Message ID | 3800eaa8-a4da-b2f0-da31-6627176cb92e@physik.fu-berlin.de (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Calculating array sizes in C - was: Re: Build regressions/improvements in v6.2-rc1 | expand |
Hi Adrian, On Tue, Jan 17, 2023 at 5:42 PM John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> wrote: > On 1/6/23 16:17, Geert Uytterhoeven wrote: > >> I'm not seeing this one, but I am getting this one instead: > >> > >> In file included from ./arch/sh/include/asm/hw_irq.h:6, > >> from ./include/linux/irq.h:596, > >> from ./include/asm-generic/hardirq.h:17, > >> from ./arch/sh/include/asm/hardirq.h:9, > >> from ./include/linux/hardirq.h:11, > >> from ./include/linux/interrupt.h:11, > >> from ./include/linux/serial_core.h:13, > >> from ./include/linux/serial_sci.h:6, > >> from arch/sh/kernel/cpu/sh2/setup-sh7619.c:11: > >> ./include/linux/sh_intc.h:100:63: error: division 'sizeof (void *) / sizeof (void)' does not compute the number of array elements [-Werror=sizeof-pointer-div] > >> 100 | #define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 0 : sizeof(a)/sizeof(*a) > >> | ^ > >> ./include/linux/sh_intc.h:105:31: note: in expansion of macro '_INTC_ARRAY' > >> 105 | _INTC_ARRAY(vectors), _INTC_ARRAY(groups), \ > >> | ^~~~~~~~~~~ > > > > The easiest fix for the latter is to disable CONFIG_WERROR. > > Unfortunately I don't know a simple solution to get rid of the warning. > > I did some research and it seems that what the macro _INT_ARRAY() does with "sizeof(a)/sizeof(*a)" > is a commonly used way to calculate array sizes and the kernel has even its own macro for that > called ARRAY_SIZE() which Linus asks people to use here [1]. > > So, I replaced _INTC_ARRAY() with ARRAY_SIZE() (see below), however the kernel's own ARRAY_SIZE() > macro triggers the same compiler warning. I'm CC'ing Michael Karcher who has more knowledge on > writing proper C code than me and maybe an idea how to fix this warning. > > Thanks, > Adrian > > > [1] https://lkml.org/lkml/2015/9/3/428 > > diff --git a/include/linux/sh_intc.h b/include/linux/sh_intc.h > index c255273b0281..07a187686a84 100644 > --- a/include/linux/sh_intc.h > +++ b/include/linux/sh_intc.h > @@ -97,14 +97,12 @@ struct intc_hw_desc { > unsigned int nr_subgroups; > }; > > -#define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 0 : sizeof(a)/sizeof(*a) > - > #define INTC_HW_DESC(vectors, groups, mask_regs, \ > prio_regs, sense_regs, ack_regs) \ > { \ > - _INTC_ARRAY(vectors), _INTC_ARRAY(groups), \ > - _INTC_ARRAY(mask_regs), _INTC_ARRAY(prio_regs), \ > - _INTC_ARRAY(sense_regs), _INTC_ARRAY(ack_regs), \ > + ARRAY_SIZE(vectors), ARRAY_SIZE(groups), \ > + ARRAY_SIZE(mask_regs), ARRAY_SIZE(prio_regs), \ > + ARRAY_SIZE(sense_regs), ARRAY_SIZE(ack_regs), \ > } The issue is that some of the parameters are not arrays, but NULL. E.g.: arch/sh/kernel/cpu/sh2/setup-sh7619.c:static DECLARE_INTC_DESC(intc_desc, "sh7619", vectors, NULL, arch/sh/kernel/cpu/sh2/setup-sh7619.c- NULL, prio_registers, NULL); -- Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
Hi! On 1/17/23 18:01, Geert Uytterhoeven wrote: > The issue is that some of the parameters are not arrays, but > NULL. E.g.: > > arch/sh/kernel/cpu/sh2/setup-sh7619.c:static > DECLARE_INTC_DESC(intc_desc, "sh7619", vectors, NULL, > arch/sh/kernel/cpu/sh2/setup-sh7619.c- NULL, > prio_registers, NULL); Isn't this supposed to be caught by this check: a, __same_type(a, NULL) ? Adrian
Hi Adrian, On Tue, Jan 17, 2023 at 6:06 PM John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> wrote: > On 1/17/23 18:01, Geert Uytterhoeven wrote: > > The issue is that some of the parameters are not arrays, but > > NULL. E.g.: > > > > arch/sh/kernel/cpu/sh2/setup-sh7619.c:static > > DECLARE_INTC_DESC(intc_desc, "sh7619", vectors, NULL, > > arch/sh/kernel/cpu/sh2/setup-sh7619.c- NULL, > > prio_registers, NULL); > > Isn't this supposed to be caught by this check: > > a, __same_type(a, NULL) > > ? Yeah, but gcc thinks it is smarter than us... Probably it drops the test, assuming UB cannot happen. Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
Hi! On 1/17/23 21:05, Geert Uytterhoeven wrote: >> Isn't this supposed to be caught by this check: >> >> a, __same_type(a, NULL) >> >> ? > > Yeah, but gcc thinks it is smarter than us... > Probably it drops the test, assuming UB cannot happen. Hmm, sounds like a GGC bug to me then. Not sure how to fix this then. Adrian
Isn't this supposed to be caught by this check: >>> >>> a, __same_type(a, NULL) >>> >>> ? >> >> Yeah, but gcc thinks it is smarter than us... >> Probably it drops the test, assuming UB cannot happen. > Hmm, sounds like a GGC bug to me then. Not sure how to fix this then. I don't see a clear bug at this point. We are talking about the C expression __same_type((void*)0, (void*)0)? 0 : sizeof((void*)0)/sizeof(*((void*0)) This expression is valid (assuming __same_type works, which is a GCC extension), and should return 0. As of now, I have no indication that this expression does not return 0. Also, it is true that this expression contains the suspicious pattern "sizeof(void*)/sizeof(void)", which is does not calculate the size of any array. GCC is free to emit as much warnings is it wants for any kind of expressions. From a C standard point of view, it's just a "quality of implementation" issue, and an implementation that emits useless warnings is of low quality, but not non-conforming. In this case, we requested that gcc refuses to compile if it emits any kind of warning, which instructs gcc to reject programs that would be valid according to the C standard, but are deemed to be "likely incorrect". I suggest to file a bug against gcc complaining about a "spurious warning", and using "-Werror -Wno-error-sizeof-pointer-div" until gcc is adapted to not emit the warning about the pointer division if the result is not used. Regards, Michael Karcher
On 1/19/23 16:11, Michael.Karcher wrote: > Isn't this supposed to be caught by this check: >>>> >>>> a, __same_type(a, NULL) >>>> >>>> ? >>> >>> Yeah, but gcc thinks it is smarter than us... >>> Probably it drops the test, assuming UB cannot happen. >> Hmm, sounds like a GGC bug to me then. Not sure how to fix this then. > > > I don't see a clear bug at this point. We are talking about the C expression > > __same_type((void*)0, (void*)0)? 0 : sizeof((void*)0)/sizeof(*((void*0)) *(void*) is type "void" which does not have a size. The problem is gcc "optimizing out" an earlier type check, the same way it "optimizes out" checks for signed integer math overflowing, or "optimizes out" a comparison to pointers from two different local variables from different function calls trying to calculate the amount of stack used, or "optimizes out" using char *x = (char *)1; as a flag value and then doing "if (!(x-1)) because it can "never happen"... > I suggest to file a bug against gcc complaining about a "spurious > warning", and using "-Werror -Wno-error-sizeof-pointer-div" until gcc is > adapted to not emit the warning about the pointer division if the result > is not used. Remember when gcc got rewritten in c++ starting in 2007? Historically the main marketing push of C++ was that it contains the whole of C and therefore MUST be just as good a language, the same way a mud pie contains an entire glass of water and therefore MUST be just as good a beverage. Anything C can do that C++ _can't_ do is seen as an existential threat by C++ developers. They've worked dilligently to "fix" C not being a giant pile of "undefined behavior" the way C++ is for 15 years now. I have... opinions on this. > Regards, > Michael Karcher Rob
Hi Michael! On 1/19/23 23:11, Michael.Karcher wrote: > I suggest to file a bug against gcc complaining about a "spurious warning", > and using "-Werror -Wno-error-sizeof-pointer-div" until gcc is adapted to > not emit the warning about the pointer division if the result is not used. Could you post a kernel patch for that? I would be happy to test it on my SH-7785CLR board. Also, I'm going to file a bug report against GCC. Adrian
On Thu, Jan 19, 2023 at 09:31:21PM -0600, Rob Landley wrote: > On 1/19/23 16:11, Michael.Karcher wrote: > > I don't see a clear bug at this point. We are talking about the C expression > > > > __same_type((void*)0, (void*)0)? 0 : sizeof((void*)0)/sizeof(*((void*0)) (__same_type is a kernel macro, it expands to something with __builtin_compatible_type()). > *(void*) is type "void" which does not have a size. It has size 1, in GCC, so that you can do arithmetic on pointers to void. This is a long-standing and very widely used GCC extension. """ 6.24 Arithmetic on 'void'- and Function-Pointers ================================================ In GNU C, addition and subtraction operations are supported on pointers to 'void' and on pointers to functions. This is done by treating the size of a 'void' or of a function as 1. A consequence of this is that 'sizeof' is also allowed on 'void' and on function types, and returns 1. The option '-Wpointer-arith' requests a warning if these extensions are used. """ > The problem is gcc "optimizing out" an earlier type check, the same way it > "optimizes out" checks for signed integer math overflowing, or "optimizes out" a > comparison to pointers from two different local variables from different > function calls trying to calculate the amount of stack used, or "optimizes out" Are you saying something in the kernel code here is invalid code? Because your other examples are. > using char *x = (char *)1; as a flag value and then doing "if (!(x-1)) because > it can "never happen"... Like here. And no, this is not allowed by -fno-strict-aliasing. > > I suggest to file a bug against gcc complaining about a "spurious > > warning", and using "-Werror -Wno-error-sizeof-pointer-div" until gcc is > > adapted to not emit the warning about the pointer division if the result > > is not used. Yeah. If the first operand of a conditional operator is non-zero, the second operand is not evaluated, and if the first is zero, the third operand is not evaluated. It is better if we do not warn about something we do not evaluate. In cases like here where it is clear at compile time which branch is taken, that shouldn't be too hard. Can someone please file a GCC PR? With reduced testcase preferably. Segher
From: Segher Boessenkool > Sent: 20 January 2023 10:54 ... > > > I suggest to file a bug against gcc complaining about a "spurious > > > warning", and using "-Werror -Wno-error-sizeof-pointer-div" until gcc is > > > adapted to not emit the warning about the pointer division if the result > > > is not used. > > Yeah. If the first operand of a conditional operator is non-zero, the > second operand is not evaluated, and if the first is zero, the third > operand is not evaluated. It is better if we do not warn about > something we do not evaluate. In cases like here where it is clear at > compile time which branch is taken, that shouldn't be too hard. > > Can someone please file a GCC PR? With reduced testcase preferably. It's not a bug. All the operands of the conditional operator have to be valid. It might be that the optimiser can discard one, but that happens much later on. Even the operands of choose_expr() have to be valid - but can have different types. I'm not sure what the code is trying to do or why it is failing. Was it a fail in userspace - where the option to allow sizeof (void) isn't allowed. FWIW you can check for a compile-time NULL (or 0) with: #define is_null(x) (sizeof *(0 : (void *)(x) ? (int *)0) != 1) Although that is a compile-time error for non-NULL unless 'void *' arithmetic is allowed. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
Hello!
> Can someone please file a GCC PR? With reduced testcase preferably.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108483
There you are.
Kind regars,
Michael Karcher
Hello Adrian, > Could you post a kernel patch for that? I would be happy to test it on my > SH-7785CLR board. Also, I'm going to file a bug report against GCC. I filed the bug already. It's https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108483. The diff is attached. It's published as CC0 in case anyone considers this trivial change copyrightable. This patch prevents this one specific warning from being upgraded to "error" even if you configure the kernel to use "-Werror". It still keeps it active as warning, though. Kind regards, Michael Karcher diff --git a/Makefile b/Makefile index e09fe100efb2..b4cd075c6a19 100644 --- a/Makefile +++ b/Makefile @@ -870,7 +870,7 @@ stackp-flags-$(CONFIG_STACKPROTECTOR_STRONG) := -fstack-protector-strong KBUILD_CFLAGS += $(stackp-flags-y) -KBUILD_CPPFLAGS-$(CONFIG_WERROR) += -Werror +KBUILD_CPPFLAGS-$(CONFIG_WERROR) += -Werror -Wno-error=sizeof-pointer-div KBUILD_CPPFLAGS += $(KBUILD_CPPFLAGS-y) KBUILD_CFLAGS-$(CONFIG_CC_NO_ARRAY_BOUNDS) += -Wno-array-bounds
Hi! On 1/20/23 20:29, Michael Karcher wrote: > Hello Adrian, >> Could you post a kernel patch for that? I would be happy to test it on my >> SH-7785CLR board. Also, I'm going to file a bug report against GCC. > > I filed the bug already. It's https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108483. > > The diff is attached. It's published as CC0 in case anyone considers this trivial change copyrightable. This patch prevents this one specific warning from being upgraded to "error" even if you configure the kernel to use "-Werror". It still keeps it active as warning, though. I used the following variant and it fixes the issue for me: diff --git a/arch/sh/Makefile b/arch/sh/Makefile index 5c8776482530..11b22f7167d2 100644 --- a/arch/sh/Makefile +++ b/arch/sh/Makefile @@ -167,7 +167,7 @@ drivers-y += arch/sh/drivers/ cflags-y += $(foreach d, $(cpuincdir-y), -I $(srctree)/arch/sh/include/$(d)) \ $(foreach d, $(machdir-y), -I $(srctree)/arch/sh/include/$(d)) -KBUILD_CFLAGS += -pipe $(cflags-y) +KBUILD_CFLAGS += -pipe -Wno-error=sizeof-pointer-div $(cflags-y) KBUILD_CPPFLAGS += $(cflags-y) KBUILD_AFLAGS += $(cflags-y) If you agree, can you post a patch to LKML so we can unbreak the SH build for CONFIG_WERROR? Thanks, Adrian
diff --git a/include/linux/sh_intc.h b/include/linux/sh_intc.h index c255273b0281..07a187686a84 100644 --- a/include/linux/sh_intc.h +++ b/include/linux/sh_intc.h @@ -97,14 +97,12 @@ struct intc_hw_desc { unsigned int nr_subgroups; }; -#define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 0 : sizeof(a)/sizeof(*a) - #define INTC_HW_DESC(vectors, groups, mask_regs, \ prio_regs, sense_regs, ack_regs) \ { \ - _INTC_ARRAY(vectors), _INTC_ARRAY(groups), \ - _INTC_ARRAY(mask_regs), _INTC_ARRAY(prio_regs), \ - _INTC_ARRAY(sense_regs), _INTC_ARRAY(ack_regs), \ + ARRAY_SIZE(vectors), ARRAY_SIZE(groups), \ + ARRAY_SIZE(mask_regs), ARRAY_SIZE(prio_regs), \ + ARRAY_SIZE(sense_regs), ARRAY_SIZE(ack_regs), \ } struct intc_desc {