Re: [PATCH] refs: make sure we never pass NULL to hashcpy

[Thomas Gummerer <t.gummerer@gmail.com>]

On Wed, Sep 6, 2017 at 2:26 AM, Junio C Hamano <gitster@pobox.com> wrote:
> Thomas Gummerer <t.gummerer@gmail.com> writes:
>
>> gcc on arch linux (version 7.1.1) warns that a NULL argument is passed
>> as the second parameter of memcpy.
>>
>> In file included from refs.c:5:0:
>> refs.c: In function ‘ref_transaction_verify’:
>> cache.h:948:2: error: argument 2 null where non-null expected [-Werror=nonnull]
>>   memcpy(sha_dst, sha_src, GIT_SHA1_RAWSZ);
>>   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> In file included from git-compat-util.h:165:0,
>>                  from cache.h:4,
>>                  from refs.c:5:
>> /usr/include/string.h:43:14: note: in a call to function ‘memcpy’ declared here
>>  extern void *memcpy (void *__restrict __dest, const void *__restrict __src,
>>               ^~~~~~
>> ...
>> diff --git a/refs.c b/refs.c
>> index ba22f4acef..d8c12a9c44 100644
>> --- a/refs.c
>> +++ b/refs.c
>> @@ -896,10 +896,14 @@ struct ref_update *ref_transaction_add_update(
>>
>>       update->flags = flags;
>>
>> -     if (flags & REF_HAVE_NEW)
>> +     if (flags & REF_HAVE_NEW) {
>> +             assert(new_sha1);
>>               hashcpy(update->new_oid.hash, new_sha1);
>> -     if (flags & REF_HAVE_OLD)
>> +     }
>> +     if (flags & REF_HAVE_OLD) {
>> +             assert(old_sha1);
>>               hashcpy(update->old_oid.hash, old_sha1);
>> +     }
>
> It is hugely annoying to see a halfway-intelligent compiler forces
> you to add such pointless asserts.
>
> The only way the compiler could error on this is by inferring the
> fact that new_sha1/old_sha1 could be NULL by looking at the callsite
> in ref_transaction_update() where these are used as conditionals to
> set HAVE_NEW/HAVE_OLD that are passed.  Even if the compiler were
> doing the whole-program analysis, the other two callsites of the
> function pass the address of oid.hash[] in an oid structure so it
> should know these won't be NULL.
>
> Or is the compiler being really dumb and triggering an error for
> every use of
>
>         memcpy(dst, src, size);
>
> that must now be written as
>
>         assert(src);
>         memcpy(dst, src, size);
>
> ???  That would be doubly annoying

No, I think it can't quite deal with the flags that are passed in.
I'm on a different
machine today, so I can't actually check, but that's what I would
expect at least.

> I wonder if REF_HAVE_NEW/REF_HAVE_OLD are really needed in these
> codepaths, though.  Perhaps we can instead declare !!new_sha1 means
> we have the new side and rewrite the above part to
>
>         if (new_sha1)
>                 hashcpy(update->new_oid.hash, new_sha1);
>
> without an extra and totally pointless assert()?

Yeah, that seems much nicer.  I'll try that and send a new a patch
(though I won't
get to it before tomorrow).  Thanks for the review.

>>       update->msg = xstrdup_or_null(msg);
>>       return update;
>>  }