[PATCH] prio-queue: use size_t rather than int for size

[PATCH] prio-queue: use size_t rather than int for size

[Jeff King]

The alloc and nr fields of a prio-queue tell us how much memory is
allocated and used in the array. So the natural type for them is size_t,
which prevents overflow on 64-bit systems where "int" is still 32 bits.

This is unlikely to happen in practice, as we typically use it for
storing commits, and having 2^31 of those is rather a lot. But it's good
to keep our generic data structures as flexible as possible. And as we
start to enforce -Wsign-compare, it means that callers need to use
"int", too, and the problem proliferates. Let's fix it at the source.

The changes here can be put into a few groups:

  1. Changing the alloc/nr fields in the struct to size_t. This requires
     swapping out int for size_t in negotiator/skipping.c, as well as
     in prio_queue_get(), because those all iterate over the array.
     Building with -Wsign-compare complains about these.

  2. Other code that assigns or passes around indexes into the array
     (e.g., the swap() and compare() functions) won't trigger
     -Wsign-compare because we are simply truncating the values. These
     are caught by -Wconversion, but I've adjusted them here to
     future-proof us.

  3. In prio_queue_reverse() we compute "queue->nr - 1" without checking
     if anything is in the queue, which underflows now that nr is
     unsigned. We can fix that by returning early when the queue is
     empty (there is nothing to reverse).

  4. The insertion_ctr variable is currently unsigned, but can likewise
     grow (it is actually worse, because adding and removing an element
     many times will keep increasing the counter, even though "nr" does
     not). I've bumped that to size_t here, as well.

     But -Wconversion notes that computing the "cmp" result by
     subtracting the counters and assigning to "int" is a potential
     problem. And that's true even before this patch, since we use an
     unsigned counter (imagine comparing "2^32-1" and "0", which should
     be a high positive value, but instead is "-1" as a signed int).

     Since we only care about the sign (and not the magnitude) of the
     result, we could fix this by swapping out the subtraction for a
     ternary comparison. Probably the performance impact would be
     negligible, since we just called into a custom compare function and
     branched on its result anyway. But it's easy enough to do a
     branchless version by subtracting the comparison results.

Signed-off-by: Jeff King <peff@peff.net>
---
Noticed this because the -Wsign-compare topic hit next, which raised a
few warnings with my local branches (but I think prio-queue is in the
wrong here, hence this patch). It did turn out a little more involved
than I had expected, but I think the end result is more future-proof.

 negotiator/skipping.c |  5 ++---
 prio-queue.c          | 15 +++++++++------
 prio-queue.h          |  2 +-
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/negotiator/skipping.c b/negotiator/skipping.c
index abedb70a48..616df6bf3a 100644
--- a/negotiator/skipping.c
+++ b/negotiator/skipping.c
@@ -134,7 +134,6 @@ static int push_parent(struct data *data, struct entry *entry,
 	struct entry *parent_entry;
 
 	if (to_push->object.flags & SEEN) {
-		int i;
 		if (to_push->object.flags & POPPED)
 			/*
 			 * The entry for this commit has already been popped,
@@ -145,7 +144,7 @@ static int push_parent(struct data *data, struct entry *entry,
 		/*
 		 * Find the existing entry and use it.
 		 */
-		for (i = 0; i < data->rev_list.nr; i++) {
+		for (size_t i = 0; i < data->rev_list.nr; i++) {
 			parent_entry = data->rev_list.array[i].data;
 			if (parent_entry->commit == to_push)
 				goto parent_found;
@@ -248,7 +247,7 @@ static int ack(struct fetch_negotiator *n, struct commit *c)
 static void release(struct fetch_negotiator *n)
 {
 	struct data *data = n->data;
-	for (int i = 0; i < data->rev_list.nr; i++)
+	for (size_t i = 0; i < data->rev_list.nr; i++)
 		free(data->rev_list.array[i].data);
 	clear_prio_queue(&data->rev_list);
 	FREE_AND_NULL(data);
diff --git a/prio-queue.c b/prio-queue.c
index 450775a374..d0581dcc5c 100644
--- a/prio-queue.c
+++ b/prio-queue.c
@@ -1,26 +1,29 @@
 #include "git-compat-util.h"
 #include "prio-queue.h"
 
-static inline int compare(struct prio_queue *queue, int i, int j)
+static inline int compare(struct prio_queue *queue, size_t i, size_t j)
 {
 	int cmp = queue->compare(queue->array[i].data, queue->array[j].data,
 				 queue->cb_data);
 	if (!cmp)
-		cmp = queue->array[i].ctr - queue->array[j].ctr;
+		cmp = (queue->array[i].ctr > queue->array[j].ctr) -
+	              (queue->array[i].ctr < queue->array[j].ctr);
 	return cmp;
 }
 
-static inline void swap(struct prio_queue *queue, int i, int j)
+static inline void swap(struct prio_queue *queue, size_t i, size_t j)
 {
 	SWAP(queue->array[i], queue->array[j]);
 }
 
 void prio_queue_reverse(struct prio_queue *queue)
 {
-	int i, j;
+	size_t i, j;
 
 	if (queue->compare)
 		BUG("prio_queue_reverse() on non-LIFO queue");
+	if (!queue->nr)
+		return;
 	for (i = 0; i < (j = (queue->nr - 1) - i); i++)
 		swap(queue, i, j);
 }
@@ -35,7 +38,7 @@ void clear_prio_queue(struct prio_queue *queue)
 
 void prio_queue_put(struct prio_queue *queue, void *thing)
 {
-	int ix, parent;
+	size_t ix, parent;
 
 	/* Append at the end */
 	ALLOC_GROW(queue->array, queue->nr + 1, queue->alloc);
@@ -58,7 +61,7 @@ void prio_queue_put(struct prio_queue *queue, void *thing)
 void *prio_queue_get(struct prio_queue *queue)
 {
 	void *result;
-	int ix, child;
+	size_t ix, child;
 
 	if (!queue->nr)
 		return NULL;
diff --git a/prio-queue.h b/prio-queue.h
index 4f9a37e6be..36f370625f 100644
--- a/prio-queue.h
+++ b/prio-queue.h
@@ -30,7 +30,7 @@ struct prio_queue {
 	prio_queue_compare_fn compare;
 	unsigned insertion_ctr;
 	void *cb_data;
-	int alloc, nr;
+	size_t alloc, nr;
 	struct prio_queue_entry *array;
 };
 
-- 
2.48.0.rc0.406.g65874f98ea

Re: [PATCH] prio-queue: use size_t rather than int for size

[Jeff King]

On Fri, Dec 20, 2024 at 03:49:49AM -0500, Jeff King wrote:

> -static inline int compare(struct prio_queue *queue, int i, int j)
> +static inline int compare(struct prio_queue *queue, size_t i, size_t j)
>  {
>  	int cmp = queue->compare(queue->array[i].data, queue->array[j].data,
>  				 queue->cb_data);
>  	if (!cmp)
> -		cmp = queue->array[i].ctr - queue->array[j].ctr;
> +		cmp = (queue->array[i].ctr > queue->array[j].ctr) -
> +	              (queue->array[i].ctr < queue->array[j].ctr);
>  	return cmp;
>  }

Sorry, just realized that "diff --check" (and apply) complains about the
indentation here. It's a TAB followed by 14 spaces, instead of two TABs
followed by 6 spaces. I guess caused by me lining things up manually.

-Peff

Re: [PATCH] prio-queue: use size_t rather than int for size

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> On Fri, Dec 20, 2024 at 03:49:49AM -0500, Jeff King wrote:
>
>> -static inline int compare(struct prio_queue *queue, int i, int j)
>> +static inline int compare(struct prio_queue *queue, size_t i, size_t j)
>>  {
>>  	int cmp = queue->compare(queue->array[i].data, queue->array[j].data,
>>  				 queue->cb_data);
>>  	if (!cmp)
>> -		cmp = queue->array[i].ctr - queue->array[j].ctr;
>> +		cmp = (queue->array[i].ctr > queue->array[j].ctr) -
>> +	              (queue->array[i].ctr < queue->array[j].ctr);
>>  	return cmp;
>>  }
>
> Sorry, just realized that "diff --check" (and apply) complains about the
> indentation here. It's a TAB followed by 14 spaces, instead of two TABs
> followed by 6 spaces. I guess caused by me lining things up manually.

"git am --whitespace=fix" with or without "-3" corrects such
glitches just fine, and "git am --whitespace=error" correctly stops
me from applying such a patch.

What is worrysome is "git am -3 --whitespace=warn" does not seem to
catch it (without "-3" it works just fine).  I do not know offhand
if this is a recent regression or not.

Re: [PATCH] prio-queue: use size_t rather than int for size

[Jeff King]

On Fri, Dec 20, 2024 at 07:27:18AM -0800, Junio C Hamano wrote:

> > Sorry, just realized that "diff --check" (and apply) complains about the
> > indentation here. It's a TAB followed by 14 spaces, instead of two TABs
> > followed by 6 spaces. I guess caused by me lining things up manually.
> 
> "git am --whitespace=fix" with or without "-3" corrects such
> glitches just fine, and "git am --whitespace=error" correctly stops
> me from applying such a patch.
> 
> What is worrysome is "git am -3 --whitespace=warn" does not seem to
> catch it (without "-3" it works just fine).  I do not know offhand
> if this is a recent regression or not.

Interesting. I noticed with stock "git am" (I sometimes "reset --hard"
and reapply my own patches because I made tweaks to the commit message
while sending).

Looks like it does not warn even going back to v2.0.5 (my stock "this
was a long time ago" version). Curiously if you accidentally try to
apply the patch a second time, it does notice the problem.

So I agree it's a bug, but I think it has been around for a while.

-Peff

Re: [PATCH] prio-queue: use size_t rather than int for size

[Patrick Steinhardt]

On Fri, Dec 20, 2024 at 03:49:49AM -0500, Jeff King wrote:
[snip]
>   4. The insertion_ctr variable is currently unsigned, but can likewise
>      grow (it is actually worse, because adding and removing an element
>      many times will keep increasing the counter, even though "nr" does
>      not). I've bumped that to size_t here, as well.

I agree that bumping it to `size_t` would be sensible, but it doesn't
look like you actually followed through with that change, as...

> diff --git a/prio-queue.h b/prio-queue.h
> index 4f9a37e6be..36f370625f 100644
> --- a/prio-queue.h
> +++ b/prio-queue.h
> @@ -30,7 +30,7 @@ struct prio_queue {
>  	prio_queue_compare_fn compare;
>  	unsigned insertion_ctr;

... it still says `unsigned` here.

I was surprised by how few callers there are required any changes due to
`.nr` changing. I scanned through the code and found one more instance
where we have to adapt code, in commit-reach.c:queue_has_nonstale(). The
compiler does not generate warnings for this case because the file isn't
-Wsign-compare clean yet.

Anyway, I see that the patch has landed in "master" already. Let me send
a follow-up patch series to fix both issues.

Patrick

Re: [PATCH] prio-queue: use size_t rather than int for size

[Jeff King]

On Fri, Dec 27, 2024 at 11:15:31AM +0100, Patrick Steinhardt wrote:

> On Fri, Dec 20, 2024 at 03:49:49AM -0500, Jeff King wrote:
> [snip]
> >   4. The insertion_ctr variable is currently unsigned, but can likewise
> >      grow (it is actually worse, because adding and removing an element
> >      many times will keep increasing the counter, even though "nr" does
> >      not). I've bumped that to size_t here, as well.
> 
> I agree that bumping it to `size_t` would be sensible, but it doesn't
> look like you actually followed through with that change, as...

Doh, good catch. I had backed it out temporarily to confirm that it was
a problem even before the patch, but accidentally ended up with the
wrong state in the commit.

> I was surprised by how few callers there are required any changes due to
> `.nr` changing. I scanned through the code and found one more instance
> where we have to adapt code, in commit-reach.c:queue_has_nonstale(). The
> compiler does not generate warnings for this case because the file isn't
> -Wsign-compare clean yet.

Makes sense.

> Anyway, I see that the patch has landed in "master" already. Let me send
> a follow-up patch series to fix both issues.

Thanks!

-Peff