Page MenuHomeFreeBSD

uma: New check_align_mask(): Validate alignments (INVARIANTS)
ClosedPublic

Authored by olce on Oct 17 2023, 2:59 PM.
Tags
None
Referenced Files
F102640974: D42263.diff
Fri, Nov 15, 5:29 AM
Unknown Object (File)
Sun, Nov 10, 9:47 PM
Unknown Object (File)
Sun, Nov 10, 8:04 PM
Unknown Object (File)
Sun, Nov 10, 3:09 PM
Unknown Object (File)
Fri, Nov 8, 12:30 AM
Unknown Object (File)
Sat, Oct 19, 7:39 PM
Unknown Object (File)
Sat, Oct 19, 7:39 PM
Unknown Object (File)
Sat, Oct 19, 7:38 PM
Subscribers

Details

Summary

New function check_align_mask() asserts (under INVARIANTS) that the mask
fits in a (signed) integer (see the comment) and that the corresponding
alignment is a power of two.

Use check_align_mask() in uma_set_align_mask() and also in uma_zcreate()
to replace the KASSERT() there (that was checking only for a power of
2).

MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 54094
Build 50984: arc lint + arc unit

Event Timeline

olce requested review of this revision.Oct 17 2023, 2:59 PM
sys/vm/uma_core.c
334

I think the prototype isn't needed?

3257

Why not write these as KASSERT()s?

__predict_false isn't needed here, the compiler knows that panic() doesn't return.

sys/vm/uma_core.c
334

Indeed. Happy to remove it.

3257

I would prefer these checks to always be performed (even not under INVARIANTS) because I assume that an invalid value will really mess with UMA's internals, but I can change if you think it's not worth it.

__predict_false() just indicates that the branch is unlikely to be taken, which is in principle independent from whether the branch basic block never exits (think, e.g., exit1()). That said, not finishing a basic block usually happens in error branches. Are you saying that compilers automatically "optimize" based on that? It would be a bit surprising.

sys/vm/uma_core.c
3257

I assume that an invalid value will really mess with UMA's internals

That's true of many of the KASSERTs in UMA, and in the kernel at large. Most of the explicit panic() calls in UMA are from debug code, so my inclination is to follow the precedent.

olce marked 3 inline comments as done.
olce retitled this revision from uma: New check_align_mask(); Panic on improper alignments to uma: New check_align_mask(): Validate alignments (INVARIANTS).
olce edited the summary of this revision. (Show Details)

Cater to comments.

sys/vm/uma_core.c
3257

Done.

sys/vm/uma_core.c
3265–3276

or even mask < UINT_MAX / 2 (whatever right spelling for UINT_MAX is)

olce marked an inline comment as done.
olce edited the summary of this revision. (Show Details)

Change the mask too big check.

sys/vm/uma_core.c
3265–3276

Or even better given the comment: mask <= INT_MAX.

kib added inline comments.
sys/vm/uma_core.c
3295

Did you checked that e.g. gcc does not warn about implicit signedness cast?

This revision is now accepted and ready to land.Oct 19 2023, 9:43 PM
sys/vm/uma_core.c
3295

No, not yet. For base clang, I just assumed that -Werror is set. I've just looked up how to build the kernel with GCC. Compiling the required port right now.

olce marked an inline comment as done.Oct 20 2023, 2:01 PM
olce added inline comments.
sys/vm/uma_core.c
3295

No warnings/errors from GCC.