| Message ID | 20150617190508.5205e8af@wiggum (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Wed, Jun 17, 2015 at 1:05 PM, Michael Büsch <m@bues.ch> wrote: > The expression (~0 >> x) will always yield all-ones, because the right > shift is an arithmetic right shift that will always shift ones in. > Accordingly ~(~0 >> x) will always be zero. > Hence 'mask' will always be zero in this case. > > Fix this by forcing a logical right shift instead of an arithmetic > right shift by using an unsigned int constant. > > Signed-off-by: Michael Buesch <m@bues.ch> Confirmed that this does indeed happen with #include <stdio.h> int main(int argc, char *argv[]) { unsigned mask = ~(~0 >> (32 - (argv[1][0] - '0'))); printf("%08x\n", mask); } I guess fbdev/nvidia/nv_accel.c was the source of all this, as the code is identical, and it probably came first. FWIW this is Reviewed-by: Ilia Mirkin <imirkin@alum.mit.edu> > > --- > > This patch is untested, because I do not have the hardware. > > > Index: linux/drivers/gpu/drm/nouveau/nv50_fbcon.c > =================================================================== > --- linux.orig/drivers/gpu/drm/nouveau/nv50_fbcon.c > +++ linux/drivers/gpu/drm/nouveau/nv50_fbcon.c > @@ -96,7 +96,7 @@ nv50_fbcon_imageblit(struct fb_info *inf > struct nouveau_drm *drm = nouveau_drm(nfbdev->dev); > struct nouveau_channel *chan = drm->channel; > uint32_t width, dwords, *data = (uint32_t *)image->data; > - uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel)); > + uint32_t mask = ~(~0U >> (32 - info->var.bits_per_pixel)); > uint32_t *palette = info->pseudo_palette; > int ret; > > Index: linux/drivers/gpu/drm/nouveau/nvc0_fbcon.c > =================================================================== > --- linux.orig/drivers/gpu/drm/nouveau/nvc0_fbcon.c > +++ linux/drivers/gpu/drm/nouveau/nvc0_fbcon.c > @@ -96,7 +96,7 @@ nvc0_fbcon_imageblit(struct fb_info *inf > struct nouveau_drm *drm = nouveau_drm(nfbdev->dev); > struct nouveau_channel *chan = drm->channel; > uint32_t width, dwords, *data = (uint32_t *)image->data; > - uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel)); > + uint32_t mask = ~(~0U >> (32 - info->var.bits_per_pixel)); > uint32_t *palette = info->pseudo_palette; > int ret; > > Index: linux/drivers/video/fbdev/nvidia/nv_accel.c > =================================================================== > --- linux.orig/drivers/video/fbdev/nvidia/nv_accel.c > +++ linux/drivers/video/fbdev/nvidia/nv_accel.c > @@ -351,7 +351,7 @@ static void nvidiafb_mono_color_expand(s > const struct fb_image *image) > { > struct nvidia_par *par = info->par; > - u32 fg, bg, mask = ~(~0 >> (32 - info->var.bits_per_pixel)); > + u32 fg, bg, mask = ~(~0U >> (32 - info->var.bits_per_pixel)); > u32 dsize, width, *data = (u32 *) image->data, tmp; > int j, k = 0; > > > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/dri-devel > -- To unsubscribe from this list: send the line "unsubscribe linux-fbdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, 17 Jun 2015 20:47:17 -0400 Ilia Mirkin <imirkin@alum.mit.edu> wrote: > On Wed, Jun 17, 2015 at 1:05 PM, Michael Büsch <m@bues.ch> wrote: > > The expression (~0 >> x) will always yield all-ones, because the right > > shift is an arithmetic right shift that will always shift ones in. > > Accordingly ~(~0 >> x) will always be zero. > > Hence 'mask' will always be zero in this case. > > > > Fix this by forcing a logical right shift instead of an arithmetic > > right shift by using an unsigned int constant. > > > > Signed-off-by: Michael Buesch <m@bues.ch> > > Confirmed that this does indeed happen with > > #include <stdio.h> > int main(int argc, char *argv[]) { > unsigned mask = ~(~0 >> (32 - (argv[1][0] - '0'))); > printf("%08x\n", mask); > } > > I guess fbdev/nvidia/nv_accel.c was the source of all this, as the > code is identical, and it probably came first. If anybody is able to help me in creating a working semantic patch (coccinelle) for this, that would be great. I found this using a very hacky and incorrect spatch (some version is attached). It throws many false positives, doesn't find all such bugs and does not create correct patch output (especially the #define related rule is just meant as a hint). Some basic thoughts that come to mind that could possibly be statically checked somehow are: - right shift of promoted variables. That is stuff like this: u8 x, y = 0x0F; x = ~y >> 1; /* x is 0xF8, not 0x78 as someone might expect. */ - Also check this for typedef'ed types where promotion takes place (that are smaller than int)? - right shift of signed constants (like in this case). That probably is wrong in most cases. How to check signedness of constants in spatch? (123 vs 123U) Is that even possible? - Also detect this stuff, if variables/constants are hidden via #define or such: #define REGVAL 0x0F writereg(REGISTER, ~REGVAL >> 1); Probably more stuff could be checked. Ideas are welcome. :)
Index: linux/drivers/gpu/drm/nouveau/nv50_fbcon.c =================================================================== --- linux.orig/drivers/gpu/drm/nouveau/nv50_fbcon.c +++ linux/drivers/gpu/drm/nouveau/nv50_fbcon.c @@ -96,7 +96,7 @@ nv50_fbcon_imageblit(struct fb_info *inf struct nouveau_drm *drm = nouveau_drm(nfbdev->dev); struct nouveau_channel *chan = drm->channel; uint32_t width, dwords, *data = (uint32_t *)image->data; - uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel)); + uint32_t mask = ~(~0U >> (32 - info->var.bits_per_pixel)); uint32_t *palette = info->pseudo_palette; int ret; Index: linux/drivers/gpu/drm/nouveau/nvc0_fbcon.c =================================================================== --- linux.orig/drivers/gpu/drm/nouveau/nvc0_fbcon.c +++ linux/drivers/gpu/drm/nouveau/nvc0_fbcon.c @@ -96,7 +96,7 @@ nvc0_fbcon_imageblit(struct fb_info *inf struct nouveau_drm *drm = nouveau_drm(nfbdev->dev); struct nouveau_channel *chan = drm->channel; uint32_t width, dwords, *data = (uint32_t *)image->data; - uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel)); + uint32_t mask = ~(~0U >> (32 - info->var.bits_per_pixel)); uint32_t *palette = info->pseudo_palette; int ret; Index: linux/drivers/video/fbdev/nvidia/nv_accel.c =================================================================== --- linux.orig/drivers/video/fbdev/nvidia/nv_accel.c +++ linux/drivers/video/fbdev/nvidia/nv_accel.c @@ -351,7 +351,7 @@ static void nvidiafb_mono_color_expand(s const struct fb_image *image) { struct nvidia_par *par = info->par; - u32 fg, bg, mask = ~(~0 >> (32 - info->var.bits_per_pixel)); + u32 fg, bg, mask = ~(~0U >> (32 - info->var.bits_per_pixel)); u32 dsize, width, *data = (u32 *) image->data, tmp; int j, k = 0;
The expression (~0 >> x) will always yield all-ones, because the right shift is an arithmetic right shift that will always shift ones in. Accordingly ~(~0 >> x) will always be zero. Hence 'mask' will always be zero in this case. Fix this by forcing a logical right shift instead of an arithmetic right shift by using an unsigned int constant. Signed-off-by: Michael Buesch <m@bues.ch> --- This patch is untested, because I do not have the hardware.