[PATCH v2] git-compat-util.h: implement a different ARRAY_SIZE macro for for safely deriving the size of array

[PATCH v2] git-compat-util.h: implement a different ARRAY_SIZE macro for for safely deriving the size of array

[Elia Pinto]

To get number of elements in an array git use the ARRAY_SIZE macro defined as:

       #define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0]))

The problem with it is a possibility of mistakenly passing to it a
pointer instead an array. The ARRAY_SIZE macro as conventionally
defined does not provide good type-safety and the open-coded approach
is more fragile, more verbose and provides no improvement in type-safety.

Use instead a different but compatible ARRAY_SIZE() macro,
which will also break compile if you try to
use it on a pointer. This implemention revert to the original code if
the compiler doesn't know the typeof and __builtin_types_compatible_p
GCC extensions.

This can ensure our code is robust to changes, without
needing a gratuitous macro or constant. A similar
ARRAY_SIZE implementation also exists in the linux kernel.

Credits to Rusty Russell and his ccan library.

Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
---
 Makefile          |  7 +++++++
 configure.ac      | 24 ++++++++++++++++++++++++
 git-compat-util.h | 36 +++++++++++++++++++++++++++++++++++-
 3 files changed, 66 insertions(+), 1 deletion(-)

This is the second version of this patch. 
It had not been discussed before. In the second version, I just tried to clarify 
the comment in the commit. I resend it just in case you missed

diff --git a/Makefile b/Makefile
index 5f3987f..cb2a044 100644
--- a/Makefile
+++ b/Makefile
@@ -359,6 +359,9 @@ all::
 # compiler is detected to support it.
 #
 # Define HAVE_BSD_SYSCTL if your platform has a BSD-compatible sysctl function.
+#
+# Define SUPPORT__BUILTIN_TYPES_COMPATIBLE_P if your compiler support
+# the builtin function __builtin_types_compatible_
 
 GIT-VERSION-FILE: FORCE
 	@$(SHELL_PATH) ./GIT-VERSION-GEN
@@ -1437,6 +1440,10 @@ ifdef HAVE_BSD_SYSCTL
 	BASIC_CFLAGS += -DHAVE_BSD_SYSCTL
 endif
 
+ifdef SUPPORT__BUILTIN_TYPES_COMPATIBLE_P
+	BASIC_CFLAGS += -DSUPPORT__BUILTIN_TYPES_COMPATIBLE_P
+endif
+
 ifeq ($(TCLTK_PATH),)
 NO_TCLTK = NoThanks
 endif
diff --git a/configure.ac b/configure.ac
index bbdde85..151864d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -139,6 +139,28 @@ if test -n "$1"; then
 fi
 ])
 
+AC_DEFUN([GIT_FUNC_TYPES_COMPATIBLE_P], [
+	AC_CACHE_CHECK([if compiler has __builtin_types_compatible_p function],
+		[cc_cv_func_types_compatible_p],
+		[ac_save_CFLAGS="$CFLAGS"
+		CFLAGS="$CFLAGS -Werror"
+		AC_COMPILE_IFELSE([AC_LANG_SOURCE(
+			[int some_function();
+			int some_function() {
+			return __builtin_types_compatible_p(char *, int) ? 1 : 0;
+			}])],
+			[cc_cv_func_types_compatible_p=yes],
+			[cc_cv_func_types_compatible_p=no])
+		CFLAGS="$ac_save_CFLAGS"
+	])
+
+	AS_IF([test "x$cc_cv_func_types_compatible_p" = "xyes"],
+		[GIT_CONF_SUBST([SUPPORT__BUILTIN_TYPES_COMPATIBLE_P], [YesPlease])],
+		[$2])
+])
+
+
+
 ## Configure body starts here.
 
 AC_PREREQ(2.59)
@@ -910,6 +932,8 @@ else
 fi
 GIT_CONF_SUBST([NEEDS_MODE_TRANSLATION])
 
+GIT_FUNC_TYPES_COMPATIBLE_P
+
 
 ## Checks for library functions.
 ## (in default C library and libraries checked by AC_CHECK_LIB)
diff --git a/git-compat-util.h b/git-compat-util.h
index bc8fc8c..8e9f6c2 100644
--- a/git-compat-util.h
+++ b/git-compat-util.h
@@ -25,7 +25,41 @@
 #endif
 #endif
 
-#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0]))
+
+/*
+ * BUILD_ASSERT_OR_ZERO - assert a build-time dependency, as an expression.
+ * @cond: the compile-time condition which must be true.
+ *
+ * Your compile will fail if the condition isn't true, or can't be evaluated
+ * by the compiler.  This can be used in an expression: its value is "0".
+ *
+ * Example:
+ *	#define foo_to_char(foo)					\
+ *		 ((char *)(foo)						\
+ *		  + BUILD_ASSERT_OR_ZERO(offsetof(struct foo, string) == 0))
+ */
+#define BUILD_ASSERT_OR_ZERO(cond) \
+	(sizeof(char [1 - 2*!(cond)]) - 1)
+
+
+#if SUPPORT__BUILTIN_TYPES_COMPATIBLE_P
+/* &arr[0] degrades to a pointer: a different type from an array */
+#define _array_size_chk(arr)						\
+	BUILD_ASSERT_OR_ZERO(!__builtin_types_compatible_p(typeof(arr), \
+							typeof(&(arr)[0])))
+#else
+#define _array_size_chk(arr) 0
+#endif
+
+/*
+ * ARRAY_SIZE - get the number of elements in a visible array
+ *  <at> x: the array whose size you want.
+ *
+ * This does not work on pointers, or arrays declared as [], or
+ * function parameters.  With correct compiler support, such usage
+ * will cause a build error (see build_assert).
+ */
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]) + _array_size_chk(x))
 #define bitsizeof(x)  (CHAR_BIT * sizeof(x))
 
 #define maximum_signed_value_of_type(a) \
-- 
2.1.0

Re: [PATCH v2] git-compat-util.h: implement a different ARRAY_SIZE macro for for safely deriving the size of array

[Junio C Hamano]

Elia Pinto <gitter.spiros@gmail.com> writes:

> This is the second version of this patch.  It had not been
> discussed before. In the second version, I just tried to clarify
> the comment in the commit. I resend it just in case you missed

I do not recall seeing it before.  No discussion usually means no
interest, so I'll see what happens this time on the list for a few
days before picking it up.

> +#if SUPPORT__BUILTIN_TYPES_COMPATIBLE_P
> +/* &arr[0] degrades to a pointer: a different type from an array */
> +#define _array_size_chk(arr)						\
> +	BUILD_ASSERT_OR_ZERO(!__builtin_types_compatible_p(typeof(arr), \
> +							typeof(&(arr)[0])))
> +#else
> +#define _array_size_chk(arr) 0
> +#endif

Wouldn't there be a more sensible name?  _chk does not tell us
anything about what is being checked, and the only thing this name
gives us is "what uses it" (i.e. it is some magic used by array-size
and does not say what it checks and what for).

I think you are checking arr is an array and not a pointer.  Perhaps
"#define is_an_array(arr)" or something along that line may be a
more descriptive name for it.

I doubt the leading underscore is particularly a good idea, though.

> +/*
> + * ARRAY_SIZE - get the number of elements in a visible array
> + *  <at> x: the array whose size you want.
> + *
> + * This does not work on pointers, or arrays declared as [], or
> + * function parameters.  With correct compiler support, such usage
> + * will cause a build error (see build_assert).
> + */
> +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]) + _array_size_chk(x))
>  #define bitsizeof(x)  (CHAR_BIT * sizeof(x))
>  
>  #define maximum_signed_value_of_type(a) \

Re: [PATCH v2] git-compat-util.h: implement a different ARRAY_SIZE macro for for safely deriving the size of array

[Junio C Hamano]

Junio C Hamano <gitster@pobox.com> writes:

>> +#if SUPPORT__BUILTIN_TYPES_COMPATIBLE_P
>> +/* &arr[0] degrades to a pointer: a different type from an array */
>> +#define _array_size_chk(arr)						\
>> +	BUILD_ASSERT_OR_ZERO(!__builtin_types_compatible_p(typeof(arr), \
>> +							typeof(&(arr)[0])))
>> +#else
>> +#define _array_size_chk(arr) 0
>> +#endif
>
> Wouldn't there be a more sensible name?  _chk does not tell us
> anything about what is being checked, and the only thing this name
> gives us is "what uses it" (i.e. it is some magic used by array-size
> and does not say what it checks and what for).
>
> I think you are checking arr is an array and not a pointer.  Perhaps
> "#define is_an_array(arr)" or something along that line may be a
> more descriptive name for it.
>
> I doubt the leading underscore is particularly a good idea, though.

And "is_an_array(arr)" is probably not quite a good name, as that
sounds as if it would give 1 and adding it to sizeof(x)/sizeof(x[0])
does not make sense.  barf_if_not_an_array() is what the macro does.

Re: [PATCH v2] git-compat-util.h: implement a different ARRAY_SIZE macro for for safely deriving the size of array

[Jeff King]

On Mon, Apr 27, 2015 at 10:56:30AM -0700, Junio C Hamano wrote:

> Elia Pinto <gitter.spiros@gmail.com> writes:
> 
> > This is the second version of this patch.  It had not been
> > discussed before. In the second version, I just tried to clarify
> > the comment in the commit. I resend it just in case you missed
> 
> I do not recall seeing it before.  No discussion usually means no
> interest, so I'll see what happens this time on the list for a few
> days before picking it up.

I'm in favor of any method for improving compile-time bug-checking,
provided that:

  1. It does not carry a maintenance cost that spreads throughout the
     code base (e.g., here the cost is localized to making ARRAY_SIZE a
     bit more complex, but callers do not have to care about the extra
     checking).

  2. It gracefully degrades when using older compilers (i.e., we can
     fall back to the existing ARRAY_SIZE definition when the magic
     builtin is not available).

I think this is OK for both points. It would be nice if we could
auto-detect the presence of the builtin without using autoconf. I think
most git developers do not use autoconf at all, and the feature does not
help much if nobody turns it on. Is there a __GNUC__ or similar
feature-test macro we could use for this?

> > +#define _array_size_chk(arr) 0
> > +#endif
> 
> Wouldn't there be a more sensible name?  _chk does not tell us
> anything about what is being checked, and the only thing this name
> gives us is "what uses it" (i.e. it is some magic used by array-size
> and does not say what it checks and what for).
> 
> I think you are checking arr is an array and not a pointer.  Perhaps
> "#define is_an_array(arr)" or something along that line may be a
> more descriptive name for it.
> 
> I doubt the leading underscore is particularly a good idea, though.

Agreed on the naming (modulo the "not" from your follow-on email). Also,
should it be in ALL_CAPS like the other added macros? We are slightly
inconsistent about that in our code-base.

-Peff