[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as required

To: <ian.jackson@xxxxxxxxxx>
From: "Jan Beulich" <jbeulich@xxxxxxxx>
Date: Fri, 08 Mar 2019 01:22:07 -0700
Cc: stefanos@xxxxxxxxxx, sstabellini@xxxxxxxxxx, Andrew.Cooper3@xxxxxxxxxx, George.Dunlap@xxxxxxxxxx, julien.grall@xxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 08 Mar 2019 08:22:21 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

>>> Ian Jackson <ian.jackson@xxxxxxxxxx> 03/07/19 3:44 PM >>>
>Jan Beulich writes ("Re: [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as 
>required"):
>> I'd like to note though that in the first two cases we don't alter the
>> declared object anyway, but instead a derived one; the declaration
>> should not use const for other reasons though. And the 3rd case is
>> fiddling with something that has lost its meaning as an object. In fact
>> we're about to free the underlying memory. In this case I'd prefer to
>> retain the const, but I won't insist as the symbol is non-const right
>> now as well.
>
>I think if you do this
>
>extern const struct blah blah_start[];
>
>it is not safe to cast the const away later.
>
>From C99+TC1+TC2, 6.7.3 5:
>
>5  If an attempt is made to modify an object defned with a
>const-qualifed type through use of an lvalue with
>non-const-qualifed type, the behavior is undefned. ...
>
>Of course `extern const struct blah blah_start[]' is only a
>declaration, not a definition.
>
>But all the declarations/definitions even in different translation
>units must be `compatible' (or UB, 6.2.7 2) and for types to be
>`compatible' they must be identically qualified (6.7.3 9).
>
>So the compiler authors will say that
>
>`extern const struct blah blah_start[]'
>
>implies a definition somewhere of an array 
>
>`extern const struct blah blah_start[ somesize ]
>
>and therefore any accesses `to blah_start' (which in their mind means
>any accesses via a pointer whose provenance is blah_start) via
>non-const lvalues (even for reading!) is UB.

It looks to me as if we were in agreement then. I was talking about freeing
an object that was const-qualified, not modifying it. The scrubbing of the
memory could be considered part of the freeing, it just ought to occur up
front because of otherwise possible races, and because we have no means
to tell the freeing function to do the scrubbing (in fact I should say "we used
to have no means, as I think right now the memory would be scrubbed
implicitly, so the explicit scrubbing could probably be dropped).


Jan




_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as required
  - From: Ian Jackson

References:
- [Xen-devel] [PATCH v11 0/9] misc safety certification fixes
  - From: Stefano Stabellini
- [Xen-devel] [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as required
  - From: Stefano Stabellini
- Re: [Xen-devel] [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as required
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as required
  - From: Stefano Stabellini
- Re: [Xen-devel] [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as required
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as required
  - From: Ian Jackson

Prev by Date: Re: [Xen-devel] [PATCH v11 3/9] xen: introduce DECLARE_BOUNDS
Next by Date: Re: [Xen-devel] [PATCH v11 9/9] xen: explicit casts when DECLARE_BOUNDS cannot be used [and 1 more messages]
Previous by thread: Re: [Xen-devel] [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as required
Next by thread: Re: [Xen-devel] [PATCH v11 5/9] xen/x86: use DECLARE_BOUNDS as required
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.