Hi René,

On Thu, 20 Jun 2019, René Scharfe wrote:

> Subject: [PATCH] config: simplify unit suffix handling
>
> parse_unit_factor() checks if a K, M or G is present after a number and
> multiplies it by 2^10, 2^20 or 2^30, respectively.  One of its callers
> checks if the result is smaller than the number alone to detect
> overflows.  The other one passes 1 as the number and does multiplication
> and overflow check itself in a similar manner.
>
> This works, but is inconsistent, and it would break if we added support
> for a bigger unit factor.  E.g. 16777217T expands to 2^64 + 2^40, which
> is too big for a 64-bit number.  Modulo 2^64 we get 2^40 == 1TB, which
> is bigger than the raw number 16777217 == 2^24 + 1, so the overflow
> would go undetected by that method.
>
> Move the multiplication out of parse_unit_factor() and rename it to
> get_unit_factor() to signify its reduced functionality.  This partially

I do not necessarily think that the name `get_unit_factor()` is better,
given that we still parse the unit factor. I'd vote for keeping the
original name.

However, what _does_ make sense is to change that function to _really_
only parse the unit factor. That is, I would keep the exact signature, I
just would not multiply `*val` by the unit factor, I would overwrite it by
the unit factor instead.

At least that is what I would have expected, reading the name
`parse_unit_factor()`.

> reverts c8deb5a146 ("Improve error messages when int/long cannot be
> parsed from config", 2007-12-25), but keeps the improved error messages.
> Use a return value of 0 to signal an invalid suffix.

This comment should probably become a code comment above the function.

> And use unsigned_mult_overflows to check for an overflow *before* doing
> the actual multiplication, which is simpler and can deal with larger
> unit factors.

Makes sense.

> Signed-off-by: Rene Scharfe <l.s.r@web.de>

What, no accent?

> ---
> Patch generated with --function-context for easier reviewing.

Ooh, ooh, I did not know that flag. Neat!

> diff --git a/config.c b/config.c
> index 01c6e9df23..61a8bbb5cd 100644
> --- a/config.c
> +++ b/config.c
> @@ -834,51 +834,46 @@ static int git_parse_source(config_fn_t fn, void *data,
>  	return error_return;
>  }
>
> -static int parse_unit_factor(const char *end, uintmax_t *val)
> +static uintmax_t get_unit_factor(const char *end)

It has been a historical wart that the parameter was called `end`. Maybe
that could be fixed, "while at it"?

And as I said earlier, I do not see the need to change the signature
(including the function name) at all.

>  {
>  	if (!*end)
>  		return 1;
> -	else if (!strcasecmp(end, "k")) {
> -		*val *= 1024;
> -		return 1;
> -	}
> -	else if (!strcasecmp(end, "m")) {
> -		*val *= 1024 * 1024;
> -		return 1;
> -	}
> -	else if (!strcasecmp(end, "g")) {
> -		*val *= 1024 * 1024 * 1024;
> -		return 1;
> -	}
> +	if (!strcasecmp(end, "k"))
> +		return 1024;
> +	if (!strcasecmp(end, "m"))
> +		return 1024 * 1024;
> +	if (!strcasecmp(end, "g"))
> +		return 1024 * 1024 * 1024;
>  	return 0;
>  }
>
>  static int git_parse_signed(const char *value, intmax_t *ret, intmax_t max)
>  {
>  	if (value && *value) {
>  		char *end;
>  		intmax_t val;
>  		uintmax_t uval;
> -		uintmax_t factor = 1;
> +		uintmax_t factor;

I'd keep this change, but...

>
>  		errno = 0;
>  		val = strtoimax(value, &end, 0);
>  		if (errno == ERANGE)
>  			return 0;
> -		if (!parse_unit_factor(end, &factor)) {
> +		factor = get_unit_factor(end);
> +		if (!factor) {

... drop this change, and...

>  			errno = EINVAL;
>  			return 0;
>  		}
>  		uval = val < 0 ? -val : val;
> -		uval *= factor;
> -		if (uval > max || (val < 0 ? -val : val) > uval) {
> +		if (unsigned_mult_overflows(factor, uval) ||
> +		    factor * uval > max) {

... again keep this change.

>  			errno = ERANGE;
>  			return 0;
>  		}
>  		val *= factor;
>  		*ret = val;
>  		return 1;
>  	}
>  	errno = EINVAL;
>  	return 0;
>  }
> @@ -886,26 +881,28 @@ static int git_parse_signed(const char *value, intmax_t *ret, intmax_t max)
>  static int git_parse_unsigned(const char *value, uintmax_t *ret, uintmax_t max)
>  {
>  	if (value && *value) {
>  		char *end;
>  		uintmax_t val;
> -		uintmax_t oldval;
> +		uintmax_t factor;

Good.

>
>  		errno = 0;
>  		val = strtoumax(value, &end, 0);
>  		if (errno == ERANGE)
>  			return 0;
> -		oldval = val;
> -		if (!parse_unit_factor(end, &val)) {
> +		factor = get_unit_factor(end);
> +		if (!factor) {

Again, here I would strongly suggest the less intrusive change (with a
more intuitive outcome):

-		oldval = val;
-		if (!parse_unit_factor(end, &val)) {
+		if (!parse_unit_factor(end, &factor)) {

>  			errno = EINVAL;
>  			return 0;
>  		}
> -		if (val > max || oldval > val) {
> +		if (unsigned_mult_overflows(factor, val) ||
> +		    factor * val > max) {

And this is obviously a good change again.

>  			errno = ERANGE;
>  			return 0;
>  		}
> +		val *= factor;

As is this.

Thanks for working on this!
Dscho

>  		*ret = val;
>  		return 1;
>  	}
>  	errno = EINVAL;
>  	return 0;
>  }
> --
> 2.22.0
>