Web lists-archives.com

Re: [PATCH] strbuf: use designated initializers in STRBUF_INIT




On Fri, Jul 14, 2017 at 09:11:33AM -0700, Junio C Hamano wrote:

> As to other things that we currently not allow in our codebase that
> newer compilers can grok, here is what *I* think.  It is *not* meant
> to be an exhaustive "what's new in C99 that is not in C89? what is
> the final verdict on each of them?":
> 
>  - There were occasional cases where we wished if variable-length
>    arrays, flexible array members and variadic macros were available
>    in our codebase during the course of this project.  We would
>    probably want to add a similar test baloon patch for each of
>    them to this series that is currently two-patch long.

I think variable-length arrays are potentially dangerous. They're
allocated on the stack, which creates two issues:

  1. You can run out of stack space and segfault, whereas the same
     operation with a heap buffer would be fine. You can say "but this
     VLA will only be used for small things". But then, you can just as
     easily declare a small stack buffer.

  2. My understanding of the recent "Stack Clash" class of
     vulnerabilities[1] is that VLAs make the attacker's job much easier
     (since they can often just send a large input to get you to
     allocate a large stack).

I think variadic macros are a good candidate, though. There have been a
number of times where we've had to sacrifice functionality or
readability in our helper functions. E.g., the case mentioned in
368953912 (add helpers for allocating flex-array structs, 2016-02-22).

The weather-balloon patch for that should be easy, too: just drop the
fallback macros from BUG() or the trace code.

[1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

>  - I prefer to keep decl-after-statement out of our codebase.  I
>    view it as a big plus in code-readability to be able to see a
>    complete list of variables that will be used in a block upfront
>    before starting to read the code that uses them.
> 
>  - Corollary to the above, I do not mind to have a variable
>    declaration in the initialization clause of a for() statement
>    (e.g. "for (int i = 0; i < 4; i++) { ... }"), as the scoping rule
>    is very sensible.  Some of our "for()" statements use the value
>    of the variable after iteration, for which this new construct
>    cannot be used, though.

I agree with both of those points. I think the decl-in-for is nice
exactly because it highlights those cases where the iteration variable's
value is relevant after the loop ends.

>  - This may be showing I am not just old fashioned but also am
>    ignorant, but I do not see much point in using the following in
>    our codebase (iow, I am not aware of places in the existing code
>    that they can be improved by employing these features):
> 
>    . // comments
>    . restricted pointers
>    . static and type qualifiers in parameter array declarators

Agreed, though I think the comment thing is a personal taste issue (just
not my taste).

> +static int clean_use_color = -1;
> +static char clean_colors[][COLOR_MAXLEN] = {
> +	[CLEAN_COLOR_RESET] = GIT_COLOR_RESET,
> +	[CLEAN_COLOR_PLAIN] = GIT_COLOR_NORMAL,
> +	[CLEAN_COLOR_PROMPT] = GIT_COLOR_BOLD_BLUE,
> +	[CLEAN_COLOR_HEADER] = GIT_COLOR_BOLD,
> +	[CLEAN_COLOR_HELP] = GIT_COLOR_BOLD_RED,
> +	[CLEAN_COLOR_ERROR] = GIT_COLOR_BOLD_RED,
> +};

I think this is much nicer to read. I assume if we have a "hole" in our
numbering that the hole is initialized in the usual static way (a
COLOR_MAXLEN array full of NULs in this case, I guess)?

-Peff