stdlib.h b/tools/include/nolibc/stdlib.h
> index 8fd32eaf8037..92378c4b9660 100644
> --- a/tools/include/nolibc/stdlib.h
> +++ b/tools/include/nolibc/stdlib.h
> @@ -128,10 +128,9 @@ void *malloc(size_t len)
> static __attribute__((unused))
> void *calloc(size_t size, size_t nmemb)
> {
> - void *orig;
> - size_t res = 0;
> + size_t x = size * nmemb;
>
> - if (__builtin_expect(__builtin_mul_overflow(nmemb, size, &res), 0)) {
> + if (__builtin_expect(size && ((x / size) != nmemb), 0)) {
Ah, that approach is even better than mine, I'm seeing that on x86 the
compiler simply checks the overflow flag after the multiply, that's
perfect!
Acked-by: Willy Tarreau <[email protected]>
Willy
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions
2022-05-19 17:21 ` [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions Ammar Faizi
2022-05-20 4:19 ` Willy Tarreau
@ 2022-05-20 11:29 ` Alviro Iskandar Setiawan
2022-05-20 17:32 ` Paul E. McKenney
1 sibling, 1 reply; 8+ messages in thread
From: Alviro Iskandar Setiawan @ 2022-05-20 11:29 UTC (permalink / raw)
To: Ammar Faizi
Cc: Paul E. McKenney, Willy Tarreau, Linux Kernel Mailing List,
GNU/Weeb Mailing List, Facebook Kernel Team
On Fri, May 20, 2022 at 12:21 AM Ammar Faizi <[email protected]> wrote:
> Previously, we used __builtin_mul_overflow() to check for overflow in
> the multiplication operation in the calloc() function. However, older
> compiler versions don't support this built-in. This patch changes the
> overflow checking mechanism to make it work on any compiler version
> by using a division method to check for overflow. No functional change
> intended. While in there, remove the unused variable `void *orig`.
>
> Link: https://lore.kernel.org/lkml/[email protected]
> Suggested-by: Willy Tarreau <[email protected]>
> Cc: Alviro Iskandar Setiawan <[email protected]>
> Signed-off-by: Ammar Faizi <[email protected]>
Reviewed-by: Alviro Iskandar Setiawan <[email protected]>
tq
-- Viro
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions
2022-05-20 11:29 ` Alviro Iskandar Setiawan
@ 2022-05-20 17:32 ` Paul E. McKenney
0 siblings, 0 replies; 8+ messages in thread
From: Paul E. McKenney @ 2022-05-20 17:32 UTC (permalink / raw)
To: Alviro Iskandar Setiawan
Cc: Ammar Faizi, Willy Tarreau, Linux Kernel Mailing List,
GNU/Weeb Mailing List, Facebook Kernel Team
On Fri, May 20, 2022 at 06:29:56PM +0700, Alviro Iskandar Setiawan wrote:
> On Fri, May 20, 2022 at 12:21 AM Ammar Faizi <[email protected]> wrote:
> > Previously, we used __builtin_mul_overflow() to check for overflow in
> > the multiplication operation in the calloc() function. However, older
> > compiler versions don't support this built-in. This patch changes the
> > overflow checking mechanism to make it work on any compiler version
> > by using a division method to check for overflow. No functional change
> > intended. While in there, remove the unused variable `void *orig`.
> >
> > Link: https://lore.kernel.org/lkml/[email protected]
> > Suggested-by: Willy Tarreau <[email protected]>
> > Cc: Alviro Iskandar Setiawan <[email protected]>
> > Signed-off-by: Ammar Faizi <[email protected]>
>
> Reviewed-by: Alviro Iskandar Setiawan <[email protected]>
>
> tq
>
> -- Viro
I have queued both patches with yours and Willy Tarreau's reviews
and acks. Thank you all!
Thanx, Paul
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v1 2/2] tools/nolibc/stdio: Add format attribute to enable printf warnings
2022-05-19 17:21 [PATCH v1 0/2] nolibc updates for Linux 5.20 Ammar Faizi
2022-05-19 17:21 ` [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions Ammar Faizi
@ 2022-05-19 17:21 ` Ammar Faizi
2022-05-20 4:21 ` Willy Tarreau
2022-05-20 4:23 ` [PATCH v1 0/2] nolibc updates for Linux 5.20 Willy Tarreau
2 siblings, 1 reply; 8+ messages in thread
From: Ammar Faizi @ 2022-05-19 17:21 UTC (permalink / raw)
To: Paul E. McKenney, Willy Tarreau
Cc: Alviro Iskandar Setiawan, Ammar Faizi, Linux Kernel Mailing List,
GNU/Weeb Mailing List, Facebook Kernel Team
From: Alviro Iskandar Setiawan <[email protected]>
When we use printf and fprintf functions from the nolibc, we don't
get any warning from the compiler if we have the wrong arguments.
For example, the following calls will compile silently:
```
printf("%s %s\n", "aaa");
fprintf(stdout, "%s %s\n", "xxx", 1);
```
(Note the wrong arguments).
Those calls are undefined behavior. The compiler can help us warn
about the above mistakes by adding a `printf` format attribute to
those functions declaration. This patch adds it, and now it yields
these warnings for those mistakes:
```
warning: format `%s` expects a matching `char *` argument [-Wformat=]
warning: format `%s` expects argument of type `char *`, but argument 4 has type `int` [-Wformat=]
```
[ ammarfaizi2: Simplify the attribute placement. ]
Signed-off-by: Alviro Iskandar Setiawan <[email protected]>
Signed-off-by: Ammar Faizi <[email protected]>
---
tools/include/nolibc/stdio.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/include/nolibc/stdio.h b/tools/include/nolibc/stdio.h
index 15dedf8d0902..a3cebc4bc3ac 100644
--- a/tools/include/nolibc/stdio.h
+++ b/tools/include/nolibc/stdio.h
@@ -273,7 +273,7 @@ int vfprintf(FILE *stream, const char *fmt, va_list args)
return written;
}
-static __attribute__((unused))
+static __attribute__((unused, format(printf, 2, 3)))
int fprintf(FILE *stream, const char *fmt, ...)
{
va_list args;
@@ -285,7 +285,7 @@ int fprintf(FILE *stream, const char *fmt, ...)
return ret;
}
-static __attribute__((unused))
+static __attribute__((unused, format(printf, 1, 2)))
int printf(const char *fmt, ...)
{
va_list args;
--
Ammar Faizi
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH v1 2/2] tools/nolibc/stdio: Add format attribute to enable printf warnings
2022-05-19 17:21 ` [PATCH v1 2/2] tools/nolibc/stdio: Add format attribute to enable printf warnings Ammar Faizi
@ 2022-05-20 4:21 ` Willy Tarreau
0 siblings, 0 replies; 8+ messages in thread
From: Willy Tarreau @ 2022-05-20 4:21 UTC (permalink / raw)
To: Ammar Faizi
Cc: Paul E. McKenney, Alviro Iskandar Setiawan,
Linux Kernel Mailing List, GNU/Weeb Mailing List,
Facebook Kernel Team
On Fri, May 20, 2022 at 12:21:16AM +0700, Ammar Faizi wrote:
> From: Alviro Iskandar Setiawan <[email protected]>
>
> When we use printf and fprintf functions from the nolibc, we don't
> get any warning from the compiler if we have the wrong arguments.
> For example, the following calls will compile silently:
> ```
> printf("%s %s\n", "aaa");
> fprintf(stdout, "%s %s\n", "xxx", 1);
> ```
> (Note the wrong arguments).
>
> Those calls are undefined behavior. The compiler can help us warn
> about the above mistakes by adding a `printf` format attribute to
> those functions declaration.
I'm shocked I forgot it, I use it all the time, I'm even seeing this
as a bug fix for the series I sent. Thanks for fixing this mistake of
mine!
Acked-by: Willy Tarreau <[email protected]>
Willy
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 0/2] nolibc updates for Linux 5.20
2022-05-19 17:21 [PATCH v1 0/2] nolibc updates for Linux 5.20 Ammar Faizi
2022-05-19 17:21 ` [PATCH v1 1/2] tools/nolibc/stdlib: Support overflow checking for older compiler versions Ammar Faizi
2022-05-19 17:21 ` [PATCH v1 2/2] tools/nolibc/stdio: Add format attribute to enable printf warnings Ammar Faizi
@ 2022-05-20 4:23 ` Willy Tarreau
2 siblings, 0 replies; 8+ messages in thread
From: Willy Tarreau @ 2022-05-20 4:23 UTC (permalink / raw)
To: Paul E. McKenney
Cc: Ammar Faizi, Alviro Iskandar Setiawan, Linux Kernel Mailing List,
GNU/Weeb Mailing List, Facebook Kernel Team
On Fri, May 20, 2022 at 12:21:14AM +0700, Ammar Faizi wrote:
> Not much to do this time. Only small nolibc updates here. There are two
> patches in this series.
>
> 1. Address Willy's comment about overflow checking in the multiplication
> operation [1]. This patch supports overflow checking for older
> compiler versions. Currently, we use `__builtin_mul_overflow()` that
> doesn't exist in older compiler versions. Instead of using this
> built-in, use a simple division to check for overflow in the `calloc()`
> function.
>
> 2. The compiler can warn us about wrong `printf` arguments. This patch
> enables the warnings. Currently, only two functions use this attribute:
> `printf` and `fprintf`.
Paul, in summary I'm perfectly fine with the whole series, you can take it.
Thanks!
Willy
^ permalink raw reply [flat|nested] 8+ messages in thread