Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 13 Feb 2015 18:18:55 +1100 (EST)
From:      Bruce Evans <brde@optusnet.com.au>
To:        "Bjoern A. Zeeb" <bz@freebsd.org>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, Pedro Giffuni <pfg@freebsd.org>, src-committers@freebsd.org
Subject:   Re: svn commit: r278634 - head/lib/libc/gen
Message-ID:  <20150213172738.C1007@besplex.bde.org>
In-Reply-To: <9A683D99-C1E9-4736-982C-69F583D3A40D@FreeBSD.org>
References:  <201502122107.t1CL7gaO004041@svn.freebsd.org> <BF5F2941-52F5-41A4-8723-E316919718EE@FreeBSD.org> <54DD2A87.2050008@FreeBSD.org> <9A683D99-C1E9-4736-982C-69F583D3A40D@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 12 Feb 2015, Bjoern A. Zeeb wrote:

>> On 12 Feb 2015, at 22:34 , Pedro Giffuni <pfg@FreeBSD.org> wrote:
>>
>>
>> On 02/12/15 17:27, Bjoern A. Zeeb wrote:
>>>> On 12 Feb 2015, at 21:07 , Pedro F. Giffuni <pfg@FreeBSD.org> wrote:
>>>> ...
>>>> Log:
>>>>  ulimit(3): Fix broken check.
>>>> ...
>>> Did this compile?
>>
>> Yes! Any log message to share?
>
> Now I do again; had lost them due to buildworld starting over again:
>
> ===> lib/libc_nonshared (obj,depend,all,install)
> cc1: warnings being treated as errors
> /scratch/tmp/bz/head.svn/lib/libc/gen/ulimit.c: In function 'ulimit':
> /scratch/tmp/bz/head.svn/lib/libc/gen/ulimit.c:56: warning: comparison is always false due to limited range of data type
> /scratch/tmp/bz/head.svn/lib/libc/gen/ulimit.c:57: warning: overflow in implicit constant conversion
> --- ulimit.So ---
> *** [ulimit.So] Error code 1

Grump.  The first warning inhibits doing clean range checking.  Considered
the following simplified case:

 	long arg;

 	/*
 	 * We want to know if arg is representable as an rlim_t.  This is
 	 * remarkably difficult.  The following doesn't work due to
 	 * compiler zeal and other bugs:
 	 */
 	if (arg > RLIM_INFINITY)
 		err(...);

The check is false on all arches since RLIM_INFINITY happens to be >=
LONG_MAX, and excessively zealous compilers warn.

This omits complications for negative args (see below).  There are also
system bugs for negative args.  POSIX specifies that rlim_t shall be an
unsigned type, but in FreeBSD it is still a signed type like it always
was.  FreeBSD is also missing POSIX's magic values RLIM_SAVED_{MAX,CUR}
for handling unrepresentable values.  After fixing the type, these
could be used for the historical mishandling of historical negative
values and might even allow binary compatibility for those values.

The second warning is about a bug.  A last-minute change made the error
handling the same for all negative values (representable or not) as for
unrepresentable positive values.  But that doesn't work, since it give
an overflow in live code as well as in dead code.  We also depend on
the compiler understanding the range checking and not warning for overflows
in dead code.  The unsimplified code for this is:

 	if (arg > RLIM_INFINITY / 512)
 		arg = RLIM_INFINITY / 512;

or equivalently:

 	arg = MIN(arg, RLIM_INFINITY / 512);

The check is vacuously false on 64-bit arches only.  The assignment overflows
on 32-bit arches only.  So zealous compilers have something to warn about
in both lines.  We want a warning for only the second line iff it is live
and overflows.  This requires the compiler to understand when the first
line is vacuously false so that the second line is dead, but not warn
about the first line.

Other common forms of the range check shouldn't work any better:

 	if ((rlim_t)arg > RLIM_INFINITY)

If rlim_t were unsigned as specified by POSIX, then this cast would probably
just be a bug.  Otherwise, it should have no effect in the vacuously false
case.  We depend on it having no effect so that the compiler knows when
the following code is dead.

 	rlim_t tmp;

 	tmp = arg;
 	if (tmp != arg)
 		err(1, "arg not representable by rlim_t");

The compiler should still be able to see when the comparison is vacuously
false.  This form of the comparison is also more difficult to write when
the limit is not simply the maximum for the type.  Here we want to multiply
by 512, but there may be no type that can hold the result.

This shows that the MIN() macro is hard to used with mixed types and
zealous compilers.  Using doesn't avoid many of the problems in the
imin() family.  With this family, you have to translate all typedefed
types to basic types and promote to a larger common type, if any.  This
tends to hide the original values, so the zealous compilers are not
smart enough to warn.  However, smart ones should see inside:

 	arg = llmin(arg, RLIM_INFINITY / 512);

and warn for it too.

Add complications for portability to BSD and POSIX for the full mess.
Translation of typedefed types for the imin() family becomes impossible
because there is no suitable larger common type in some cases; using
MIN() gives unwanted (un)sign extension in these cases.

Bruce



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150213172738.C1007>