From: Blue Swirl
Subject: [Qemu-devel] Re: [PATCH 1/5] Suppress some gcc warnings with -Wtype-limits
Date: Mon, 6 Sep 2010 19:08:16 +0000

On Sun, Sep 5, 2010 at 10:33 PM, andrzej zaborowski <address@hidden> wrote:
> On 5 September 2010 23:44, Blue Swirl <address@hidden> wrote:
>> The problem case is when BLKDBG_EVENT_MAX > 0x80000000 and the type of
>> enum is unsigned. Then the first check is ignored by the compiler and
>> the second does not catch values which are between 0x80000000 and
>> BLKDBG_EVENT_MAX. This may not be what was desired by the check,
>> though.
>>
>> Those values will be caught with the int cast, or if the compiler
>> still happens to make the enum signed (for example, because
>> BLKDBG_EVENT_MAX was changed to a #define in order to support
>> compilers which don't allow too large enum values).
>
> So you're actually talking about INT_MAX + 1, not 0x80000000, the
> number depends on the abi.
>
> Quite clearly BLKDBG_EVENT_MAX is the max value in the enum so that
> the values can be used as indices of an array of a known size.  I
> think it's safe to say it is < INT_MAX.
>
>>
>>>>>> I think I explained the problem
>>>>>> at detail. There is a bug. I have a fix for the bug. The fix is not a
>>>>>> workaround, except maybe for committee-induced stupidity which created
>>>>>> the enum signedness ambiguity in the first place.
>>>>>>
>>>>>>>>>> > I agree. But it seems to indicate a bigger problem.
>>>>>>>>>> >
>>>>>>>>>> > If we are trying to pass in a negative value, which is not one
>>>>>>>>>> > of enum values, using BlkDebugEvent as type is just confusing,
>>>>>>>>>> > we should just pass int instead.
>>>>>>>>>>
>>>>>>>>>> AFAICT it's only possible to use the values listed in event_names in
>>>>>>>>>> blkdebug.c, other values are rejected. So the check should actually be
>>>>>>>>>> an assert() or it could even be removed.
>>>>>>>>>
>>>>>>>>> Sounds good.
>>>>>>>>>
>>>>>>>>>> >> >> How about adding assert(OMAP_EMIFS_BASE == 0) and commenting out the
>>>>>>>>>> >> >> check? Then if the value changes, the need to add the comparison back
>>>>>>>>>> >> >> will be obvious.
>>>>>>>>>> >> >
>>>>>>>>>> >> > This would work but it's weird.  The thing is it's currently correct
>>>>>>>>>> >> > code and the check may be useless but it's the optimiser's task to
>>>>>>>>>> >> > remove it, not ours.  The compiler is not able to tell whether the
>>>>>>>>>> >> > check makes sense or not, because the compiler only has access to
>>>>>>>>>> >> > preprocessed code.  So why should you let the compiler have anything
>>>>>>>>>> >> > to say on it.
>>>>>>>>>> >>
>>>>>>>>>> >> Good point. I'll try to invent something better.
>>>>>>>>>> >
>>>>>>>>>> > Use #pragma to suppress the warning? Maybe we could wrap this in a macro ..
>>>>>>>>>>
>>>>>>>>>> Those lines may also desynch silently with changes to OMAP_EMIFS_BASE.
>>>>>>>>>>
>>>>>>>>>> I think the assertion is still the best way, it ensures that something
>>>>>>>>>> will happen if OMAP_EMIFS_BASE changes. We could for example remove
>>>>>>>>>> OMAP_EMIFS_BASE entirely (it's only used for the check), but someone
>>>>>>>>>> adding a new define could still forget to adjust the check anyway.
>>>>>>>>>
>>>>>>>>> We could replace it with a macro
>>>>>>>>> #define OMAP_EMIFS_VALID(addr) ((target_phys_addr_t)addr < OMAP_EMIFF_BASE)
>>>>>>>>> but all this does look artificial. And of course using type casts
>>>>>>>>> is always scary ...
>>>>>>>>>
>>>>>>>>> Would it help to have some inline functions that do the range
>>>>>>>>> checking correctly?
>>>>>>>>> We have a couple of range helpers in pci.h, these could be moved out
>>>>>>>>> to range.h and we could add some more. As these act on u64 this will get
>>>>>>>>> the type limits mostly automatically right.
>>>>>>>>
>>>>>>>> That seems to be the best solution, I get no warnings with this:
>>>>>>>
>>>>>>> While the resulting code is clean (just as the current code), I think
>>>>>>> it really shows that this warning should not be enabled.  At this
>>>>>>> point you find yourself working around your compiler and potentially
>>>>>>> forcing others to write some really strange code to work around the
>>>>>>> problem caused by this.
>>>>>>
>>>>>> The warnings generated by -Wtype-limits are very useful, because with
>>>>>> it I have found several bugs in the code.
>>>>>
>>>>> Is that an argument for enabling a warning *by default*?  Looking at
>>>>> any specific part of the code you'll find bugs. If you enable some
>>>>> warning, it'll hint on a given subset of the places in the code, some
>>>>> of which are bugs and some are false-positives.  Enable a different
>>>>> warning and you get a different subset.  Grep for any given keyword or
>>>>> constant and you get a different subset.
>>>>
>>>> Right, so when we enable *by default* the warning, buggy code (and
>>>> unfortunately the false positives, if any) will not be committed.
>>>
>>> Ok, so "malloc causes memory leaks, let's forbid dynamic allocation", right?
>>
>> The questionable malloc policies of your employer have nothing to do
>> with this. If you don't agree with them, you can argue for a change in
>> the rules or seek employment in a company without those rules.
>
> First, the policy is almost identical to the policy you're introducing
> so it has everything to do with this.  I'm pointing out what is an
> actual faulty generalisation.  Avoiding malloc or avoiding strcat or
> avoiding "if (0 <= 1)" is unlikely to reduce the number of bugs, quite
> the opposite.  It's identical to arguing against file sharing on the
> internet because illegal file sharing is possible, it's a faulty
> generalisation. (Criminals use cars => cars are evil)  See your
> statement above about buggy code not being committed.  (I've never
> been employed by Nokia.  But I know people who wanted to submit
> improvements to gpsd, which is the project that originally had this
> policy.)

I agree that the policy of using static allocations instead of using
malloc() will very likely generate more bugs, because people are not
used to thinking that way (uncommon policy) and the gap between the two
methods is not trivial. The cost is therefore big and benefit low.

Using pstrcat instead of strcat is much less of a problem: it's not
uncommon to avoid functions which may cause buffer overflows,
especially when writing hardened software and the conversion is often
trivial. The cost is then low but the benefit big.

I can't imagine how the conversions from avoiding -Wtype-limits
warnings can cause bugs. I then assume the cost is low but in any case
the benefit can be demonstrated to be big, see the bug fixes.

>>>>>> Even the patches that are
>>>>>> not bug fixes are cleanups, not 'some really strange code'. Please
>>>>>> take a look at the 15 piece patch set I sent last, the patches
>>>>>> identify the problems better than this one you are replying to. Which
>>>>>> ones do you still think are only workarounds? Please be more specific.
>>>>>
>>>>> Patches 05, 06, 07, 09, 11, 14, 15 all replace one version of the code
>>>>> with a different that achieves the exact same functionality for all
>>>>> input values, what do they "fix"?
>>>>
>>>> 5: refactoring, as noted in pci.h, the code does not belong there.
>>>> 6: refactoring and cleanup using the range functions.
>>>> 7: cleanup leftover code.
>>>> 9: cleanup. We already had a hack in place because of mingw32
>>>> compiler, replace that with a cleaner approach.
>>>> 11: bug fix.
>>>> 14: cleanup. Hiding semicolons after comments is asking for trouble,
>>>> this is not an obfuscated C contest.
>>>
>>> If you're used to reading one code style, other styles look like IOCCC
>>> to you
>>
>> Faulty generalization.
>>
>>>, there's no hiding anything.
>>
>> Even if you didn't intend to hide anything, putting the semicolons
>> immediately after comments certainly makes them less visible. I can't
>> see what could ever be the benefit of doing that, for example putting
>> the semicolon on a separate line would make much better sense to me.
>
> They're exactly equally good.

They are syntactically the same, but a human looking at the code will
have more problems when the semicolon is after the comment block.

But thank you, this amounts to you acking the separation of comments
and semicolons since either version is exactly equally good to you.

>>>> 15: cleanup, declarations belong to header files, not to .c files.
>>>
>>> So, skipping 11 (bugfix unrelated to the warnings), where are those
>>> "fixes"?  What is the improvement in behaviour?
>>
>> I did not claim all of the changes are bug fixes (again, please try to be
>> more careful), some of them are cleanups.
>
> You asked which ones I thought were workarounds.  If you have to make
> an effort to satisfy the compiler warnings code then you have to
> re-think what the warnings are for.

To find bugs? Remember the bug fix to non bug fix ratio, which you
conveniently deleted from the discussion?

>  It really seems you want them
> enabled just because they exist.

I agree that this applies somewhat to #13, since the flags didn't
catch any bugs now. In my wishful thinking they may catch some in the
future. If any of them causes problems, it can be deleted without much
regret because we haven't seen the benefit.

I want the other flags enabled because they contribute positively to
the code quality.

It seems to me that you don't want to improve the quality of code but
want to stay in your comfort zone regardless of any improvement.
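The two patterns the thread argues about (a `< 0` test on an enum whose underlying type may be unsigned, and an `addr >= BASE` test where BASE happens to be 0) and the u64 range helper proposed as the fix, side by side. This is an added example, not code from the thread or from QEMU; `ExampleEvent`, the `EXAMPLE_EMIFS_*` constants and `range_contains` are constructed stand-ins, not QEMU identifiers.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an event enum (not QEMU's BlkDebugEvent). It has
 * no negative enumerator, so the underlying type is implementation-defined
 * and gcc chooses unsigned int: "ev < 0" would then always be false, which
 * is exactly what -Wtype-limits reports. */
typedef enum {
    EXAMPLE_EVENT_A,
    EXAMPLE_EVENT_B,
    EXAMPLE_EVENT_C,
    EXAMPLE_EVENT_MAX      /* one past the last valid event, used as an array bound */
} ExampleEvent;

/* Constructed stand-ins for a region whose base happens to be 0, the OMAP
 * case in the thread: "addr >= EXAMPLE_EMIFS_BASE" is vacuous for unsigned addr. */
#define EXAMPLE_EMIFS_BASE 0x00000000ULL
#define EXAMPLE_EMIFS_SIZE 0x10000000ULL

/* Range helper on unsigned 64-bit values, in the spirit of the range.h
 * proposal (hypothetical name, not QEMU's API). A single wrapping subtraction
 * replaces the "start <= v && v < start + len" pair, so no operand type can
 * make one half of the test vacuous, and start == 0 needs no special case. */
static inline int range_contains(uint64_t start, uint64_t len, uint64_t value)
{
    return value - start < len;
}

/* The int-cast approach from the thread: compare on a signed operand, so a
 * negative value passed through the enum type is rejected instead of being
 * optimised away. */
static int event_valid_cast(ExampleEvent ev)
{
    return (int)ev >= 0 && (int)ev < (int)EXAMPLE_EVENT_MAX;
}

/* The range-helper approach: widen the enum to uint64_t, after which any bit
 * pattern outside [0, EXAMPLE_EVENT_MAX) is rejected whatever signedness the
 * compiler picked for the enum. */
static int event_valid_range(ExampleEvent ev)
{
    return range_contains(0, EXAMPLE_EVENT_MAX, (uint64_t)ev);
}

/* Address check without the vacuous "addr >= 0" comparison. */
static int emifs_addr_valid(uint64_t addr)
{
    return range_contains(EXAMPLE_EMIFS_BASE, EXAMPLE_EMIFS_SIZE, addr);
}

int main(void)
{
    int bogus = -1;            /* a negative value smuggled in as an event */
    ExampleEvent ev = bogus;   /* implicit int -> enum conversion, as a caller might do */

    printf("cast check  rejects -1:  %d\n", !event_valid_cast(ev));
    printf("range check rejects -1:  %d\n", !event_valid_range(ev));
    printf("range check rejects MAX: %d\n", !event_valid_range(EXAMPLE_EVENT_MAX));
    printf("addr 0x0FFFFFFF valid:   %d\n", emifs_addr_valid(0x0FFFFFFFULL));
    printf("addr 0x10000000 valid:   %d\n", emifs_addr_valid(0x10000000ULL));
    return 0;
}
```

Compiled with `gcc -Wall -Wtype-limits`, none of the three checks produce a warning, because every comparison is performed on an operand type that can actually take both outcomes. The subtraction form also sidesteps the `start + len` overflow that a two-comparison check can hit near the top of the address space.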