security: Use || instead of | for boolean expressions
diff mbox

Message ID 1464760982-3721-1-git-send-email-rui.teng@linux.vnet.ibm.com
State New
Headers show

Commit Message

Rui Teng June 1, 2016, 6:03 a.m. UTC
Sparse spits out the following warning:
	security/commoncap.c:989:41: warning: dubious: !x | y

Bitwise and logical are equivalent here, but logical was intended.
Replacing the bit-wise '|' with the boolean '||' silences the sparse warning.
The generated code for both cases is the same.

Signed-off-by: Rui Teng <rui.teng@linux.vnet.ibm.com>
---
 security/commoncap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Serge E. Hallyn June 2, 2016, 2:13 p.m. UTC | #1
On Wed, Jun 01, 2016 at 02:03:02PM +0800, Rui Teng wrote:
> Sparse spits out the following warning:
> 	security/commoncap.c:989:41: warning: dubious: !x | y
> 
> Bitwise and logical are equivalent here, but logical was intended.
> Replacing the bit-wise '|' with the boolean '||' silences the sparse warning.

Hi,

this looks ok, but I'm worried by

> The generated code for both cases is the same.

That cannot be.  The logical result should be the same, but the
generated code cannot be.

I'm cc:ing Andy as this code came in with his patch.  Is there an
actual reason for having used bitwise here?

thanks,
-serge

> Signed-off-by: Rui Teng <rui.teng@linux.vnet.ibm.com>
> ---
>  security/commoncap.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/security/commoncap.c b/security/commoncap.c
> index e7fadde..8f6fb24 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -976,7 +976,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
>  
>  	case PR_CAP_AMBIENT:
>  		if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
> -			if (arg3 | arg4 | arg5)
> +			if (arg3 || arg4 || arg5)
>  				return -EINVAL;
>  
>  			new = prepare_creds();
> @@ -986,7 +986,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
>  			return commit_creds(new);
>  		}
>  
> -		if (((!cap_valid(arg3)) | arg4 | arg5))
> +		if (((!cap_valid(arg3)) || arg4 || arg5))
>  			return -EINVAL;
>  
>  		if (arg2 == PR_CAP_AMBIENT_IS_SET) {
> -- 
> 2.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Rui Teng June 2, 2016, 4:53 p.m. UTC | #2
On 6/2/16 10:13 PM, Serge E. Hallyn wrote:
> On Wed, Jun 01, 2016 at 02:03:02PM +0800, Rui Teng wrote:
>> Sparse spits out the following warning:
>> 	security/commoncap.c:989:41: warning: dubious: !x | y
>>
>> Bitwise and logical are equivalent here, but logical was intended.
>> Replacing the bit-wise '|' with the boolean '||' silences the sparse warning.
>
> Hi,
>
> this looks ok, but I'm worried by
>
>> The generated code for both cases is the same.
>
> That cannot be.  The logical result should be the same, but the
> generated code cannot be.

Thanks for cc:ing the author.

I tried to write a sample code to verify it before. Both || and | will
generate the same assembly code.

For example, compiling following code with "gcc -O2 -S main.c", and
replacing || with | can generate the same assembly code.

- main.c ------------

int parse(int a, int b, int c)
{
         if (a || b || c)
                 return 1;
         else
                 return 0;
}

Of cause, it is only a sample on x86, but even if the generated code is
not the same, the logical will be better than bitwise.
Because (a || b || c) means (a != 0 || b != 0 || c != 0), once a != 0,
the whole expression will be true(short-circuit evaluation).
and (a | b | c) means calculate the bitwise first and check the result
in the end. And since the args are all integer, there is no need to
avoid any short-circuit.


>
> I'm cc:ing Andy as this code came in with his patch.  Is there an
> actual reason for having used bitwise here?
>
> thanks,
> -serge
>
>> Signed-off-by: Rui Teng <rui.teng@linux.vnet.ibm.com>
>> ---
>>  security/commoncap.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/commoncap.c b/security/commoncap.c
>> index e7fadde..8f6fb24 100644
>> --- a/security/commoncap.c
>> +++ b/security/commoncap.c
>> @@ -976,7 +976,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
>>
>>  	case PR_CAP_AMBIENT:
>>  		if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
>> -			if (arg3 | arg4 | arg5)
>> +			if (arg3 || arg4 || arg5)
>>  				return -EINVAL;
>>
>>  			new = prepare_creds();
>> @@ -986,7 +986,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
>>  			return commit_creds(new);
>>  		}
>>
>> -		if (((!cap_valid(arg3)) | arg4 | arg5))
>> +		if (((!cap_valid(arg3)) || arg4 || arg5))
>>  			return -EINVAL;
>>
>>  		if (arg2 == PR_CAP_AMBIENT_IS_SET) {
>> --
>> 2.7.4
>

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Al Viro June 2, 2016, 5:37 p.m. UTC | #3
On Fri, Jun 03, 2016 at 12:53:07AM +0800, Rui Teng wrote:

> Of cause, it is only a sample on x86, but even if the generated code is
> not the same, the logical will be better than bitwise.
> Because (a || b || c) means (a != 0 || b != 0 || c != 0), once a != 0,
> the whole expression will be true(short-circuit evaluation).
> and (a | b | c) means calculate the bitwise first and check the result
> in the end. And since the args are all integer, there is no need to
> avoid any short-circuit.

Not obvious at all.  Comparison of the cost of two OR plus one conditional
branch vs. that of "short-circuited" variant is almost certainly going to be
in favour of compiler using bitwise operations anyway.  At the very least
you'll need to examine the first value, so even in the fastest case it's
test + branch taken.  The rest is going to be worse and the whole thing is
going to be not fun for the pipeline either, not to mention higher icache
footprint, etc.

So I would be quite surprised if cc(1) would use short-circuit there,
whichever form you use in the source.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch
diff mbox

diff --git a/security/commoncap.c b/security/commoncap.c
index e7fadde..8f6fb24 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -976,7 +976,7 @@  int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 
 	case PR_CAP_AMBIENT:
 		if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
-			if (arg3 | arg4 | arg5)
+			if (arg3 || arg4 || arg5)
 				return -EINVAL;
 
 			new = prepare_creds();
@@ -986,7 +986,7 @@  int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 			return commit_creds(new);
 		}
 
-		if (((!cap_valid(arg3)) | arg4 | arg5))
+		if (((!cap_valid(arg3)) || arg4 || arg5))
 			return -EINVAL;
 
 		if (arg2 == PR_CAP_AMBIENT_IS_SET) {