From: Thomas Haller <thaller@redhat.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: NetFilter <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nft 5/8] src: rework SNPRINTF_BUFFER_SIZE() and avoid "-Wunused-but-set-variable"
Date: Mon, 28 Aug 2023 17:49:53 +0200 [thread overview]
Message-ID: <aa481d83b0320078a17bebf215378992a4f7cb21.camel@redhat.com> (raw)
In-Reply-To: <ZOy5nTEQJvu7zdrx@calendula>
On Mon, 2023-08-28 at 17:13 +0200, Pablo Neira Ayuso wrote:
> On Mon, Aug 28, 2023 at 04:43:55PM +0200, Thomas Haller wrote:
> > SNPRINTF_BUFFER_SIZE() causes a warning with clang.
> >
> > evaluate.c:4134:9: error: variable 'size' set but not used [-
> > Werror,-Wunused-but-set-variable]
> > size_t size = 0;
> > ^
> >
> > meta.c:1006:9: error: variable 'size' set but not used [-
> > Werror,-Wunused-but-set-variable]
> > size_t size;
> > ^
> >
> > Fix that, and rework SNPRINTF_BUFFER_SIZE().
> >
> > - before and now, the macro asserts against truncation. Remove
> > error
> > handling related to truncation in the callers.
> >
> > - wrap the macro in "do { ... } while(0)" to make it more
> > function-like.
> >
> > - evaluate macro arguments exactly once, to make it more function-
> > like.
> >
> > - take pointers to the arguments that are being modified.
> >
> > - use assert() instead of abort().
> >
> > - use size_t type for arguments related to the buffer size.
> >
> > - drop "size". It was unused, and, unless the string was truncated,
> > it was identical to "offset".
> >
> > - "offset" previously was incremented before checking for
> > truncation.
> > So it would point somewhere past the buffer. This behavior is not
> > useful, because we assert against truncation. Now, in case of
> > truncation, "len" will be zero and "offset" will be the original
> > "len"
> > (that is, point after the buffer and one byte after the
> > terminating NUL).
> >
> > Signed-off-by: Thomas Haller <thaller@redhat.com>
> > ---
> > include/utils.h | 32 +++++++++++++++++++++++---------
> > src/evaluate.c | 11 +++++------
> > src/meta.c | 10 +++++-----
> > 3 files changed, 33 insertions(+), 20 deletions(-)
> >
> > diff --git a/include/utils.h b/include/utils.h
> > index cee1e5c1e8ae..873147fb54ec 100644
> > --- a/include/utils.h
> > +++ b/include/utils.h
> > @@ -72,15 +72,29 @@
> > #define max(_x, _y) ({ \
> > _x > _y ? _x : _y; })
> >
> > -#define SNPRINTF_BUFFER_SIZE(ret, size, len, offset) \
> > - if (ret < 0) \
> > - abort(); \
> > - offset += ret; \
> > - assert(ret < len); \
> > - if (ret > len) \
> > - ret = len; \
> > - size += ret; \
> > - len -= ret;
> > +#define SNPRINTF_BUFFER_SIZE(ret, len, offset) \
> > + do { \
> > + const int _ret = (ret); \
> > + size_t *const _len = (len); \
> > + size_t *const _offset = (offset); \
> > + size_t _ret2; \
> > + \
> > + assert(_ret >= 0); \
> > + \
> > + if ((size_t) _ret >= *_len) { \
> > + /* Fail an assertion on truncation.
> > + *
> > + * Anyway, we would set "len" to zero and
> > "offset" one
> > + * after the buffer size (past the
> > terminating NUL
> > + * byte). */ \
> > + assert((size_t) _ret < *_len); \
> > + _ret2 = *_len; \
> > + } else \
> > + _ret2 = (size_t) _ret; \
> > + \
> > + *_offset += _ret2; \
> > + *_len -= _ret2; \
> > + } while (0)
>
> This macro is something I made myself, which I am particularly not
> proud of it, but it getting slightly more complicated.
IMO it just got simpler. E.g. it is now function-like; you can easier
see which arguments are modified (we take a pointer to them); one
argument got dropped.
The remaining relevant parts (assertions and truncation check aside) is
literally
offset += ret;
len -= ret;
>
> Probably it time to turn this into a real function?
as it now behaves function-like, it can be easily converted to an
inline function. Only difference is that upon assertion failure, we no
longer see the location of the caller. It does not seem an improvement.
>
> > #define MSEC_PER_SEC 1000L
> >
> > diff --git a/src/evaluate.c b/src/evaluate.c
> > index 1ae2ef0de10c..f8cd7b7afda3 100644
> > --- a/src/evaluate.c
> > +++ b/src/evaluate.c
> > @@ -4129,14 +4129,16 @@ static int stmt_evaluate_queue(struct
> > eval_ctx *ctx, struct stmt *stmt)
> > static int stmt_evaluate_log_prefix(struct eval_ctx *ctx, struct
> > stmt *stmt)
> > {
> > char prefix[NF_LOG_PREFIXLEN] = {}, tmp[NF_LOG_PREFIXLEN] =
> > {};
> > - int len = sizeof(prefix), offset = 0, ret;
> > + size_t len = sizeof(prefix);
> > + size_t offset = 0;
> > struct expr *expr;
> > - size_t size = 0;
> >
> > if (stmt->log.prefix->etype != EXPR_LIST)
> > return 0;
> >
> > list_for_each_entry(expr, &stmt->log.prefix->expressions,
> > list) {
> > + int ret;
> > +
> > switch (expr->etype) {
> > case EXPR_VALUE:
> > expr_to_string(expr, tmp);
> > @@ -4150,12 +4152,9 @@ static int stmt_evaluate_log_prefix(struct
> > eval_ctx *ctx, struct stmt *stmt)
> > BUG("unknown expression type %s\n",
> > expr_name(expr));
> > break;
> > }
> > - SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
> > + SNPRINTF_BUFFER_SIZE(ret, &len, &offset);
> > }
> >
> > - if (len == NF_LOG_PREFIXLEN)
> > - return stmt_error(ctx, stmt, "log prefix is too
> > long");
>
> No error anymore?
>
> Not directly related, but are you sure tests we have are sufficient
> to
> cover for all these updates
No. I am not aware of test coverage.
SNPRINTF_BUFFER_SIZE() rejects truncation of the string by asserting
against it. That behavior is part of the API of that function. Error
checking after an assert seems unnecessary.
The check "if (len == NF_LOG_PREFIXLEN)" seems wrong anyway. After
truncation, "len" would be zero. The code previously checked whether
nothing was appended, but the error string didn't match that situation.
Maybe SNPRINTF_BUFFER_SIZE() should not assert against truncation?
Thomas
next prev parent reply other threads:[~2023-08-28 15:51 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-28 14:43 [PATCH nft 0/8] fix compiler warnings with clang Thomas Haller
2023-08-28 14:43 ` [PATCH nft 1/8] netlink: avoid "-Wenum-conversion" warning in dtype_map_from_kernel() Thomas Haller
2023-08-28 14:43 ` [PATCH nft 2/8] netlink: avoid "-Wenum-conversion" warning in parser_bison.y Thomas Haller
2023-08-28 14:43 ` [PATCH nft 3/8] src: use "%zx" format instead of "%Zx" Thomas Haller
2023-08-28 14:43 ` [PATCH nft 4/8] datatype: avoid cast-align warning with struct sockaddr result from getaddrinfo() Thomas Haller
2023-08-28 14:43 ` [PATCH nft 5/8] src: rework SNPRINTF_BUFFER_SIZE() and avoid "-Wunused-but-set-variable" Thomas Haller
2023-08-28 15:13 ` Pablo Neira Ayuso
2023-08-28 15:49 ` Thomas Haller [this message]
2023-08-28 16:04 ` Pablo Neira Ayuso
2023-08-28 16:45 ` Thomas Haller
2023-08-28 19:53 ` Pablo Neira Ayuso
2023-08-29 13:01 ` Thomas Haller
2023-08-28 14:43 ` [PATCH nft 6/8] src: suppress "-Wunused-but-set-variable" warning with "parser_bison.c" Thomas Haller
2023-08-28 14:43 ` [PATCH nft 7/8] utils: add _NFT_PRAGMA_WARNING_DISABLE()/_NFT_PRAGMA_WARNING_REENABLE helpers Thomas Haller
2023-08-28 14:43 ` [PATCH nft 8/8] datatype: suppress "-Wformat-nonliteral" warning in integer_type_print() Thomas Haller
2023-08-28 15:08 ` Pablo Neira Ayuso
2023-08-28 15:33 ` Thomas Haller
2023-08-28 15:54 ` Pablo Neira Ayuso
2023-08-28 16:24 ` Thomas Haller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aa481d83b0320078a17bebf215378992a4f7cb21.camel@redhat.com \
--to=thaller@redhat.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).