Re: [PATCH] powerpc: Avoid clang uninitialized warning in __get_user_size_allowed
From: Nathan Chancellor
Date: Wed Apr 28 2021 - 17:42:04 EST
On Tue, Apr 27, 2021 at 07:05:12AM +0200, Christophe Leroy wrote:
>
>
> Le 26/04/2021 à 22:35, Nathan Chancellor a écrit :
> > Commit 9975f852ce1b ("powerpc/uaccess: Remove calls to __get_user_bad()
> > and __put_user_bad()") switch to BUILD_BUG() in the default case, which
> > leaves x uninitialized. This will not be an issue because the build will
> > be broken in that case but clang does static analysis before it realizes
> > the default case will be done so it warns about x being uninitialized
> > (trimmed for brevity):
> >
> > In file included from mm/mprotect.c:13:
> > In file included from ./include/linux/hugetlb.h:28:
> > In file included from ./include/linux/mempolicy.h:16:
> > ./include/linux/pagemap.h:772:16: warning: variable '__gu_val' is used
> > uninitialized whenever switch default is taken [-Wsometimes-uninitialized]
> > if (unlikely(__get_user(c, uaddr) != 0))
> > ^~~~~~~~~~~~~~~~~~~~
> > ./arch/powerpc/include/asm/uaccess.h:266:2: note: expanded from macro '__get_user'
> > __get_user_size_allowed(__gu_val, __gu_addr, __gu_size, __gu_err); \
> > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > ./arch/powerpc/include/asm/uaccess.h:235:2: note: expanded from macro
> > '__get_user_size_allowed'
> > default: BUILD_BUG(); \
> > ^~~~~~~
> >
> > Commit 5cd29b1fd3e8 ("powerpc/uaccess: Use asm goto for get_user when
> > compiler supports it") added an initialization for x because of the same
> > reason. Do the same thing here so there is no warning across all
> > versions of clang.
>
> Ah yes, I tested with Clang 11 which has CONFIG_CC_HAS_ASM_GOTO_OUTPUT,
> that's the reason why I hit that warning only in the
> CONFIG_CC_HAS_ASM_GOTO_OUTPUT branch.
>
> But regardless, is that normal that Clang warns that on a never taken branch ? That's puzzling.
It seems to be related to the fact that the value of sizeof is assigned
to a variable. At this point in the pipeline, clang does not realize
that the default branch is never taken because __gu_size has not
actually been evaluated. If you stuck a numeric constant in there, it
would not fire.
A simple example: https://godbolt.org/z/jbrqEbh1j
It is possible that could be improved in clang but I am not sure.
> >
> > Link: https://github.com/ClangBuiltLinux/linux/issues/1359
> > Signed-off-by: Nathan Chancellor <nathan@xxxxxxxxxx>
>
> Acked-by: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
Thanks for taking a look!
Cheers,
Nathan
> > ---
> > arch/powerpc/include/asm/uaccess.h | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
> > index a4e791bcd3fe..a09e4240c5b1 100644
> > --- a/arch/powerpc/include/asm/uaccess.h
> > +++ b/arch/powerpc/include/asm/uaccess.h
> > @@ -232,7 +232,7 @@ do { \
> > case 2: __get_user_asm(x, (u16 __user *)ptr, retval, "lhz"); break; \
> > case 4: __get_user_asm(x, (u32 __user *)ptr, retval, "lwz"); break; \
> > case 8: __get_user_asm2(x, (u64 __user *)ptr, retval); break; \
> > - default: BUILD_BUG(); \
> > + default: x = 0; BUILD_BUG(); \
> > } \
> > } while (0)
> >
> > base-commit: ee6b25fa7c037e42cc5f3b5c024b2a779edab6dd
> >