[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen: Don't cast away const-ness in vcpu_show_registers()


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 7 Mar 2025 07:59:00 +0100
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 07 Mar 2025 06:59:10 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 07.03.2025 00:17, Andrew Cooper wrote:
> On 05/03/2025 7:53 am, Jan Beulich wrote:
>> On 03.03.2025 17:52, Andrew Cooper wrote:
>>> On 26/02/2025 7:33 am, Jan Beulich wrote:
>>>> On 26.02.2025 00:02, Andrew Cooper wrote:
>>>>> The final hunk is `(struct vcpu *)v` in disguise, expressed using a 
>>>>> runtime
>>>>> pointer chase through memory and a technicality of the C type system to 
>>>>> work
>>>>> around the fact that get_hvm_registers() strictly requires a mutable 
>>>>> pointer.
>>>>>
>>>>> For anyone interested, this is one reason why C cannot optimise any reads
>>>>> across sequence points, even for a function purporting to take a const 
>>>>> object.
>>>>>
>>>>> Anyway, have the function correctly state that it needs a mutable vcpu.  
>>>>> All
>>>>> callers have a mutable vCPU to hand, and it removes the runtime pointer 
>>>>> chase
>>>>> in x86.
>>>>>
>>>>> Make one style adjustment in ARM while adjusting the parameter type.
>>>>>
>>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>>>> ---
>>>>> CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
>>>>> CC: Michal Orzel <michal.orzel@xxxxxxx>
>>>>> CC: Jan Beulich <jbeulich@xxxxxxxx>
>>>>> CC: Julien Grall <julien@xxxxxxx>
>>>>> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
>>>>> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
>>>>> CC: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
>>>>> CC: Bertrand Marquis <bertrand.marquis@xxxxxxx>
>>>>>
>>>>> RISC-V and PPC don't have this helper yet, not even in stub form.
>>>>>
>>>>> I expect there will be one objection to this patch.  Since the last time 
>>>>> we
>>>>> fought over this, speculative vulnerabilities have demonstrated how 
>>>>> dangerous
>>>>> pointer chases are, and this is a violation of Misra Rule 11.8, even if 
>>>>> it's
>>>>> not reasonable for Eclair to be able to spot and reject it.
>>>> On these grounds
>>>> Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
>>> Thanks.
>>>
>>>> irrespective of the fact that a function of this name and purpose really, 
>>>> really
>>>> should be taking a pointer-to-const.
>>> No - this is a perfect example of why most functions should *not* take
>>> pointer-to-const for complex objects.
>>>
>>> There is no such thing as an actually-const vcpu or domain; they are all
>>> mutable.  The reason why x86 needs a strictly-mutable pointer is because
>>> it needs to take a spinlock to negotiate for access to a hardware
>>> resource to read some of the registers it needs.
>>>
>>> This is where there is a semantic gap between "logically doesn't modify"
>>> and what the C keyword means.
>> And hence (in part) why C++ gained "mutable" ages ago.
> 
> Sure.  If we were writing in C++, then an internal splinlock being
> mutable would be a fine thing.
> 
> But we're writing in a language where there is no such concept.
>>> Anything except the-most-trivial trivial predates may reasonably need to
>>> take a spinlock or some other safety primitive, even just to read
>>> information.
>>>
>>>
>>> Because this was gratuitously const in the first place, bad code was put
>>> in place of making the prototype match reality.
>>>
>>> This demonstrates a bigger failing in how code is reviewed and
>>> maintained.  It is far too frequent that requests to const things don't
>>> even compile.  It is also far too frequent that requests to const things
>>> haven't read the full patch series to realise why not.  Both of these
>>> are a source of friction during review.
>>>
>>> But more than that, even if something could technically be const right
>>> now, the request to do so forces churn into a future patch to de-const
>>> it in order to make a clean change.  And for contributors who aren't
>>> comfortable saying a firm no to a maintainer, this turns into a bad hack
>>> instead.
>>>
>>> i.e. requests to const accessors for complexity objects are making Xen
>>> worse, not better, and we should stop doing it.
>> Okay, let's agree that we don't agree in our perspectives here.
> 
> I'm not saying this to be mean.  If C could do something like C++'s
> mutable, then this wouldn't be an issue.
> 
> But, I have lost count of the number of times I have had to reject
> requests of yours to const a pointer, on the basis that it can't
> compile.  Your review feedback cost one of my team-members a week trying
> to fulfil a const request before asking me for help, and it was another
> impossible example.
> 
> Of all feedback given by reviewers (it's not only you), requests to
> const are the ones that are most often wrong in my experience.

I am entirely certain you're wrong here, unless maybe you mean solely
comments on patches of yours. There are far too many places where we're
still lacking const, and people are copying such instances far too
blindly.

>  Probably
> only ~50% of requests are correct, yet it takes a very seasoned
> developer to come back and say "no, that doesn't compile", because
> that's really a "I think you're wrong" needing knowledge in a subtle
> part of the language.
> 
> My request is to all reviewers.  Please take far more care before asking
> for const.  There are absolutely cases where it's right, but a false
> request is more problematic than it appears at the surface.

I am attempting to be quite careful with such requests, but as for any
review comment mistakes / oversights happen. Furthermore relatively
often I put such comments as questions, in the hope to indicates this
way that the change request depends on the result actually building
fine. In fact things not building doesn't necessarily mean the comment
was outright wrong - it often means code elsewhere isn't properly
constified.

My request to all submitters: Constify your patches properly up front.

Jan



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.