Re: [PATCH] x86/syscalls: Mark expected switch fall-throughs

From: Kees Cook
Date: Tue Nov 28 2017 - 15:34:59 EST


On Tue, Nov 28, 2017 at 12:08 PM, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
> On Tue, 28 Nov 2017, Linus Torvalds wrote:
>
>> On Tue, Nov 28, 2017 at 11:00 AM, Alan Cox <gnomes@xxxxxxxxxxxxxxxxxxx> wrote:
>> >
>> > The notation in question has been standard in tools like lint since the
>> > end of the 1970s
>>
>> Yes.
>>
>> That said, maybe one option would be to annotate the "case:" and
>> "default:" statements if that makes people happier.
>>
>> IOW, we could do something like
>>
>> #define fallthrough __attribute__((fallthrough))
>>
>> and then write
>>
>> fallthrough case 1:
>> ...
>>
>> which while absolutely not traditional, might look and read a bit more
>> logical to people. I mean, it literally _is_ a "fallthrough case", so
>> it makes semantic sense.
>>
>> Or maybe people hate that kind of "making up new syntax" too?
>
> Fine with me. Better than any comment.

One of the strong reasons to do this with comments is because it lets
us leverage existing static analyzers. The long-standard method of
marking fall-through has been with comments, and that's what the
kernel should be (and has been) doing. If we invent another method,
we'll be shooting ourselves in the foot by making it harder to spot
these cases using existing tools. Fall-through is uncommon, and it's
not a big price to carry these comments when the gain is so clear.

The most "ugly" cases of these are when the switch statement is
_entirely_ fall-through (usually for bit-width processing of some
kind), but again, they're rare in the grand scheme of things.

-Kees

--
Kees Cook
Pixel Security
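The two annotation styles under discussion, as an added C example that is not part of the thread: the comment form that -Wimplicit-fallthrough and lint-style tools already recognise, beside the attribute form Linus floated, both on an "entirely fall-through" switch of the bit-width kind Kees mentions. The `fallthrough` macro name and its fallback definition are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Compiler-level marker; the macro name and fallback are assumptions here. */
#if defined(__has_attribute)
# if __has_attribute(fallthrough)
#  define fallthrough __attribute__((fallthrough))
# endif
#endif
#ifndef fallthrough
# define fallthrough do {} while (0)
#endif

/* Comment-marked: the lint-style annotation -Wimplicit-fallthrough already
 * understands. Every case falls through (the "entirely fall-through" shape). */
uint32_t load_le_comment(const uint8_t *p, size_t n)
{
	uint32_t v = 0;

	switch (n > 4 ? 4 : n) {
	case 4: v |= (uint32_t)p[3] << 24;
		/* fall through */
	case 3: v |= (uint32_t)p[2] << 16;
		/* fall through */
	case 2: v |= (uint32_t)p[1] << 8;
		/* fall through */
	case 1: v |= p[0];
	}
	return v;
}

/* Same logic with the attribute: it is a statement, so it needs the ';'
 * and sits before the next label rather than in front of "case". */
uint32_t load_le_attr(const uint8_t *p, size_t n)
{
	uint32_t v = 0;

	switch (n > 4 ? 4 : n) {
	case 4: v |= (uint32_t)p[3] << 24;
		fallthrough;
	case 3: v |= (uint32_t)p[2] << 16;
		fallthrough;
	case 2: v |= (uint32_t)p[1] << 8;
		fallthrough;
	case 1: v |= p[0];
	}
	return v;
}
```

Both markings are no-ops for code generation; the difference is only which tools can see that the fall-through is intended.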