[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On Sun, Sep 5, 2010 at 9:26 AM, Michael S. Tsirkin wrote: > On Sun, Sep 05, 2010 at 09:06:10AM +, Blue Swirl wrote: >> On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin wrote: >> > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: >> >> In the unsigned number space, the checks can be merged into one, >> >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we >> >> could have: >> >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { >> >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { >> >> >> >> This would also implement the check that the writer of this code was >> >> trying to make. >> >> The important thing to note is however is that the check as it is now >> >> is not correct. >> > >> > I agree. But it seems to indicate a bigger problem. >> > >> > If we are trying to pass in a negative value, which is not one >> > of enum values, using BlkDebugEvent as type is just confusing, >> > we should just pass int instead. >> >> AFAICT it's only possible to use the values listed in event_names in >> blkdebug.c, other values are rejected. So the check should actually be >> an assert() or it could even be removed. > > Sounds good. > >> >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out the >> >> >> check? Then if the value changes, the need to add the comparison back >> >> >> will be obvious. >> >> > >> >> > This would work but it's weird. The thing is it's currently a correct >> >> > code and the check may be useless but it's the optimiser's task to >> >> > remove it, not ours. The compiler is not able to tell whether the >> >> > check makes sense or nott, because the compiler only has access to >> >> > preprocessed code. So why should you let the compiler have anything >> >> > to say on it. >> >> >> >> Good point. I'll try to invent something better. >> > >> > Use #pragma to supress the warning? Maybe we could wrap this in a macro .. >> >> Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. >> >> I think the assertion is still the best way, it ensures that something >> will happen if OMAP_EMIFS_BASE changes. We could for example remove >> OMAP_EMIFS_BASE entirely (it's only used for the check), but someone >> adding a new define could still forget to adjust the check anyway. > > We could replace it with a macro > #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < OMAP_EMIFF_BASE) > but all this does look artificial. And of course using type casts > is always scary ... > > Would it help to have some inline functions that do the range checking > correctly? > We have a couple of range helpers in pci.h, these could be moved out > to range.h and we could add some more. As there act on u64 this will get > the type limits mostly automatically right. That seems to be the best solution, I get no warnings with this: diff --git a/hw/omap1.c b/hw/omap1.c index b00f870..8bf88e7 100644 --- a/hw/omap1.c +++ b/hw/omap1.c @@ -3672,14 +3672,25 @@ static int omap_validate_emiff_addr(struct omap_mpu_state_s *s, return addr >= OMAP_EMIFF_BASE && addr < OMAP_EMIFF_BASE + s->sdram_size; } +/* Get last byte of a range from offset + length. + * Undefined for ranges that wrap around 0. */ +static inline uint64_t range_get_last(uint64_t offset, uint64_t len) +{ +return offset + len - 1; +} + +/* Check whether a given range covers a given byte. */ +static inline int range_covers_byte(uint64_t offset, uint64_t len, +uint64_t byte) +{ +return offset <= byte && byte <= range_get_last(offset, len); +} + static int omap_validate_emifs_addr(struct omap_mpu_state_s *s, target_phys_addr_t addr) { -/* If OMAP_EMIFS_BASE ever becomes nonzero, adjust the check below - to also include the lower bound check like - addr >= OMAP_EMIFS_BASE && addr < OMAP_EMIFF_BASE */ -assert(OMAP_EMIFS_BASE == 0); -return addr < OMAP_EMIFF_BASE; +return range_covers_byte(OMAP_EMIFS_BASE, + OMAP_EMIFF_BASE - OMAP_EMIFS_BASE, addr); } static int omap_validate_imif_addr(struct omap_mpu_state_s *s, I'll add range.h and respin the patches.
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin wrote: > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: >> In the unsigned number space, the checks can be merged into one, >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we >> could have: >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { >> >> This would also implement the check that the writer of this code was >> trying to make. >> The important thing to note is however is that the check as it is now >> is not correct. > > I agree. But it seems to indicate a bigger problem. > > If we are trying to pass in a negative value, which is not one > of enum values, using BlkDebugEvent as type is just confusing, > we should just pass int instead. AFAICT it's only possible to use the values listed in event_names in blkdebug.c, other values are rejected. So the check should actually be an assert() or it could even be removed. >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out the >> >> check? Then if the value changes, the need to add the comparison back >> >> will be obvious. >> > >> > This would work but it's weird. The thing is it's currently a correct >> > code and the check may be useless but it's the optimiser's task to >> > remove it, not ours. The compiler is not able to tell whether the >> > check makes sense or nott, because the compiler only has access to >> > preprocessed code. So why should you let the compiler have anything >> > to say on it. >> >> Good point. I'll try to invent something better. > > Use #pragma to supress the warning? Maybe we could wrap this in a macro .. Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. I think the assertion is still the best way, it ensures that something will happen if OMAP_EMIFS_BASE changes. We could for example remove OMAP_EMIFS_BASE entirely (it's only used for the check), but someone adding a new define could still forget to adjust the check anyway.
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: > In the unsigned number space, the checks can be merged into one, > assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we > could have: > -if (event < 0 || event >= BLKDBG_EVENT_MAX) { > +if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { > > This would also implement the check that the writer of this code was > trying to make. > The important thing to note is however is that the check as it is now > is not correct. I agree. But it seems to indicate a bigger problem. If we are trying to pass in a negative value, which is not one of enum values, using BlkDebugEvent as type is just confusing, we should just pass int instead. > >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out the > >> check? Then if the value changes, the need to add the comparison back > >> will be obvious. > > > > This would work but it's weird. The thing is it's currently a correct > > code and the check may be useless but it's the optimiser's task to > > remove it, not ours. The compiler is not able to tell whether the > > check makes sense or nott, because the compiler only has access to > > preprocessed code. So why should you let the compiler have anything > > to say on it. > > Good point. I'll try to invent something better. Use #pragma to supress the warning? Maybe we could wrap this in a macro .. -- MST
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On Sun, Sep 05, 2010 at 09:44:01AM +, Blue Swirl wrote: > On Sun, Sep 5, 2010 at 9:26 AM, Michael S. Tsirkin wrote: > > On Sun, Sep 05, 2010 at 09:06:10AM +, Blue Swirl wrote: > >> On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin wrote: > >> > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: > >> >> In the unsigned number space, the checks can be merged into one, > >> >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we > >> >> could have: > >> >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { > >> >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { > >> >> > >> >> This would also implement the check that the writer of this code was > >> >> trying to make. > >> >> The important thing to note is however is that the check as it is now > >> >> is not correct. > >> > > >> > I agree. But it seems to indicate a bigger problem. > >> > > >> > If we are trying to pass in a negative value, which is not one > >> > of enum values, using BlkDebugEvent as type is just confusing, > >> > we should just pass int instead. > >> > >> AFAICT it's only possible to use the values listed in event_names in > >> blkdebug.c, other values are rejected. So the check should actually be > >> an assert() or it could even be removed. > > > > Sounds good. > > > >> >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out the > >> >> >> check? Then if the value changes, the need to add the comparison back > >> >> >> will be obvious. > >> >> > > >> >> > This would work but it's weird. The thing is it's currently a correct > >> >> > code and the check may be useless but it's the optimiser's task to > >> >> > remove it, not ours. The compiler is not able to tell whether the > >> >> > check makes sense or nott, because the compiler only has access to > >> >> > preprocessed code. So why should you let the compiler have anything > >> >> > to say on it. > >> >> > >> >> Good point. I'll try to invent something better. > >> > > >> > Use #pragma to supress the warning? Maybe we could wrap this in a macro > >> > .. > >> > >> Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. > >> > >> I think the assertion is still the best way, it ensures that something > >> will happen if OMAP_EMIFS_BASE changes. We could for example remove > >> OMAP_EMIFS_BASE entirely (it's only used for the check), but someone > >> adding a new define could still forget to adjust the check anyway. > > > > We could replace it with a macro > > #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < OMAP_EMIFF_BASE) > > but all this does look artificial. And of course using type casts > > is always scary ... > > > > Would it help to have some inline functions that do the range checking > > correctly? > > We have a couple of range helpers in pci.h, these could be moved out > > to range.h and we could add some more. As there act on u64 this will get > > the type limits mostly automatically right. > > That seems to be the best solution, I get no warnings with this: > > diff --git a/hw/omap1.c b/hw/omap1.c > index b00f870..8bf88e7 100644 > --- a/hw/omap1.c > +++ b/hw/omap1.c > @@ -3672,14 +3672,25 @@ static int omap_validate_emiff_addr(struct > omap_mpu_state_s *s, > return addr >= OMAP_EMIFF_BASE && addr < OMAP_EMIFF_BASE + s->sdram_size; > } > > +/* Get last byte of a range from offset + length. > + * Undefined for ranges that wrap around 0. */ > +static inline uint64_t range_get_last(uint64_t offset, uint64_t len) > +{ > +return offset + len - 1; > +} > + > +/* Check whether a given range covers a given byte. */ > +static inline int range_covers_byte(uint64_t offset, uint64_t len, > +uint64_t byte) > +{ > +return offset <= byte && byte <= range_get_last(offset, len); > +} > + > static int omap_validate_emifs_addr(struct omap_mpu_state_s *s, > target_phys_addr_t addr) > { > -/* If OMAP_EMIFS_BASE ever becomes nonzero, adjust the check below > - to also include the lower bound check like > - addr >= OMAP_EMIFS_BASE && addr < OMAP_EMIFF_BASE */ > -assert(OMAP_EMIFS_BASE == 0); > -return addr < OMAP_EMIFF_BASE; > +return range_covers_byte(OMAP_EMIFS_BASE, > + OMAP_EMIFF_BASE - OMAP_EMIFS_BASE, addr); > } > > static int omap_validate_imif_addr(struct omap_mpu_state_s *s, > > I'll add range.h and respin the patches. BTW, maybe we want a variant of range_covers_byte that gets first and after last byte values, but so far we could not come up with good name for that function, and 1 after last semantics might be confusing. One small comment: these are currenly wrong if the range wraps around to 0 - and there's a comment that says so there. This was never a problem for pci, but it might be if we are making them generic. -- MST
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On Sun, Sep 05, 2010 at 09:06:10AM +, Blue Swirl wrote: > On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin wrote: > > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: > >> In the unsigned number space, the checks can be merged into one, > >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we > >> could have: > >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { > >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { > >> > >> This would also implement the check that the writer of this code was > >> trying to make. > >> The important thing to note is however is that the check as it is now > >> is not correct. > > > > I agree. But it seems to indicate a bigger problem. > > > > If we are trying to pass in a negative value, which is not one > > of enum values, using BlkDebugEvent as type is just confusing, > > we should just pass int instead. > > AFAICT it's only possible to use the values listed in event_names in > blkdebug.c, other values are rejected. So the check should actually be > an assert() or it could even be removed. Sounds good. > >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out the > >> >> check? Then if the value changes, the need to add the comparison back > >> >> will be obvious. > >> > > >> > This would work but it's weird. The thing is it's currently a correct > >> > code and the check may be useless but it's the optimiser's task to > >> > remove it, not ours. The compiler is not able to tell whether the > >> > check makes sense or nott, because the compiler only has access to > >> > preprocessed code. So why should you let the compiler have anything > >> > to say on it. > >> > >> Good point. I'll try to invent something better. > > > > Use #pragma to supress the warning? Maybe we could wrap this in a macro .. > > Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. > > I think the assertion is still the best way, it ensures that something > will happen if OMAP_EMIFS_BASE changes. We could for example remove > OMAP_EMIFS_BASE entirely (it's only used for the check), but someone > adding a new define could still forget to adjust the check anyway. We could replace it with a macro #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < OMAP_EMIFF_BASE) but all this does look artificial. And of course using type casts is always scary ... Would it help to have some inline functions that do the range checking correctly? We have a couple of range helpers in pci.h, these could be moved out to range.h and we could add some more. As there act on u64 this will get the type limits mostly automatically right. -- MST
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On 5 September 2010 11:44, Blue Swirl wrote: > On Sun, Sep 5, 2010 at 9:26 AM, Michael S. Tsirkin wrote: >> On Sun, Sep 05, 2010 at 09:06:10AM +, Blue Swirl wrote: >>> On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin wrote: >>> > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: >>> >> In the unsigned number space, the checks can be merged into one, >>> >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we >>> >> could have: >>> >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { >>> >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { >>> >> >>> >> This would also implement the check that the writer of this code was >>> >> trying to make. >>> >> The important thing to note is however is that the check as it is now >>> >> is not correct. I agree, assuming that an enum can reach 0x8000 different values, perhaps the current code is not ideal. Still I think calling it "wrong" is wrong, and calling your patch a "fix" is wrong. (Same as calling patches that remove a warning a "fix", they are workarounds) >>> > >>> > I agree. But it seems to indicate a bigger problem. >>> > >>> > If we are trying to pass in a negative value, which is not one >>> > of enum values, using BlkDebugEvent as type is just confusing, >>> > we should just pass int instead. >>> >>> AFAICT it's only possible to use the values listed in event_names in >>> blkdebug.c, other values are rejected. So the check should actually be >>> an assert() or it could even be removed. >> >> Sounds good. >> >>> >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out the >>> >> >> check? Then if the value changes, the need to add the comparison back >>> >> >> will be obvious. >>> >> > >>> >> > This would work but it's weird. The thing is it's currently a correct >>> >> > code and the check may be useless but it's the optimiser's task to >>> >> > remove it, not ours. The compiler is not able to tell whether the >>> >> > check makes sense or nott, because the compiler only has access to >>> >> > preprocessed code. So why should you let the compiler have anything >>> >> > to say on it. >>> >> >>> >> Good point. I'll try to invent something better. >>> > >>> > Use #pragma to supress the warning? Maybe we could wrap this in a macro .. >>> >>> Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. >>> >>> I think the assertion is still the best way, it ensures that something >>> will happen if OMAP_EMIFS_BASE changes. We could for example remove >>> OMAP_EMIFS_BASE entirely (it's only used for the check), but someone >>> adding a new define could still forget to adjust the check anyway. >> >> We could replace it with a macro >> #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < OMAP_EMIFF_BASE) >> but all this does look artificial. And of course using type casts >> is always scary ... >> >> Would it help to have some inline functions that do the range checking >> correctly? >> We have a couple of range helpers in pci.h, these could be moved out >> to range.h and we could add some more. As there act on u64 this will get >> the type limits mostly automatically right. > > That seems to be the best solution, I get no warnings with this: While the resulting code is clean (just as the current code), I think it really shows that this warning should not be enabled. At this point you find yourself working around your compiler and potentially forcing other write some really strange code to work around the problem caused by this. There are many warnings that should not be enabled by default for this reason (like the uninitialised variable warning) unless they are fixed to be really intelligent (which is unlikely in this case). Cheers
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On Sun, Sep 5, 2010 at 3:26 PM, andrzej zaborowski wrote: > On 5 September 2010 11:44, Blue Swirl wrote: >> On Sun, Sep 5, 2010 at 9:26 AM, Michael S. Tsirkin wrote: >>> On Sun, Sep 05, 2010 at 09:06:10AM +, Blue Swirl wrote: On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin wrote: > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: >> In the unsigned number space, the checks can be merged into one, >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we >> could have: >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { >> >> This would also implement the check that the writer of this code was >> trying to make. >> The important thing to note is however is that the check as it is now >> is not correct. > > I agree, assuming that an enum can reach 0x8000 different values, > perhaps the current code is not ideal. Still I think calling it > "wrong" is wrong, and calling your patch a "fix" is wrong. (Same as > calling patches that remove a warning a "fix", they are workarounds) On what basis do you still claim that? I think I explained the problem at detail. There is a bug. I have a fix for the bug. The fix is not a workaround, except maybe for committee-induced stupidity which created the enum signedness ambiguity in the first place. > I agree. But it seems to indicate a bigger problem. > > If we are trying to pass in a negative value, which is not one > of enum values, using BlkDebugEvent as type is just confusing, > we should just pass int instead. AFAICT it's only possible to use the values listed in event_names in blkdebug.c, other values are rejected. So the check should actually be an assert() or it could even be removed. >>> >>> Sounds good. >>> >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out the >> >> check? Then if the value changes, the need to add the comparison back >> >> will be obvious. >> > >> > This would work but it's weird. The thing is it's currently a correct >> > code and the check may be useless but it's the optimiser's task to >> > remove it, not ours. The compiler is not able to tell whether the >> > check makes sense or nott, because the compiler only has access to >> > preprocessed code. So why should you let the compiler have anything >> > to say on it. >> >> Good point. I'll try to invent something better. > > Use #pragma to supress the warning? Maybe we could wrap this in a macro > .. Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. I think the assertion is still the best way, it ensures that something will happen if OMAP_EMIFS_BASE changes. We could for example remove OMAP_EMIFS_BASE entirely (it's only used for the check), but someone adding a new define could still forget to adjust the check anyway. >>> >>> We could replace it with a macro >>> #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < OMAP_EMIFF_BASE) >>> but all this does look artificial. And of course using type casts >>> is always scary ... >>> >>> Would it help to have some inline functions that do the range checking >>> correctly? >>> We have a couple of range helpers in pci.h, these could be moved out >>> to range.h and we could add some more. As there act on u64 this will get >>> the type limits mostly automatically right. >> >> That seems to be the best solution, I get no warnings with this: > > While the resulting code is clean (just as the current code), I think > it really shows that this warning should not be enabled. At this > point you find yourself working around your compiler and potentially > forcing other write some really strange code to work around the > problem caused by this. The warnings generated by -Wtype-limits are very useful, because with it I have found several bugs in the code. Even the patches that are not bugs fixes are cleanups, not 'some really strange code'. Please take a look at the 15 piece patch set I sent last, the patches identify the problems better than this one you are replying to. Which ones do you still think are only workarounds? Please be more specific. > There are many warnings that should not be enabled by default for this > reason (like the uninitialised variable warning) unless they are fixed > to be really intelligent (which is unlikely in this case). Please review the latest set of patches and provide hard facts to support your claims.
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On 5 September 2010 18:15, Blue Swirl wrote: > On Sun, Sep 5, 2010 at 3:26 PM, andrzej zaborowski wrote: >> On 5 September 2010 11:44, Blue Swirl wrote: >>> On Sun, Sep 5, 2010 at 9:26 AM, Michael S. Tsirkin wrote: On Sun, Sep 05, 2010 at 09:06:10AM +, Blue Swirl wrote: > On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin > wrote: > > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: > >> In the unsigned number space, the checks can be merged into one, > >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we > >> could have: > >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { > >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { > >> > >> This would also implement the check that the writer of this code was > >> trying to make. > >> The important thing to note is however is that the check as it is now > >> is not correct. >> >> I agree, assuming that an enum can reach 0x8000 different values, >> perhaps the current code is not ideal. Still I think calling it >> "wrong" is wrong, and calling your patch a "fix" is wrong. (Same as >> calling patches that remove a warning a "fix", they are workarounds) > > On what basis do you still claim that? I wanted to ask the same question. Without constants in the definition, the values of an enum range from 0 to N-1. You explained that if the enum had INT_MAX different values, then the signedness of the values would matter (but for it to be signed would require it to have constants again, which is not the case for enumerations of types of an event). Can an enum even have INT_MAX values? It for sure can't have UINT_MAX values. You failed to give an example value which would make any difference in the result of the check. Perhaps I'm misunderstanding where you see the bug. > I think I explained the problem > at detail. There is a bug. I have a fix for the bug. The fix is not a > workaround, except maybe for committee-induced stupidity which created > the enum signedness ambiguity in the first place. > > > I agree. But it seems to indicate a bigger problem. > > > > If we are trying to pass in a negative value, which is not one > > of enum values, using BlkDebugEvent as type is just confusing, > > we should just pass int instead. > > AFAICT it's only possible to use the values listed in event_names in > blkdebug.c, other values are rejected. So the check should actually be > an assert() or it could even be removed. Sounds good. > >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out the > >> >> check? Then if the value changes, the need to add the comparison > >> >> back > >> >> will be obvious. > >> > > >> > This would work but it's weird. The thing is it's currently a > >> > correct > >> > code and the check may be useless but it's the optimiser's task to > >> > remove it, not ours. The compiler is not able to tell whether the > >> > check makes sense or nott, because the compiler only has access to > >> > preprocessed code. So why should you let the compiler have anything > >> > to say on it. > >> > >> Good point. I'll try to invent something better. > > > > Use #pragma to supress the warning? Maybe we could wrap this in a macro > > .. > > Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. > > I think the assertion is still the best way, it ensures that something > will happen if OMAP_EMIFS_BASE changes. We could for example remove > OMAP_EMIFS_BASE entirely (it's only used for the check), but someone > adding a new define could still forget to adjust the check anyway. We could replace it with a macro #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < OMAP_EMIFF_BASE) but all this does look artificial. And of course using type casts is always scary ... Would it help to have some inline functions that do the range checking correctly? We have a couple of range helpers in pci.h, these could be moved out to range.h and we could add some more. As there act on u64 this will get the type limits mostly automatically right. >>> >>> That seems to be the best solution, I get no warnings with this: >> >> While the resulting code is clean (just as the current code), I think >> it really shows that this warning should not be enabled. At this >> point you find yourself working around your compiler and potentially >> forcing other write some really strange code to work around the >> problem caused by this. > > The warnings generated by -Wtype-limits are very useful, because with > it I have found several bugs in the code. Is that an argument for enabling a warning *by default*? Looking at any specific part of the code you'll find bugs. If you enable some warning, it'll hint on a given subset of the places in the code,
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On 5 September 2010 19:02, andrzej zaborowski wrote: > Patches 05, 06, 07, 09, 11, 14, 15 all replace one version of the code > with a different that achieves the exact same functionality for all Sorry, patch 11 is a fix (unrelated to the warning though). Cheers
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On Sun, Sep 5, 2010 at 5:02 PM, andrzej zaborowski wrote: > On 5 September 2010 18:15, Blue Swirl wrote: >> On Sun, Sep 5, 2010 at 3:26 PM, andrzej zaborowski wrote: >>> On 5 September 2010 11:44, Blue Swirl wrote: On Sun, Sep 5, 2010 at 9:26 AM, Michael S. Tsirkin wrote: > On Sun, Sep 05, 2010 at 09:06:10AM +, Blue Swirl wrote: >> On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin >> wrote: >> > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: >> >> In the unsigned number space, the checks can be merged into one, >> >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we >> >> could have: >> >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { >> >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { >> >> >> >> This would also implement the check that the writer of this code was >> >> trying to make. >> >> The important thing to note is however is that the check as it is now >> >> is not correct. >>> >>> I agree, assuming that an enum can reach 0x8000 different values, >>> perhaps the current code is not ideal. Still I think calling it >>> "wrong" is wrong, and calling your patch a "fix" is wrong. (Same as >>> calling patches that remove a warning a "fix", they are workarounds) >> >> On what basis do you still claim that? > > I wanted to ask the same question. Without constants in the > definition, the values of an enum range from 0 to N-1. You explained > that if the enum had INT_MAX different values, then the signedness of > the values would matter I never said anything about INT_MAX different values, you did. > (but for it to be signed would require it to > have constants again, which is not the case for enumerations of types > of an event). Can an enum even have INT_MAX values? It for sure > can't have UINT_MAX values. You failed to give an example value which > would make any difference in the result of the check. Perhaps I'm > misunderstanding where you see the bug. Yes, please read the discussion again. Especially my message with the example program. >> I think I explained the problem >> at detail. There is a bug. I have a fix for the bug. The fix is not a >> workaround, except maybe for committee-induced stupidity which created >> the enum signedness ambiguity in the first place. >> >> > I agree. But it seems to indicate a bigger problem. >> > >> > If we are trying to pass in a negative value, which is not one >> > of enum values, using BlkDebugEvent as type is just confusing, >> > we should just pass int instead. >> >> AFAICT it's only possible to use the values listed in event_names in >> blkdebug.c, other values are rejected. So the check should actually be >> an assert() or it could even be removed. > > Sounds good. > >> >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out >> >> >> the >> >> >> check? Then if the value changes, the need to add the comparison >> >> >> back >> >> >> will be obvious. >> >> > >> >> > This would work but it's weird. The thing is it's currently a >> >> > correct >> >> > code and the check may be useless but it's the optimiser's task to >> >> > remove it, not ours. The compiler is not able to tell whether the >> >> > check makes sense or nott, because the compiler only has access to >> >> > preprocessed code. So why should you let the compiler have anything >> >> > to say on it. >> >> >> >> Good point. I'll try to invent something better. >> > >> > Use #pragma to supress the warning? Maybe we could wrap this in a >> > macro .. >> >> Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. >> >> I think the assertion is still the best way, it ensures that something >> will happen if OMAP_EMIFS_BASE changes. We could for example remove >> OMAP_EMIFS_BASE entirely (it's only used for the check), but someone >> adding a new define could still forget to adjust the check anyway. > > We could replace it with a macro > #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < > OMAP_EMIFF_BASE) > but all this does look artificial. And of course using type casts > is always scary ... > > Would it help to have some inline functions that do the range checking > correctly? > We have a couple of range helpers in pci.h, these could be moved out > to range.h and we could add some more. As there act on u64 this will get > the type limits mostly automatically right. That seems to be the best solution, I get no warnings with this: >>> >>> While the resulting code is clean (just as the current code), I think >>> it really shows that this warning should not be enabled. At this >>> point you find yourself working around your compiler and potentially >>> forcing other write some really strange code to work around the >>> pro
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On 5 September 2010 21:16, Blue Swirl wrote: > On Sun, Sep 5, 2010 at 5:02 PM, andrzej zaborowski wrote: >> On 5 September 2010 18:15, Blue Swirl wrote: >>> On Sun, Sep 5, 2010 at 3:26 PM, andrzej zaborowski >>> wrote: On 5 September 2010 11:44, Blue Swirl wrote: > On Sun, Sep 5, 2010 at 9:26 AM, Michael S. Tsirkin > wrote: >> On Sun, Sep 05, 2010 at 09:06:10AM +, Blue Swirl wrote: >>> On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin >>> wrote: >>> > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: >>> >> In the unsigned number space, the checks can be merged into one, >>> >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we >>> >> could have: >>> >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { >>> >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { >>> >> >>> >> This would also implement the check that the writer of this code was >>> >> trying to make. >>> >> The important thing to note is however is that the check as it is now >>> >> is not correct. I agree, assuming that an enum can reach 0x8000 different values, perhaps the current code is not ideal. Still I think calling it "wrong" is wrong, and calling your patch a "fix" is wrong. (Same as calling patches that remove a warning a "fix", they are workarounds) >>> >>> On what basis do you still claim that? >> >> I wanted to ask the same question. Without constants in the >> definition, the values of an enum range from 0 to N-1. You explained >> that if the enum had INT_MAX different values, then the signedness of >> the values would matter > > I never said anything about INT_MAX different values, you did. You said a BLKDBG_EVENT_MAX >= 0x8000 and that the enum has to be signed, how will that happen? > >> (but for it to be signed would require it to >> have constants again, which is not the case for enumerations of types >> of an event). Can an enum even have INT_MAX values? It for sure >> can't have UINT_MAX values. You failed to give an example value which >> would make any difference in the result of the check. Perhaps I'm >> misunderstanding where you see the bug. > > Yes, please read the discussion again. Especially my message with the > example program. I've re-read it and confirmed that you failed to show a scenario that the check does not address. I'm trying to understand why you call this code buggy. The line is if (event < 0 || event >= BLKDBG_EVENT_MAX) { and it assures that an out-of-range value of "event" will not get used. > >>> I think I explained the problem >>> at detail. There is a bug. I have a fix for the bug. The fix is not a >>> workaround, except maybe for committee-induced stupidity which created >>> the enum signedness ambiguity in the first place. >>> >>> > I agree. But it seems to indicate a bigger problem. >>> > >>> > If we are trying to pass in a negative value, which is not one >>> > of enum values, using BlkDebugEvent as type is just confusing, >>> > we should just pass int instead. >>> >>> AFAICT it's only possible to use the values listed in event_names in >>> blkdebug.c, other values are rejected. So the check should actually be >>> an assert() or it could even be removed. >> >> Sounds good. >> >>> >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out >>> >> >> the >>> >> >> check? Then if the value changes, the need to add the comparison >>> >> >> back >>> >> >> will be obvious. >>> >> > >>> >> > This would work but it's weird. The thing is it's currently a >>> >> > correct >>> >> > code and the check may be useless but it's the optimiser's task to >>> >> > remove it, not ours. The compiler is not able to tell whether the >>> >> > check makes sense or nott, because the compiler only has access to >>> >> > preprocessed code. So why should you let the compiler have >>> >> > anything >>> >> > to say on it. >>> >> >>> >> Good point. I'll try to invent something better. >>> > >>> > Use #pragma to supress the warning? Maybe we could wrap this in a >>> > macro .. >>> >>> Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. >>> >>> I think the assertion is still the best way, it ensures that something >>> will happen if OMAP_EMIFS_BASE changes. We could for example remove >>> OMAP_EMIFS_BASE entirely (it's only used for the check), but someone >>> adding a new define could still forget to adjust the check anyway. >> >> We could replace it with a macro >> #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < >> OMAP_EMIFF_BASE) >> but all this does look artificial. And of course using type casts >> is always scary ... >> >> Would it help to have some inline functions that do the range checking >> correctly? >> We have
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On Sun, Sep 5, 2010 at 8:32 PM, andrzej zaborowski wrote: > On 5 September 2010 21:16, Blue Swirl wrote: >> On Sun, Sep 5, 2010 at 5:02 PM, andrzej zaborowski wrote: >>> On 5 September 2010 18:15, Blue Swirl wrote: On Sun, Sep 5, 2010 at 3:26 PM, andrzej zaborowski wrote: > On 5 September 2010 11:44, Blue Swirl wrote: >> On Sun, Sep 5, 2010 at 9:26 AM, Michael S. Tsirkin >> wrote: >>> On Sun, Sep 05, 2010 at 09:06:10AM +, Blue Swirl wrote: On Sun, Sep 5, 2010 at 7:54 AM, Michael S. Tsirkin wrote: > On Sat, Sep 04, 2010 at 05:21:24PM +, Blue Swirl wrote: >> In the unsigned number space, the checks can be merged into one, >> assuming that BLKDBG_EVEN_MAX is less than INT_MAX. Alternatively we >> could have: >> - if (event < 0 || event >= BLKDBG_EVENT_MAX) { >> + if ((int)event < 0 || event >= BLKDBG_EVENT_MAX) { >> >> This would also implement the check that the writer of this code was >> trying to make. >> The important thing to note is however is that the check as it is >> now >> is not correct. > > I agree, assuming that an enum can reach 0x8000 different values, > perhaps the current code is not ideal. Still I think calling it > "wrong" is wrong, and calling your patch a "fix" is wrong. (Same as > calling patches that remove a warning a "fix", they are workarounds) On what basis do you still claim that? >>> >>> I wanted to ask the same question. Without constants in the >>> definition, the values of an enum range from 0 to N-1. You explained >>> that if the enum had INT_MAX different values, then the signedness of >>> the values would matter >> >> I never said anything about INT_MAX different values, you did. > > You said a BLKDBG_EVENT_MAX >= 0x8000 and that the enum has to be > signed, how will that happen? Please be more careful with your attributions. I did not say that either. The problem case is when BLKDBG_EVENT_MAX > 0x8000 and the type of enum is unsigned. This can happen easily by typedef enum { BLKDBG_EVENT_MAX = 0x8001, } BlkDebugEvent; >>> (but for it to be signed would require it to >>> have constants again, which is not the case for enumerations of types >>> of an event). Can an enum even have INT_MAX values? It for sure >>> can't have UINT_MAX values. You failed to give an example value which >>> would make any difference in the result of the check. Perhaps I'm >>> misunderstanding where you see the bug. >> >> Yes, please read the discussion again. Especially my message with the >> example program. > > I've re-read it and confirmed that you failed to show a scenario that > the check does not address. I'm trying to understand why you call > this code buggy. > > The line is if (event < 0 || event >= BLKDBG_EVENT_MAX) { and it > assures that an out-of-range value of "event" will not get used. The problem case is when BLKDBG_EVENT_MAX > 0x8000 and the type of enum is unsigned. Then the first check is ignored by the compiler and the second does not catch values which are between 0x8000 and BLKDBG_EVENT_MAX. This may not be what was desired by the check, though. Those values will be caught with the int cast, or if the compiler still happens to make the enum signed (for example, because BLKDBG_EVENT_MAX was changed to a #define in order to support compilers which don't allow too large enum values). I think I explained the problem at detail. There is a bug. I have a fix for the bug. The fix is not a workaround, except maybe for committee-induced stupidity which created the enum signedness ambiguity in the first place. > I agree. But it seems to indicate a bigger problem. > > If we are trying to pass in a negative value, which is not one > of enum values, using BlkDebugEvent as type is just confusing, > we should just pass int instead. AFAICT it's only possible to use the values listed in event_names in blkdebug.c, other values are rejected. So the check should actually be an assert() or it could even be removed. >>> >>> Sounds good. >>> >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out >> >> the >> >> check? Then if the value changes, the need to add the comparison >> >> back >> >> will be obvious. >> > >> > This would work but it's weird. The thing is it's currently a >> > correct >> > code and the check may be useless but it's the optimiser's task to >> > remove it, not ours. The compiler is not able to tell whether the >> > check makes sense or nott, because the compiler only has access to >> > preprocessed code. So why should you let the compiler have >> > anything >> > to say
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On 5 September 2010 23:44, Blue Swirl wrote: > The problem case is when BLKDBG_EVENT_MAX > 0x8000 and the type of > enum is unsigned. Then the first check is ignored by the compiler and > the second does not catch values which are between 0x8000 and > BLKDBG_EVENT_MAX. This may not be what was desired by the check, > though. > > Those values will be caught with the int cast, or if the compiler > still happens to make the enum signed (for example, because > BLKDBG_EVENT_MAX was changed to a #define in order to support > compilers which don't allow too large enum values). So you're actually talking about INT_MAX + 1, not 0x8000, the number depends on the abi. Quite clearly BLKDBG_EVENT_MAX is the max value in the enum so that the values can be used as indices of an array of a known size. I think it's safe to say it is < INT_MAX. > > I think I explained the problem > at detail. There is a bug. I have a fix for the bug. The fix is not a > workaround, except maybe for committee-induced stupidity which created > the enum signedness ambiguity in the first place. > > > I agree. But it seems to indicate a bigger problem. > > > > If we are trying to pass in a negative value, which is not one > > of enum values, using BlkDebugEvent as type is just confusing, > > we should just pass int instead. > > AFAICT it's only possible to use the values listed in event_names in > blkdebug.c, other values are rejected. So the check should actually be > an assert() or it could even be removed. Sounds good. > >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting > >> >> out the > >> >> check? Then if the value changes, the need to add the > >> >> comparison back > >> >> will be obvious. > >> > > >> > This would work but it's weird. The thing is it's currently a > >> > correct > >> > code and the check may be useless but it's the optimiser's task > >> > to > >> > remove it, not ours. The compiler is not able to tell whether > >> > the > >> > check makes sense or nott, because the compiler only has access > >> > to > >> > preprocessed code. So why should you let the compiler have > >> > anything > >> > to say on it. > >> > >> Good point. I'll try to invent something better. > > > > Use #pragma to supress the warning? Maybe we could wrap this in a > > macro .. > > Those lines may also desynch silently with changes to OMAP_EMIFS_BASE. > > I think the assertion is still the best way, it ensures that something > will happen if OMAP_EMIFS_BASE changes. We could for example remove > OMAP_EMIFS_BASE entirely (it's only used for the check), but someone > adding a new define could still forget to adjust the check anyway. We could replace it with a macro #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < OMAP_EMIFF_BASE) but all this does look artificial. And of course using type casts is always scary ... Would it help to have some inline functions that do the range checking correctly? We have a couple of range helpers in pci.h, these could be moved out to range.h and we could add some more. As there act on u64 this will get the type limits mostly automatically right. >>> >>> That seems to be the best solution, I get no warnings with this: >> >> While the resulting code is clean (just as the current code), I think >> it really shows that this warning should not be enabled. At this >> point you find yourself working around your compiler and potentially >> forcing other write some really strange code to work around the >> problem caused by this. > > The warnings generated by -Wtype-limits are very useful, because with > it I have found several bugs in the code. Is that an argument for enabling a warning *by default*? Looking at any specific part of the code you'll find bugs. If you enable some warning, it'll hint on a given subset of the places in the code, some of which are bugs and some are false-positives. Enable a different warning and you get a different subset. Grep for any given keyword or constant and you get a different subset. >>> >>> Right, so when we enable *by default* the warning, buggy code (and >>> unfortunately the false positives, if any) will not be committed. >> >> Ok, so "malloc causes memory leeks, let's forbid dynamic allocation", right? > > The questionable malloc policies of your employer have nothing to do > with this. If you don't agree with them, you can argue for a change in > the rules or seek employment in a company without
[Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
On Sun, Sep 5, 2010 at 10:33 PM, andrzej zaborowski wrote: > On 5 September 2010 23:44, Blue Swirl wrote: >> The problem case is when BLKDBG_EVENT_MAX > 0x8000 and the type of >> enum is unsigned. Then the first check is ignored by the compiler and >> the second does not catch values which are between 0x8000 and >> BLKDBG_EVENT_MAX. This may not be what was desired by the check, >> though. >> >> Those values will be caught with the int cast, or if the compiler >> still happens to make the enum signed (for example, because >> BLKDBG_EVENT_MAX was changed to a #define in order to support >> compilers which don't allow too large enum values). > > So you're actually talking about INT_MAX + 1, not 0x8000, the > number depends on the abi. > > Quite clearly BLKDBG_EVENT_MAX is the max value in the enum so that > the values can be used as indices of an array of a known size. I > think it's safe to say it is < INT_MAX. > >> >> I think I explained the problem >> at detail. There is a bug. I have a fix for the bug. The fix is not a >> workaround, except maybe for committee-induced stupidity which created >> the enum signedness ambiguity in the first place. >> >> > I agree. But it seems to indicate a bigger problem. >> > >> > If we are trying to pass in a negative value, which is not one >> > of enum values, using BlkDebugEvent as type is just confusing, >> > we should just pass int instead. >> >> AFAICT it's only possible to use the values listed in event_names in >> blkdebug.c, other values are rejected. So the check should actually >> be >> an assert() or it could even be removed. > > Sounds good. > >> >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting >> >> >> out the >> >> >> check? Then if the value changes, the need to add the >> >> >> comparison back >> >> >> will be obvious. >> >> > >> >> > This would work but it's weird. The thing is it's currently a >> >> > correct >> >> > code and the check may be useless but it's the optimiser's task >> >> > to >> >> > remove it, not ours. The compiler is not able to tell whether >> >> > the >> >> > check makes sense or nott, because the compiler only has access >> >> > to >> >> > preprocessed code. So why should you let the compiler have >> >> > anything >> >> > to say on it. >> >> >> >> Good point. I'll try to invent something better. >> > >> > Use #pragma to supress the warning? Maybe we could wrap this in a >> > macro .. >> >> Those lines may also desynch silently with changes to >> OMAP_EMIFS_BASE. >> >> I think the assertion is still the best way, it ensures that >> something >> will happen if OMAP_EMIFS_BASE changes. We could for example remove >> OMAP_EMIFS_BASE entirely (it's only used for the check), but someone >> adding a new define could still forget to adjust the check anyway. > > We could replace it with a macro > #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < > OMAP_EMIFF_BASE) > but all this does look artificial. And of course using type casts > is always scary ... > > Would it help to have some inline functions that do the range > checking correctly? > We have a couple of range helpers in pci.h, these could be moved out > to range.h and we could add some more. As there act on u64 this will > get > the type limits mostly automatically right. That seems to be the best solution, I get no warnings with this: >>> >>> While the resulting code is clean (just as the current code), I think >>> it really shows that this warning should not be enabled. At this >>> point you find yourself working around your compiler and potentially >>> forcing other write some really strange code to work around the >>> problem caused by this. >> >> The warnings generated by -Wtype-limits are very useful, because with >> it I have found several bugs in the code. > > Is that an argument for enabling a warning *by default*? Looking at > any specific part of the code you'll find bugs. If you enable some > warning, it'll hint on a given subset of the places in the code, some > of which are bugs and some are false-positives. Enable a different > warning and you get a different subset. Grep for any given keyword or > constant and you get a different subset. Right, so when we enable *by default* the warning, buggy code (and unfortunately the false positives, if any) will not be committed. >>> >>> Ok, so "malloc causes memory leeks, let's forbid dynamic allocation",