From: Jeff King <peff@peff.net>
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: Junio C Hamano <gitster@pobox.com>,
git@vger.kernel.org, Stefan Beller <sbeller@google.com>
Subject: Re: [PATCH 1/2] introduce "banned function" list
Date: Fri, 20 Jul 2018 13:56:03 -0400 [thread overview]
Message-ID: <20180720175602.GC22486@sigill.intra.peff.net> (raw)
In-Reply-To: <20180720132241.GN30706@thunk.org>
On Fri, Jul 20, 2018 at 09:22:41AM -0400, Theodore Y. Ts'o wrote:
> On Thu, Jul 19, 2018 at 09:08:08PM -0400, Jeff King wrote:
> > Ditto for sprintf, where you should _always_ be using at least xsnprintf
> > (or some better tool, depending on the situation). And for strncpy,
> > strlcpy (or again, some better tool) is strictly an improvement.
>
> Nitpick: this may be true for git, but it's not strictly true in all
> cases. I actually have a (non-git) case where strncpy *is* the right
> tool. And this is one where I'm copying a NUL-terminated string into
> a fixed-length charater array (in the ext4 superblock) which is *not*
> NUL-terminated. In that case, strncpy works(); but strlcpy() does not
> do what I want.
Thanks for an interesting (and exotic) counter-point. For strcpy(), you
always have to run strlen() anyway to know you're not going to overflow,
so you might as well memcpy() at that point. But if you really are OK
with truncation, then using strncpy() lets you copy while walking over
the string only once, which is more efficient. On the other hand,
strncpy() fills out NULs to the end of the destination array, so you are
paying an extra cost for small strings.
> So I used strncpy() advisedly, and I ignore people running Coccinelle
> scripts and blindly sending patches to "fix" ext4.
Even after hearing your counter-point, I think I'm still OK with the
ban. Because as you've noticed, even if the call is fine, it carries an
ongoing maintenance cost. Every time you (or somebody else) audits, you
have to skip over that known-good call. And you have to deal with
well-meaning patches. So to me there's value in eliminating it even if
it's an acceptable tool.
We don't have any remaining calls to strncpy() in Git, so this lets us
punt on deciding if the ban is worth changing what's there. We can wait
for somebody to decide they _really_ need strncpy, and we can discuss it
then with a concrete case.
> But perhaps that's also a solution for git? You don't have to
> necessarily put them on a banned list; you could instead have some
> handy, pre-set scripts that scan the entire code base looking for
> "bad" functions with cleanups automatically suggested. This could be
> run at patch review time, and/or periodically (especially before a
> release).
We do this already with coccinelle for some transformations. But I think
there's real value in linting that's always run, and is cheap. Catching
these things early means we don't have to spend time on them in review,
or dealing with follow-up patches.
-Peff
next prev parent reply other threads:[~2018-07-20 17:56 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-19 20:33 [PATCH 0/2] fail compilation with strcpy Jeff King
2018-07-19 20:39 ` [PATCH 1/2] introduce "banned function" list Jeff King
2018-07-19 21:11 ` Eric Sunshine
2018-07-19 21:27 ` Jeff King
2018-07-19 21:59 ` Eric Sunshine
2018-07-20 0:55 ` Jeff King
2018-07-19 21:15 ` Stefan Beller
2018-07-19 21:32 ` Jeff King
2018-07-19 21:47 ` Stefan Beller
2018-07-20 0:54 ` Jeff King
2018-07-19 22:46 ` Junio C Hamano
2018-07-19 23:55 ` Randall S. Becker
2018-07-20 1:08 ` Jeff King
2018-07-20 1:12 ` Jeff King
2018-07-20 9:32 ` Junio C Hamano
2018-07-20 17:45 ` Jeff King
2018-07-20 13:22 ` Theodore Y. Ts'o
2018-07-20 17:56 ` Jeff King [this message]
2018-07-20 19:03 ` Junio C Hamano
2018-07-20 12:42 ` Derrick Stolee
2018-07-20 14:41 ` Duy Nguyen
2018-07-20 17:48 ` Elijah Newren
2018-07-20 18:04 ` Jeff King
2018-07-20 18:00 ` Jeff King
2018-07-19 20:39 ` [PATCH 2/2] banned.h: mark strncpy as banned Jeff King
2018-07-19 21:12 ` Ævar Arnfjörð Bjarmason
2018-07-19 21:33 ` Jeff King
2018-07-20 18:58 ` [PATCH 0/2] fail compilation with strcpy Junio C Hamano
2018-07-20 19:18 ` Jeff King
2018-07-20 21:50 ` Junio C Hamano
2018-07-24 9:23 ` [PATCH v2 0/4] " Jeff King
2018-07-24 9:26 ` [PATCH v2 1/4] automatically ban strcpy() Jeff King
2018-07-24 17:20 ` Eric Sunshine
2018-07-26 6:58 ` Jeff King
2018-07-26 7:21 ` [PATCH v3 " Jeff King
2018-07-26 17:33 ` Junio C Hamano
2018-07-27 8:08 ` Jeff King
2018-07-27 17:34 ` Junio C Hamano
2018-07-28 9:24 ` Jeff King
2018-07-24 9:26 ` [PATCH v2 2/4] banned.h: mark strcat() as banned Jeff King
2018-07-24 9:27 ` [PATCH v2 3/4] banned.h: mark sprintf() " Jeff King
2018-07-24 9:28 ` [PATCH v2 4/4] banned.h: mark strncpy() " Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180720175602.GC22486@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=sbeller@google.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).