Capability to integer casts on CheriBSD

Julien ÉLIE julien at trigofacile.com
Mon Oct 30 21:10:27 UTC 2023


Hi Richard,

> The idea of the code in question seems to be to convert region expressed 
> by a pointer and length into the slightly wider region containing it 
> consisting of whole pages.

Yes, indeed.
And your proposal even optimizes the initial code which always takes an 
extra pagesize.


> An alternative approach that does not synthesize any pointers (but still 
> relies on a pointer-to-integer conversion):
> 
>    size_t page_mask = pagesize - 1;
> 
>    // Offset of p from start of first page
>    size_t start_offset = (size_t)p & page_mask;
> 
>    // Start of first page
>    char *start = p - start_offset;
> 
>    // Offset of (p+length) from start of last page, or 0
>    // if (p+length) is exactly on a page boundary
>    size_t end_offset = (start_offset + length) & page_mask;
> 
>    // Offset _backwards_ of (p+length) from end of last page
>    if(end_offset > 0)
>      end_offset = page_mask - end_offset;

I see the idea, thanks.
As for pointer-to-integer conversion, maybe casting to (uintptr_t) could 
be of help?  I've googled a bit and found out that it is in the C99 
standard.
Maybe we could check for its being available via Autoconf 
(AC_TYPE_UINTPTR_T macro) and use (uintptr_t) instead of (size_t) if 
that's the case?


>    // Total length of pages
>    size_t total_length = start_offset + length + end_offset;

I'm unsure total_length always has the right value.  If end_offset is 0, 
total_length should be pagesize I think.  I'll have a look at how to 
compute the expected length (multiple of pagesize).


>> icd.c:490:16: error: cast from capability type 'char *' to 
>> non-capability, non-address type 'unsigned long' is most likely an 
>> error [-Werror,-Wcapability-to-integer-cast]
>>          syslog(L_FATAL, "%s msync failed %s 0x%lx %d %m", LogName, 
>> ICDactpath,
>>                 (unsigned long) ICDactpointer, ICDactsize);
>>                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> That one should be %p. It would already be broken on a platform with 
> 32-bit long but 64-bit (or longer) pointers.

Agreed, I'll fix that, thanks.

-- 
Julien ÉLIE

« Vita breuis, ars longa, occasio praeceps, experimentum pericolosum,
   iudicium difficile. » (Hippocrate)
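As an added illustration (not code from the thread or from INN), here is the whole-page region computed the way the discussion above suggests: the page offset is read through a single (uintptr_t) conversion, the start pointer is derived from p by pointer arithmetic rather than synthesized from an integer, the total length is rounded up to a multiple of pagesize (adding nothing when p + length already ends on a page boundary), and the pointer is logged with %p. The function names and the static buffer standing in for a mapping are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length, in whole pages, of the region holding start_offset bytes of
 * leading slack plus length bytes of data.  pagesize must be a power of
 * two.  When start_offset + length already ends on a page boundary the
 * rounding adds nothing, so the result is exactly that many pages. */
size_t
whole_page_length(size_t start_offset, size_t length, size_t pagesize)
{
    size_t page_mask = pagesize - 1;
    return (start_offset + length + page_mask) & ~page_mask;
}

struct page_span {
    const char *start;    /* first byte of the first page, derived from p */
    size_t total_length;  /* multiple of pagesize covering [p, p + length) */
};

/* The only pointer-to-integer conversion is (uintptr_t)p, used to read the
 * page offset; the start pointer is p minus that offset, plain pointer
 * arithmetic, so no pointer is synthesized from an integer (on CHERI the
 * result keeps p's capability bounds and permissions). */
struct page_span
page_span_of(const char *p, size_t length, size_t pagesize)
{
    struct page_span s;
    size_t start_offset = (size_t)((uintptr_t)p & (pagesize - 1));

    s.start = p - start_offset;
    s.total_length = whole_page_length(start_offset, length, pagesize);
    return s;
}

int
main(void)
{
    static char buf[3 * 4096];   /* constructed stand-in for a mapped file */
    const char *p = buf + 100;
    struct page_span s = page_span_of(p, 4096, 4096);

    /* Log pointers with %p (cast to void *), never through unsigned long. */
    printf("msync region for %p: start %p, %zu bytes\n",
           (const void *)p, (const void *)s.start, s.total_length);
    return 0;
}
```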
