From: Paolo Bonzini <pbonzini@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-rust@nongnu.org
Subject: Re: [PATCH 05/12] util/error: allow non-NUL-terminated err->src
Date: Tue, 27 May 2025 16:34:11 +0200
Message-ID: <feb8251e-715f-4de7-a390-eb5b053de0f6@redhat.com>
In-Reply-To: <87sekqmapy.fsf@pond.sub.org>
On 5/27/25 15:42, Markus Armbruster wrote:
> Paolo Bonzini <pbonzini@redhat.com> writes:
>
>> Rust makes the current file available as a statically-allocated string,
>> but without a NUL terminator. Allow this by storing an optional maximum
>> length in the Error.
>>
>> Note that for portability I am not relying on fprintf's precision
>> specifier not accessing memory beyond what will be printed.
>
> Can you elaborate on the portability problem? I figure ...
>
>> {
>> if (errp == &error_abort) {
>> + const char *src = err->src;
>> + if (err->src_len >= 0) {
>> + /* No need to free it, the program will abort very soon... */
>> + src = g_strndup(err->src, err->src_len);
>> + }
>> fprintf(stderr, "Unexpected error in %s() at %s:%d:\n",
>> - err->func, err->src, err->line);
>> + err->func, src, err->line);
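Review bot: the `if (err->src_len >= 0)` test turns a negative `src_len` into the marker for "src is an ordinary NUL-terminated string", but nothing in the hunk states that convention; a comment at the field definition (or next to this test) saying that `src_len < 0` means NUL-terminated would spare readers from reverse-engineering it. The `g_strndup()` comment should also say outright that the copy is intentionally leaked because `abort()` follows, since `src` is never freed on this path and anyone later reusing the pattern elsewhere would otherwise inherit a leak.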
>
> ... you're avoiding the simpler
>
>     fprintf(stderr, "Unexpected error in %s() at %.*s:%d:\n",
>             err->func, err->src_len, err->src, err->line);
>
> because of it.
I couldn't find anything that says %s is allowed to not be
NUL-terminated if a precision is given. That is, whether something like
this:

    char foo[] = {'H', 'e', 'l', 'l', 'o'};
    printf("%.5s\n", foo);

is guaranteed to work.

This is opposed to:

1) strnlen
(https://pubs.opengroup.org/onlinepubs/9699919799/functions/strnlen.html),
which is guaranteed to examine no more than the number of bytes given by
the second character;

2) strndup, for which I found at least a clarification at
https://www.austingroupbugs.net/view.php?id=1397.

3) g_strndup, which guarantees that the allocated block is of length n+1
and padded with NULs (though in the case above there will be just one
NUL anyway).

And also, for strndup/g_strndup it would be quite asinine to implement
it using some kind of min(strlen(s), n) but for printf the complexity is
greater so you never know. I erred on the side of caution because
avoiding an allocation before an abort() isn't particularly interesting.
Paolo
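The concern in the exchange above is an out-of-bounds read: a `%.*s` whose precision is meant to stop the read at the end of a non-NUL-terminated slice, while nothing in the C or POSIX text promises that the libc stops there. The following is an added example, not code from the QEMU patch or from Paolo's reply, showing the approach the patch takes in stand-alone form: bound the length with a call whose reading behaviour the standard does pin down, copy into a NUL-terminated temporary, and print with a plain `%s`. It assumes the patch's convention that a negative `src_len` means "src is an ordinary C string"; `format_location`, `bounded_len` and `location_equals` are names chosen here, and the inputs in `main` are constructed for the demonstration. Unlike the patch it uses `memchr()` rather than `strnlen()` for the bounded scan, because `memchr()` is ISO C and C11 7.24.5.1 requires it to read sequentially and stop at the first match.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Added example (not part of the QEMU patch): print an error location whose
 * source-file name may be a non-NUL-terminated slice, as a Rust &'static str
 * is, without depending on printf's "%.*s" never touching bytes past the
 * precision.  Convention assumed here, mirroring the patch: src_len < 0 means
 * "src is an ordinary NUL-terminated C string".
 */

/* Length of src, looking at no more than max_len bytes.  C11 7.24.5.1 requires
 * memchr() to read sequentially and stop at the first match, so it never
 * touches bytes beyond the first NUL or beyond max_len. */
static size_t bounded_len(const char *src, size_t max_len)
{
    const char *nul = memchr(src, '\0', max_len);
    return nul ? (size_t)(nul - src) : max_len;
}

/* Format "Unexpected error in FUNC() at SRC:LINE:" into out (size out_size).
 * Returns the snprintf() result, or -1 on allocation failure. */
int format_location(char *out, size_t out_size, const char *func,
                    const char *src, int src_len, int line)
{
    size_t n = src_len >= 0 ? bounded_len(src, (size_t)src_len) : strlen(src);

    /* Copy into a NUL-terminated temporary so a plain %s is safe whatever the
     * libc does with a precision; the extra allocation is the price of not
     * relying on behaviour the standard does not specify. */
    char *tmp = malloc(n + 1);
    if (tmp == NULL) {
        return -1;
    }
    memcpy(tmp, src, n);
    tmp[n] = '\0';

    int r = snprintf(out, out_size, "Unexpected error in %s() at %s:%d:",
                     func, tmp, line);
    free(tmp);
    return r;
}

/* Helper for checking: 1 if formatting yields exactly expected, else 0. */
int location_equals(const char *func, const char *src, int src_len, int line,
                    const char *expected)
{
    char buf[128];
    if (format_location(buf, sizeof buf, func, src, src_len, line) < 0) {
        return 0;
    }
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a 5-byte file name with no terminator, as Rust
     * would hand over, and an ordinary C string. */
    const char rust_src[5] = {'H', 'e', 'l', 'l', 'o'};
    char buf[128];

    format_location(buf, sizeof buf, "realize", rust_src, 5, 42);
    puts(buf);
    format_location(buf, sizeof buf, "realize", "hw/dev.c", -1, 7);
    puts(buf);
    return 0;
}
```

The third case in the checks below (an explicit length larger than the distance to an embedded NUL) is the one that shows why the bound matters in both directions: the scan must stop at the first NUL as well as at `src_len`, which is exactly what `strnlen()` and `g_strndup()` promise and what the email could not confirm for `printf`.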