[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH 3/4] xen/include: add pure and const attributes

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Simone Ballarin <simone.ballarin@xxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 23 Oct 2023 16:09:59 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=X5LI3x2WEvbKEUrvYpwQ9OOcUIwm2RIVCjlxQutqqaI=; b=Nh/NwIofOrW2URv0uBYfdKXe+2QZ0t5pnzs3GKiSqxSt+r+GjgO94qicr7Jvo3qx0U2ZW3e1pzCzpmcvXOi4CXtjWPzEyFdCzaoarMKrMiKgv34TsCTww1ucrtLkCg3kDPGzmFTENNyGATIiObruGJzti/3NOLJdPvOfYKxVnexBe3SgN3nLXhrxUXyM4hFW8D1Mdf2+keewc21Ph0P7XYjf3CNhMeqj0hwGj2hZEyxuWGn1KWFkp3ImGUe86SP5Lds5zvoAybhbuVQqweRY+vf9vkgKwyj0wvdyklK5NrMe6Ew3qL8OTqV4Da4dsb1a+qDiXVABezx7XG6UFmv7Xw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fHm1c3nk0JkQ5UdWJ0BiqhRbcaUTOUYideiDTjoJ8bUBflITEmSNOvMuSk4p2PUc5F3KiEVgDDSyCJeQvq9LZZ29m8hKgk2+gbHdo77ZmwGylq6Q9fk8hpYq/KC9QvA0+eRcR28ksT8hveoDYnYMPJSF9Hs9B9UinraDMUgV4iwlc/hU3YlmvvQ3GVHTpxZ6SIeAoiGajcbc4yYe1JFQEQZQKI1baN/Y/t1q+SLFiL9WixmMsuCePG56nelTTeGV1a386Y9mm0XthRz9AWl2NoAv0zFLgghIQjJ+0nddTq8sDtN05V60b20XbUMXI9vAj+QUXtwshKXGNUm0VIS68A==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: consulting@xxxxxxxxxxx, sstabellini@xxxxxxxxxx, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 23 Oct 2023 14:10:11 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 23.10.2023 15:51, Andrew Cooper wrote:
> On 23/10/2023 2:34 pm, Jan Beulich wrote:
>> On 18.10.2023 16:18, Simone Ballarin wrote:
>>> --- a/xen/include/xen/pdx.h
>>> +++ b/xen/include/xen/pdx.h
>>> @@ -164,7 +164,7 @@ static inline unsigned long pfn_to_pdx(unsigned long 
>>> pfn)
>>>   * @param pdx Page index
>>>   * @return Obtained pfn after decompressing the pdx
>>>   */
>>> -static inline unsigned long pdx_to_pfn(unsigned long pdx)
>>> +static inline __attribute_pure__ unsigned long pdx_to_pfn(unsigned long 
>>> pdx)
>>>  {
>>>      return (pdx & pfn_pdx_bottom_mask) |
>>>             ((pdx << pfn_pdx_hole_shift) & pfn_top_mask);
>> Taking this as an example for what I've said above: The compiler can't
>> know that the globals used by the functions won't change value. Even
>> within Xen it is only by convention that these variables are assigned
>> their values during boot, and then aren't changed anymore. Which makes
>> me wonder: Did you check carefully that around the time the variables
>> have their values established, no calls to the functions exist (which
>> might then be subject to folding)?
> 
> I was actually going to point this out, but hadn't found the words.
> 
> pdx_to_pfn() is not pure.  It violates the requirements for being
> declared pure, in a way that the compiler can see.

Hmm, I think you're remembering old wording in the doc. Nowadays it says
"However, functions declared with the pure attribute can safely read any
 nonvolatile objects, and modify the value of objects in a way that does
 not affect their return value or the observable state of the program."

To me this reads as if reads of globals are okay, constrained by the
generally single-threaded view a compiler takes.

Irrespective I agree that without said further checking (and perhaps
even some way of making sure the requirements can't be violated by
future changes), ...

> Right now, this will cause GCC to ignore the attribute, but who's to say
> that future GCCs don't start emitting a diagnostic (in which case we'd
> have to delete them to make them compile), or start honouring them (at
> which point this logic will start to malfunction around the boot time
> modification to the masks).
> 
> 
> It is undefined behaviour to intentionally lie to the compiler using
> attributes.  This is intentionally introducing undefined behaviour to
> placate Eclair.

... we'd effectively be lying to the compiler, putting ourselves at risk.

Jan

> So why are we bending over backwards to remove UB in other areas, but
> deliberately introducing here?  How does that conform with the spirit of
> MISRA?
> 
> ~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.