Re: [Intel-gfx] [PATCH v11.5] overflow: Introduce overflows_type() and __castable_to_type()
Hi Kees,
Thank you so much for taking the time to refine and update the code and
checking out where the side effects that I missed may occur.
On 9/26/22 3:37 AM, Kees Cook wrote:
Add overflows_type() to test if a variable or constant value would
overflow another variable or type. This can be used as a constant
expression for static_assert() (which requires a constant
expression[1][2]) when used on constant values. This must be constructed
manually, since __builtin_add_overflow() does not produce a constant
expression[3].
Additionally adds __castable_to_type(), similar to __same_type(), for
checking if a constant value will fit in a given type (i.e. it could
be cast to the type without overflow).
Add unit tests for overflows_type(), __same_type(), and
__castable_to_type() to the existing KUnit "overflow" test.
[1] https://en.cppreference.com/w/c/language/_Static_assert
[2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
[3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
type3 *res)
Cc: Luc Van Oostenryck
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Tom Rix
Cc: Daniel Latypov
Cc: Vitor Massaru Iha
Cc: "Gustavo A. R. Silva"
Cc: linux-harden...@vger.kernel.org
Cc: l...@lists.linux.dev
Co-developed-by: Gwan-gyeong Mun
Signed-off-by: Gwan-gyeong Mun
Signed-off-by: Kees Cook
---
include/linux/compiler.h | 1 +
include/linux/overflow.h | 48 +
lib/overflow_kunit.c | 393 ++-
3 files changed, 441 insertions(+), 1 deletion(-)
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 7713d7bcdaea..c631107e93b1 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off)
* bool and also pointer types.
*/
#define is_signed_type(type) (((type)(-1)) < (__force type)1)
+#define is_unsigned_type(type) (!is_signed_type(type))
/*
* This is needed in functions which generate the stack canary, see
diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 19dfdd74835e..c8cbeae5f4f8 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool
overflow)
(*_d >> _to_shift) != _a);\
}))
+#define __overflows_type_constexpr(x, T) ( \
+ is_unsigned_type(typeof(x)) ? \
+ (x) > type_max(typeof(T)) ? 1 : 0\
+ : is_unsigned_type(typeof(T)) ? \
+ (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
+ : (x) < type_min(typeof(T)) || \
+ (x) > type_max(typeof(T)) ? 1 : 0 )
+
+#define __overflows_type(x, T) ({ \
+ typeof(T) v = 0;\
+ check_add_overflow((x), v, &v); \
+})
+
+/**
+ * overflows_type - helper for checking the overflows between value, variables,
+ * or data type
+ *
+ * @n: source constant value or variable to be checked
+ * @T: destination variable or data type proposed to store @x
+ *
+ * Compares the @x expression for whether or not it can safely fit in
+ * the storage of the type in @T. @x and @T can have different types.
+ * If @x is a conxtant expression, this will also resolve to a constant
conxtant -> constant
+ * expression.
+ *
+ * Returns: true if overflow can occur, false otherwise.
+ */
+#define overflows_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n),\
+ __overflows_type_constexpr(n, T), \
+ __overflows_type(n, T))
+
Did you do it because __overflows_type_constexpr() always requires
__is_constexpr() to avoid side effects?
And is the purpose of this macro to return a const-expression when a
constant value is used as an argument and return a bool value when the
argument is not a constant value?
One more, to fix the build problem, the overflows_type() part added from
this link
(https://patchwork.freedesktop.org/patch/504377/?series=108945&rev=2)
should be removed from this patch.
And in other parts of this series, places that use macros added in a
previous patch should also be updated. I'll fix those codes and send it
as a new version.
Many thanks,
G.G.
+/**
+ * __castable_to_type - like __same_type(), but also allows for casted literals
+ *
+ * @n: variable or constant value
+ * @T: data type or variable
+ *
+ * Unlike the __same_type() macro, this allows a constant value as the
+ * first argument. If this value would not overflow into an assignment
+ * of the second argument's type, it returns true.
Re: [Intel-gfx] [PATCH v11.5] overflow: Introduce overflows_type() and __castable_to_type()
On 9/26/22 3:37 AM, Kees Cook wrote:
Add overflows_type() to test if a variable or constant value would
overflow another variable or type. This can be used as a constant
expression for static_assert() (which requires a constant
expression[1][2]) when used on constant values. This must be constructed
manually, since __builtin_add_overflow() does not produce a constant
expression[3].
Additionally adds __castable_to_type(), similar to __same_type(), for
checking if a constant value will fit in a given type (i.e. it could
be cast to the type without overflow).
Add unit tests for overflows_type(), __same_type(), and
__castable_to_type() to the existing KUnit "overflow" test.
[1] https://en.cppreference.com/w/c/language/_Static_assert
[2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
[3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
type3 *res)
Cc: Luc Van Oostenryck
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Tom Rix
Cc: Daniel Latypov
Cc: Vitor Massaru Iha
Cc: "Gustavo A. R. Silva"
Cc: linux-harden...@vger.kernel.org
Cc: l...@lists.linux.dev
Co-developed-by: Gwan-gyeong Mun
Signed-off-by: Gwan-gyeong Mun
Signed-off-by: Kees Cook
---
include/linux/compiler.h | 1 +
include/linux/overflow.h | 48 +
lib/overflow_kunit.c | 393 ++-
3 files changed, 441 insertions(+), 1 deletion(-)
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 7713d7bcdaea..c631107e93b1 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off)
* bool and also pointer types.
*/
#define is_signed_type(type) (((type)(-1)) < (__force type)1)
+#define is_unsigned_type(type) (!is_signed_type(type))
/*
* This is needed in functions which generate the stack canary, see
diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 19dfdd74835e..c8cbeae5f4f8 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool
overflow)
(*_d >> _to_shift) != _a);\
}))
+#define __overflows_type_constexpr(x, T) ( \
+ is_unsigned_type(typeof(x)) ? \
+ (x) > type_max(typeof(T)) ? 1 : 0\
+ : is_unsigned_type(typeof(T)) ? \
+ (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
+ : (x) < type_min(typeof(T)) || \
+ (x) > type_max(typeof(T)) ? 1 : 0 )
+
+#define __overflows_type(x, T) ({ \
+ typeof(T) v = 0;\
+ check_add_overflow((x), v, &v); \
+})
+
+/**
+ * overflows_type - helper for checking the overflows between value, variables,
+ * or data type
+ *
+ * @n: source constant value or variable to be checked
+ * @T: destination variable or data type proposed to store @x
+ *
+ * Compares the @x expression for whether or not it can safely fit in
+ * the storage of the type in @T. @x and @T can have different types.
+ * If @x is a conxtant expression, this will also resolve to a constant
+ * expression.
+ *
+ * Returns: true if overflow can occur, false otherwise.
+ */
+#define overflows_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n),\
+ __overflows_type_constexpr(n, T), \
+ __overflows_type(n, T))
+
+/**
+ * __castable_to_type - like __same_type(), but also allows for casted literals
+ *
+ * @n: variable or constant value
+ * @T: data type or variable
+ *
+ * Unlike the __same_type() macro, this allows a constant value as the
+ * first argument. If this value would not overflow into an assignment
+ * of the second argument's type, it returns true. Otherwise, this falls
+ * back to __same_type().
+ */
+#define __castable_to_type(n, T) \
+ __builtin_choose_expr(__is_constexpr(n),\
+ !__overflows_type_constexpr(n, T),\
+ __same_type(n, T))
+
This name is fine, but I prefer the __same_typable you suggested as a
comment in the previous patch better, what do you think?
( __castable_to_type(n, T); The macro name seems to handle if type
casting is possible to the second argument type from the first argument
variable. )
G.G.
Re: [Intel-gfx] [PATCH v11.5] overflow: Introduce overflows_type() and __castable_to_type()
On Mon, Sep 26, 2022 at 06:57:53PM +0300, Gwan-gyeong Mun wrote:
>
>
> On 9/26/22 3:37 AM, Kees Cook wrote:
> > Add overflows_type() to test if a variable or constant value would
> > overflow another variable or type. This can be used as a constant
> > expression for static_assert() (which requires a constant
> > expression[1][2]) when used on constant values. This must be constructed
> > manually, since __builtin_add_overflow() does not produce a constant
> > expression[3].
> >
> > Additionally adds __castable_to_type(), similar to __same_type(), for
> > checking if a constant value will fit in a given type (i.e. it could
> > be cast to the type without overflow).
> >
> > Add unit tests for overflows_type(), __same_type(), and
> > __castable_to_type() to the existing KUnit "overflow" test.
> >
> > [1] https://en.cppreference.com/w/c/language/_Static_assert
> > [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
> > [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
> > 6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
> > Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
> > type3 *res)
> >
> > Cc: Luc Van Oostenryck
> > Cc: Nathan Chancellor
> > Cc: Nick Desaulniers
> > Cc: Tom Rix
> > Cc: Daniel Latypov
> > Cc: Vitor Massaru Iha
> > Cc: "Gustavo A. R. Silva"
> > Cc: linux-harden...@vger.kernel.org
> > Cc: l...@lists.linux.dev
> > Co-developed-by: Gwan-gyeong Mun
> > Signed-off-by: Gwan-gyeong Mun
> > Signed-off-by: Kees Cook
> > ---
> > include/linux/compiler.h | 1 +
> > include/linux/overflow.h | 48 +
> > lib/overflow_kunit.c | 393 ++-
> > 3 files changed, 441 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> > index 7713d7bcdaea..c631107e93b1 100644
> > --- a/include/linux/compiler.h
> > +++ b/include/linux/compiler.h
> > @@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off)
> >* bool and also pointer types.
> >*/
> > #define is_signed_type(type) (((type)(-1)) < (__force type)1)
> > +#define is_unsigned_type(type) (!is_signed_type(type))
> > /*
> >* This is needed in functions which generate the stack canary, see
> > diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> > index 19dfdd74835e..c8cbeae5f4f8 100644
> > --- a/include/linux/overflow.h
> > +++ b/include/linux/overflow.h
> > @@ -127,6 +127,54 @@ static inline bool __must_check
> > __must_check_overflow(bool overflow)
> > (*_d >> _to_shift) != _a); \
> > }))
> > +#define __overflows_type_constexpr(x, T) ( \
> > + is_unsigned_type(typeof(x)) ? \
> > + (x) > type_max(typeof(T)) ? 1 : 0 \
> > + : is_unsigned_type(typeof(T)) ? \
> > + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0\
> > + : (x) < type_min(typeof(T)) || \
> > + (x) > type_max(typeof(T)) ? 1 : 0 )
> > +
> > +#define __overflows_type(x, T) ({ \
> > + typeof(T) v = 0;\
> > + check_add_overflow((x), v, &v); \
> > +})
> > +
> > +/**
> > + * overflows_type - helper for checking the overflows between value,
> > variables,
> > + * or data type
> > + *
> > + * @n: source constant value or variable to be checked
> > + * @T: destination variable or data type proposed to store @x
> > + *
> > + * Compares the @x expression for whether or not it can safely fit in
> > + * the storage of the type in @T. @x and @T can have different types.
> > + * If @x is a conxtant expression, this will also resolve to a constant
> > + * expression.
> > + *
> > + * Returns: true if overflow can occur, false otherwise.
> > + */
> > +#define overflows_type(n, T) \
> > + __builtin_choose_expr(__is_constexpr(n),\
> > + __overflows_type_constexpr(n, T), \
> > + __overflows_type(n, T))
> > +
> > +/**
> > + * __castable_to_type - like __same_type(), but also allows for casted
> > literals
> > + *
> > + * @n: variable or constant value
> > + * @T: data type or variable
> > + *
> > + * Unlike the __same_type() macro, this allows a constant value as the
> > + * first argument. If this value would not overflow into an assignment
> > + * of the second argument's type, it returns true. Otherwise, this falls
> > + * back to __same_type().
> > + */
> > +#define __castable_to_type(n, T) \
> > + __builtin_choose_expr(__is_constexpr(n),\
> > + !__overflows_type_constexpr(n, T),\
> > + __same_type(n, T))
> > +
> This name is fine, but I prefer the __same_typable you sugges
