On Fri, Oct 09, 2020 at 02:18:41PM -0700, Tom Rix wrote:
>
> On 10/9/20 1:18 PM, Paul E. McKenney wrote:
> > On Fri, Oct 09, 2020 at 12:47:36PM -0700, trix@xxxxxxxxxx wrote:
> >> From: Tom Rix <trix@xxxxxxxxxx>
> >>
> >> clang static analysis reports this problem:
> >>
> >> rcutorture.c:1999:2: warning: Called function pointer
> >> is null (null dereference)
> >> cur_ops->sync(); /* Later readers see above write. */
> >> ^~~~~~~~~~~~~~~
> >>
> >> This is a false positive triggered by an earlier, later ignored
> >> NULL check of sync() op. By inspection of the rcu_torture_ops,
> >> the sync() op is never uninitialized. So this earlier check is
> >> not needed.
> > You lost me on this one. This check is at the very beginning of
> > rcu_torture_fwd_prog_nr(). Or are you saying that clang is seeing an
> > earlier check in one of rcu_torture_fwd_prog_nr()'s callers? If so,
> > where exactly is this check?
> >
> > In any case, the check is needed because all three functions are invoked
> > if there is a self-propagating RCU callback that ensures that there is
> > always an RCU grace period outstanding.
> >
> > Ah. Is clang doing local analysis and assuming that because there was
> > a NULL check earlier, then the pointer might be NULL later? That does
> > not seem to me to be a sound check.
> >
> > So please let me know exactly what is causing clang to emit this
> > diagnostic. It might or might not be worth fixing this, but either way
> > I need to understand the situation so as to be able to understand the
> > set of feasible fixes.
> >
> > Thanx, Paul
>
> In rcu_prog_nr() there is check for for sync.
>
> if ( ... cur_op->sync ...
>
> do something
>
> This flags in clang's static analyzer as 'could be null'
>
> later in the function, in a reachable block it is used
>
> cur_ops->sync()
>
> I agree this is not a good check that's why i said is was a false positive.
>
> However when looking closer at how cur_ops is set, it is never uninitialized.
>
> So the check is not needed.
OK, got it, and thank you for the explanation.
> This is not a fix, the code works fine. It is a small optimization.
Well, there really is a bug. Yes, right now all ->sync pointers are
non-NULL, but they have not been in the past and might not be in the
future. So if ->sync is NULL, rcu_torture_fwd_prog_nr() either should
not be called or it should return immediately without doing anything.
My current thought is something like the (untested) patch below, of
course with your Reported-by.
Thoughts?
Thanx, Paul
------------------------------------------------------------------------
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index beba9e7..44749be 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -1989,7 +1989,9 @@ static void rcu_torture_fwd_prog_nr(struct rcu_fwd *rfp,
unsigned long stopat;
static DEFINE_TORTURE_RANDOM(trs);
- if (cur_ops->call && cur_ops->sync && cur_ops->cb_barrier) {
+ if (!cur_ops->sync)
+ return; // Cannot do need_resched() forward progress testing without ->sync.
+ if (cur_ops->call && cur_ops->cb_barrier) {
init_rcu_head_on_stack(&fcs.rh);
selfpropcb = true;
}
@@ -2215,8 +2217,8 @@ static int __init rcu_torture_fwd_prog_init(void)
if (!fwd_progress)
return 0; /* Not requested, so don't do it. */
- if (!cur_ops->stall_dur || cur_ops->stall_dur() <= 0 ||
- cur_ops == &rcu_busted_ops) {
+ if ((!cur_ops->sync && !cur_ops->call) ||
+ !cur_ops->stall_dur || cur_ops->stall_dur() <= 0 || cur_ops == &rcu_busted_ops) {
VERBOSE_TOROUT_STRING("rcu_torture_fwd_prog_init: Disabled, unsupported by RCU flavor under test");
return 0;
}
