Subject: Re: Adding syscall argument checking to lint? [was Re: -current free vnode panic]
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
Date: 10/04/1995 06:58:22

>>> I _think_ this is a MI problem -
>> It looks like I botched one of the prototyping changes... "oops".
> It may be _why_ it was done; but the fact remains that making those
> changes means there is LESS type information available, not MORE; and
> that makes bugs like this one more likely, not less.

The "but the...not MORE" I disagree with, though the "and that...not
less" would be true, if its antecedent were.

> It may be that my mind has been warped by programming-language
> type-theory classes; but I think it's an incontrovertible statement
> of fact that there's less type-checking going on now than before.

Hardly. Before, everything was K&R-style C, which implies no type
cross-checking at all (unless some brave soul runs lint on the kernel).
Now, at least the non-polymorphic arguments are type-checked.

The problem, you see, is that what's _really_ passed to those things is
just a pointer to whatever arguments user-land provided. The code that
calls the implementation code for the syscall in question doesn't know
what the real type of the argument structure is; indeed, if you want to
keep sysent as an array instead of an enormous switch statement, it
has to be that way. And this means that you can't really have
typechecking there, even if you manage to juggle things so it looks as
though you do.

> [maybe teach lint to special-case this]
> A possible syntax (for this particular bug) would be [example] where
> the appropriate test for lint to apply is that the second argument to
> the function after the SYSCALL comment -- in this case, v -- is
> _declared_ as a void* but _used_ as (or assigned to) a pointer to
> whatever-type-it-is that follows the SYSCALL.

But the trouble is, that function is (almost) never called directly,
but rather is called through a pointer fetched from the sysent table.
And the relevant structure member has the same type for all syscalls,
so you get no typechecking. (Except, possibly, for calls directly to
some syscall handler. I've seen this happen in a couple of places in
the kernel, but it's not done enough to really buy you anything.)

Besides, putting this special a case into lint offends some sense of
programming aesthetics, at least in me. :-)
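The dispatch path the message describes (a sysent array of uniform function pointers, each handler receiving a void * to the user-supplied argument block and casting it itself), as an added C example that is not from the original message or from the NetBSD kernel. The argument structs, the handler bodies, the syscall numbers and the sy_argsize run-time check are simplified assumptions modelled loosely on that layout, not copied from it. It shows why the compiler cannot catch a handler casting v to the wrong struct, and the one check the dispatcher can still make: that the caller's argument block is the size the handler expects.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified stand-ins for per-syscall argument structs. */
struct sys_write_args { int fd; const void *buf; size_t nbyte; };
struct sys_close_args { int fd; };

/* Every handler shares one signature, so nothing ties the void *v a
 * handler receives to the struct it actually dereferences. */
typedef int (*sy_call_t)(void *v, long *retval);

struct sysent {
    size_t    sy_argsize;   /* size of the args struct the handler expects */
    sy_call_t sy_call;      /* NULL for unimplemented slots */
};

static int sys_write(void *v, long *retval)
{
    /* The only "type" here is this unchecked cast; lint and the compiler
     * accept any struct name on the right-hand side. */
    struct sys_write_args *uap = v;
    if (uap->fd < 0)
        return EBADF;
    *retval = (long)uap->nbyte;       /* pretend every byte was written */
    return 0;
}

static int sys_close(void *v, long *retval)
{
    struct sys_close_args *uap = v;
    *retval = 0;
    return uap->fd < 0 ? EBADF : 0;
}

/* Assumed syscall numbers; NSYSENT is the table size. */
enum { SYS_write = 4, SYS_close = 6, NSYSENT = 8 };

static const struct sysent sysent[NSYSENT] = {
    [SYS_write] = { sizeof(struct sys_write_args), sys_write },
    [SYS_close] = { sizeof(struct sys_close_args), sys_close },
};

/* Dispatcher: copies the caller's argument block into an aligned kernel
 * buffer and hands the handler a void *. The size comparison is the
 * run-time substitute for the compile-time check the uniform signature
 * throws away; it rejects a block built for a different syscall. */
int syscall_dispatch(int code, const void *uargs, size_t uargsize, long *retval)
{
    long argbuf[8];                   /* long-aligned, large enough for any args struct here */

    if (code < 0 || code >= NSYSENT || sysent[code].sy_call == NULL)
        return ENOSYS;
    if (uargsize != sysent[code].sy_argsize || uargsize > sizeof argbuf)
        return EINVAL;
    memcpy(argbuf, uargs, uargsize);
    return sysent[code].sy_call(argbuf, retval);
}

int main(void)
{
    long rv = 0;
    struct sys_write_args wa = { 1, "hi", 2 };   /* constructed sample call */
    struct sys_close_args ca = { -1 };

    printf("write -> %d, retval %ld\n", syscall_dispatch(SYS_write, &wa, sizeof wa, &rv), rv);
    printf("close(-1) -> %d\n", syscall_dispatch(SYS_close, &ca, sizeof ca, &rv));
    /* Wrong args struct for the syscall number: caught only by the size check. */
    printf("close with write args -> %d\n", syscall_dispatch(SYS_close, &wa, sizeof wa, &rv));
    printf("unknown code -> %d\n", syscall_dispatch(99, &wa, sizeof wa, &rv));
    return 0;
}
```

Note that the size check only catches a mismatch between caller and table entry; a handler that casts v to the wrong struct of the same size is still invisible to both the compiler and this check, which is exactly the gap the message says lint would have to be special-cased to close.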