On Fri, Apr 30, 2021 at 05:21:24PM +0300, Andy Shevchenko wrote:
> On Fri, Apr 30, 2021 at 04:33:29PM +0300, Dan Carpenter wrote:
> > On Fri, Apr 30, 2021 at 03:53:44PM +0300, Andy Shevchenko wrote:
> > > On Fri, Apr 30, 2021 at 02:41:06PM +0300, Dan Carpenter wrote:
> > > > On Fri, Apr 30, 2021 at 11:46:07AM +0300, Andy Shevchenko wrote:
>
> ...
>
> > > > Why would I make it unsigned? As a static analysis developer,
> > > > pointlessly unsigned variables are one of the leading causes for the
> > > > bugs I see.
> > > >
> > > > There are times where a iterator counter needs to be unsigned long, or
> > > > u64 but I have never seen a case where changing an iterator from
> > > > "int i;" to "unsigned int i;" solves a real life kernel bug. It only
> > > > introduces bugs.
> > >
> > > See my followup to that, I meant
> > >
> > > unsigned int count;
> > >
> > > do {
> > > ...
> > > } while (--count);
> > >
> > > It doesn't solve bug, but prevents the code be read incorrectly like what you
> > > are fixing can be avoided with do {} while (); along with unsigned type.
> >
> > Why would you use an unsigned int for this???
>
> Why it should be signed? You clearly show the amount of iterations. Check for
> null I guess even compact in the assembly in comparison to -1.
>
> I do not see any point why it should be signed. For what purpose?
>
> It's a *down* counter.
Yeah. And people regularly test down counters for >= 0. Signed ints
are safer. Unsigned ints are a *leading* cause of bugs in the kernel.
I don't know if they're in the top five but they're definitely in the
top ten.
Also if you need a larger type you should switch to a 64 bit type. The
2-4 million range is very narrow.
I have never seen a single kernel bug where the for loop counter was
"int i;" and making it "unsigned int i;" fixed a real life kernel bug.
Of course, there are times when unsigned int is appropriate, like for
sizes or because it's in the spec.
It's frustrating to me because GCC encourages people to make loop
counters unsigned and it introduces bugs.
I'm looking at the git log right now and I see that someone changed:
void dt_to_asm(FILE *f, struct dt_info *dti, int version)
{
struct version_info *vi = NULL;
- int i;
+ unsigned int i;
struct data strbuf = empty_data;
struct reserve_info *re;
const char *symprefix = "dt";
There are two loops in that function:
for (i = 0; i < ARRAY_SIZE(version_table); i++) {
This the one that generates the warning. GCC knows at compile time that
ARRAY_SIZE() is 5. ARGH!!! GCC is so lazy and horrible. If I did this
in Smatch people would never accept it. Even if ARRAY_SIZE() were
higher than INT_MAX the loop would behave the same regardless of whether
it was signed or not because of type promotion.
The other loop is:
for (i = 0; i < reservenum; i++) {
In this case "reservenum" comes from the command line. In the original
code if it were negative that would be a harmless no-op but now because
i is unsigned it's a crashing bug. Why did GCC not generate a warning
for this? The code was obviously bad before, that's true, but now in a
very measurable way it has become worse.
This example is not really important. I only brought it up because it
is most recent example of people changing "int i;" to "unsigned int i;".
But there have been other cases like this which have had a security
impact.
regards,
dan carpenter
