From: Jeff King <peff@peff.net>
To: Junio C Hamano <gitster@pobox.com>
Cc: Johannes Schindelin <johannes.schindelin@gmx.de>,
	Stefan Beller <sbeller@google.com>,
	Michael Blume <blume.mike@gmail.com>,
	peter@lekensteyn.nl, eungjun.yi@navercorp.com,
	Git List <git@vger.kernel.org>
Subject: Re: Git compile warnings (under mac/clang)
Date: Fri, 23 Jan 2015 13:37:37 -0500	[thread overview]
Message-ID: <20150123183737.GA32191@peff.net> (raw)
In-Reply-To: <xmqqwq4dqskp.fsf@gitster.dls.corp.google.com>

On Fri, Jan 23, 2015 at 10:07:18AM -0800, Junio C Hamano wrote:

> >> diff --git a/fsck.c b/fsck.c
> >> index 15cb8bd..8f8c82f 100644
> >> --- a/fsck.c
> >> +++ b/fsck.c
> >> @@ -107,7 +107,7 @@ static int fsck_msg_severity(enum fsck_msg_id msg_id,
> >>  {
> >>  	int severity;
> >>  
> >> -	if (options->msg_severity && msg_id >= 0 && msg_id < FSCK_MSG_MAX)
> >> +	if (options->msg_severity && ((unsigned int) msg_id) < FSCK_MSG_MAX)
> >>  		severity = options->msg_severity[msg_id];
> >>  	else {
> >>  		severity = msg_id_info[msg_id].severity;
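Review bot: the tightened range check in this hunk still guards only the override table; the `else` branch right below it (`severity = msg_id_info[msg_id].severity;`) indexes the global table with the same unchecked msg_id, so a value that fails the new comparison is simply routed to a different out-of-bounds read. Validate msg_id once before the `if` (an assert(), or a die("BUG: ...")) and only then choose between `options->msg_severity[msg_id]` and `msg_id_info[msg_id]`. The `(unsigned int)` cast does silence the tautological `msg_id >= 0` warning when the compiler gives the enum an unsigned underlying type, but a one-line comment saying that is why the cast is there would stop the next reader from "simplifying" it back.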
> >> -- snap --
> >> 
> >> What do you think? Michael, does this cause more Clang warnings,
> >> or would it resolve the issue?
> >
> > Hmm, yeah, that does not seem unreasonable, and is more localized.
> 
> Or we could force enum to be signed by defining FSCK_MSG_UNUSED to
> be -1 at the very beginning of enum definition, without changing
> anything else.  Then "msg_id < 0" would become a very valid
> protection against programming mistakes, no?

Yeah, I think that would work, too. It is a little unfortunate in the
sense that it actually makes things _worse_ from the perspective of the
type system. That is, in the current code if you assume that everyone
else has followed the type rules, then an fsck_msg_id you get definitely
is indexable into various arrays. But if you add in a sentinel value,
now you (in theory) have to check for the sentinel value everywhere.

I'm not sure if that matters in practice, though, if you are going to be
defensive against people misusing the enum system in the first place
(e.g., you are worried about them passing a random int and having it
produce a segfault, you have to do range checks either way).

But of all the options outlined, I think I'd much rather just see an
assert() for something that should never happen, rather than mixing it
into the logic.

In that vein, one thing that puzzles me is that the current code looks
like:

  if (options->msg_severity && msg_id >= 0 && msg_id < FSCK_MSG_MAX)
	  severity = options->msg_severity[msg_id];
  else {
	  severity = msg_id_info[msg_id].severity;
	  ...
  }

So if the severity override list given by "options" exists, _and_ if we
are in the enum range, then we use that. Otherwise, we dereference the
global list. But wouldn't an out-of-range condition have the exact same
problem dereferencing that global list?

IOW, should this really be:

  if (msg_id < 0 || msg_id >= FSCK_MSG_MAX)
	die("BUG: broken enum");

  if (options->msg_severity)
	severity = options->msg_severity[msg_id];
  else
	severity = msg_id_info[msg_id].severity;

? And then you can spell that first part as assert(), which I suspect
(but did not test) may shut up clang's warnings.

-Peff
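As an added example, not code from this thread or from git's fsck.c: the lookup restructured the way Peff sketches it, with a single range check ahead of both tables, reporting the out-of-range case instead of dereferencing. The enum values, the msg_id_info table and the fsck_options struct are constructed stand-ins for the real ones.

```c
/* Added example (not git's own fsck.c): range-check msg_id once, before
 * either table is indexed, as the message above suggests. The enum, the
 * msg_id_info[] table and fsck_options are constructed stand-ins. */
#include <stddef.h>
#include <stdio.h>

enum fsck_msg_id {
	FSCK_MSG_BAD_DATE,
	FSCK_MSG_MISSING_AUTHOR,
	FSCK_MSG_ZERO_PADDED_DATE,
	FSCK_MSG_MAX
};

enum fsck_severity { FSCK_IGNORE = 0, FSCK_WARN = 1, FSCK_ERROR = 2 };

/* Constructed stand-in for the global msg_id_info[] table. */
static const struct { enum fsck_severity severity; } msg_id_info[FSCK_MSG_MAX] = {
	{ FSCK_ERROR }, { FSCK_ERROR }, { FSCK_WARN }
};

struct fsck_options {
	/* NULL, or an override table with exactly FSCK_MSG_MAX entries. */
	const int *msg_severity;
};

/* Returns the severity, or -1 when msg_id is outside [0, FSCK_MSG_MAX).
 * The check runs before *either* table is dereferenced, so the global
 * msg_id_info[] is protected exactly like the per-options override.
 * The unsigned cast folds the "< 0" test into one comparison and does
 * not care whether the compiler made the enum signed or unsigned. */
int fsck_msg_severity(enum fsck_msg_id msg_id, const struct fsck_options *options)
{
	if ((unsigned int)msg_id >= FSCK_MSG_MAX)
		return -1;	/* "BUG: broken enum"; git would die() here */

	if (options->msg_severity)
		return options->msg_severity[msg_id];
	return msg_id_info[msg_id].severity;
}

int main(void)
{
	int overrides[FSCK_MSG_MAX] = { FSCK_WARN, FSCK_IGNORE, FSCK_ERROR };
	struct fsck_options with = { overrides }, without = { NULL };

	printf("override: %d\n", fsck_msg_severity(FSCK_MSG_BAD_DATE, &with));
	printf("global:   %d\n", fsck_msg_severity(FSCK_MSG_BAD_DATE, &without));
	printf("bogus:    %d\n", fsck_msg_severity((enum fsck_msg_id)-1, &without));
	return 0;
}
```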
