[PATCH 30/32] ident.c: fix LGTM warning on the possible abuse of the '=' operator

[PATCH 30/32] ident.c: fix LGTM warning on the possible abuse of the '=' operator

[Elia Pinto]

Fix the LGTM warning of the rule that finds uses of the assignment
operator = in places where the equality operator == would
make more sense.

Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
---
 ident.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ident.c b/ident.c
index e666ee4e59..07f2f03b0a 100644
--- a/ident.c
+++ b/ident.c
@@ -172,12 +172,15 @@ const char *ident_default_email(void)
 			strbuf_addstr(&git_default_email, email);
 			committer_ident_explicitly_given |= IDENT_MAIL_GIVEN;
 			author_ident_explicitly_given |= IDENT_MAIL_GIVEN;
-		} else if ((email = query_user_email()) && email[0]) {
-			strbuf_addstr(&git_default_email, email);
-			free((char *)email);
-		} else
-			copy_email(xgetpwuid_self(&default_email_is_bogus),
+		} else {
+			email = query_user_email();
+			if (email && email[0]) {
+				strbuf_addstr(&git_default_email, email);
+				free((char *)email);
+			} else
+				copy_email(xgetpwuid_self(&default_email_is_bogus),
 				   &git_default_email, &default_email_is_bogus);
+		}
 		strbuf_trim(&git_default_email);
 	}
 	return git_default_email.buf;
-- 
2.24.0.rc0.467.g566ccdd3e4.dirty

[PATCH 31/32] commit-graph.c: fix code that could convert the result of an integer multiplication to a larger type

[Elia Pinto]

Fix the LGTM warning fired by the rule that finds code that could convert the result of an integer
multiplication to a larger type. Since the conversion applies after the multiplication,
arithmetic overflow may still occur.

Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
---
 commit-graph.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/commit-graph.c b/commit-graph.c
index a0f868522b..0be15f1cd4 100644
--- a/commit-graph.c
+++ b/commit-graph.c
@@ -1415,8 +1415,8 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
 
 	chunk_offsets[0] = 8 + (num_chunks + 1) * GRAPH_CHUNKLOOKUP_WIDTH;
 	chunk_offsets[1] = chunk_offsets[0] + GRAPH_FANOUT_SIZE;
-	chunk_offsets[2] = chunk_offsets[1] + hashsz * ctx->commits.nr;
-	chunk_offsets[3] = chunk_offsets[2] + (hashsz + 16) * ctx->commits.nr;
+	chunk_offsets[2] = chunk_offsets[1] + (uint64_t)hashsz * ctx->commits.nr;
+	chunk_offsets[3] = chunk_offsets[2] + ((uint64_t)hashsz + 16) * ctx->commits.nr;
 
 	num_chunks = 3;
 	if (ctx->num_extra_edges) {
@@ -1426,7 +1426,7 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
 	}
 	if (ctx->num_commit_graphs_after > 1) {
 		chunk_offsets[num_chunks + 1] = chunk_offsets[num_chunks] +
-						hashsz * (ctx->num_commit_graphs_after - 1);
+						(uint64_t)hashsz * (ctx->num_commit_graphs_after - 1);
 		num_chunks++;
 	}
 
@@ -1454,7 +1454,7 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
 			    num_chunks);
 		ctx->progress = start_delayed_progress(
 			progress_title.buf,
-			num_chunks * ctx->commits.nr);
+			(uint64_t)num_chunks * ctx->commits.nr);
 	}
 	write_graph_chunk_fanout(f, ctx);
 	write_graph_chunk_oids(f, hashsz, ctx);
-- 
2.24.0.rc0.467.g566ccdd3e4.dirty

[PATCH 32/32] date.c: fix code that may overflow 'int' before it is converted to 'time_t'

[Elia Pinto]

Fix the LGTM warning fired by the rule that finds code that could convert the result of an integer
multiplication to a larger type. Since the conversion applies after the multiplication,
arithmetic overflow may still occur.

Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
---
 date.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/date.c b/date.c
index 041db7db4e..b8dcbdbb0e 100644
--- a/date.c
+++ b/date.c
@@ -1172,7 +1172,7 @@ static const char *approxidate_alpha(const char *date, struct tm *tm, struct tm
 	while (tl->type) {
 		int len = strlen(tl->type);
 		if (match_string(date, tl->type) >= len-1) {
-			update_tm(tm, now, tl->length * *num);
+			update_tm(tm, now, (time_t)tl->length * *num);
 			*num = 0;
 			*touched = 1;
 			return end;
-- 
2.24.0.rc0.467.g566ccdd3e4.dirty

Re: [PATCH 30/32] ident.c: fix LGTM warning on the possible abuse of the '=' operator

[SZEDER Gábor]

On Mon, Nov 04, 2019 at 09:59:21AM +0000, Elia Pinto wrote:
> Fix the LGTM warning of the rule that finds uses of the assignment

What is an "LGTM warning"?

I think including the actual compiler warning in the commit message
would be great.

> operator = in places where the equality operator == would
> make more sense.
> 
> Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
> ---
>  ident.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/ident.c b/ident.c
> index e666ee4e59..07f2f03b0a 100644
> --- a/ident.c
> +++ b/ident.c
> @@ -172,12 +172,15 @@ const char *ident_default_email(void)
>  			strbuf_addstr(&git_default_email, email);
>  			committer_ident_explicitly_given |= IDENT_MAIL_GIVEN;
>  			author_ident_explicitly_given |= IDENT_MAIL_GIVEN;
> -		} else if ((email = query_user_email()) && email[0]) {
> -			strbuf_addstr(&git_default_email, email);
> -			free((char *)email);
> -		} else
> -			copy_email(xgetpwuid_self(&default_email_is_bogus),
> +		} else {
> +			email = query_user_email();
> +			if (email && email[0]) {
> +				strbuf_addstr(&git_default_email, email);
> +				free((char *)email);
> +			} else
> +				copy_email(xgetpwuid_self(&default_email_is_bogus),
>  				   &git_default_email, &default_email_is_bogus);
> +		}
>  		strbuf_trim(&git_default_email);
>  	}
>  	return git_default_email.buf;
> -- 
> 2.24.0.rc0.467.g566ccdd3e4.dirty
> 

Re: [PATCH 30/32] ident.c: fix LGTM warning on the possible abuse of the '=' operator

[Elia Pinto]

Il giorno lun 4 nov 2019 alle ore 11:26 SZEDER Gábor
<szeder.dev@gmail.com> ha scritto:
>
> On Mon, Nov 04, 2019 at 09:59:21AM +0000, Elia Pinto wrote:
> > Fix the LGTM warning of the rule that finds uses of the assignment
>
> What is an "LGTM warning"?
>
> I think including the actual compiler warning in the commit message
> would be great.
Yes indeed. I thought I did it, do you think i can do better? Thanks

https://lgtm.com/rules/2158670641/
>
> > operator = in places where the equality operator == would
> > make more sense.
> >
> > Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
> > ---
> >  ident.c | 13 ++++++++-----
> >  1 file changed, 8 insertions(+), 5 deletions(-)
> >
> > diff --git a/ident.c b/ident.c
> > index e666ee4e59..07f2f03b0a 100644
> > --- a/ident.c
> > +++ b/ident.c
> > @@ -172,12 +172,15 @@ const char *ident_default_email(void)
> >                       strbuf_addstr(&git_default_email, email);
> >                       committer_ident_explicitly_given |= IDENT_MAIL_GIVEN;
> >                       author_ident_explicitly_given |= IDENT_MAIL_GIVEN;
> > -             } else if ((email = query_user_email()) && email[0]) {
> > -                     strbuf_addstr(&git_default_email, email);
> > -                     free((char *)email);
> > -             } else
> > -                     copy_email(xgetpwuid_self(&default_email_is_bogus),
> > +             } else {
> > +                     email = query_user_email();
> > +                     if (email && email[0]) {
> > +                             strbuf_addstr(&git_default_email, email);
> > +                             free((char *)email);
> > +                     } else
> > +                             copy_email(xgetpwuid_self(&default_email_is_bogus),
> >                                  &git_default_email, &default_email_is_bogus);
> > +             }
> >               strbuf_trim(&git_default_email);
> >       }
> >       return git_default_email.buf;
> > --
> > 2.24.0.rc0.467.g566ccdd3e4.dirty
> >

Re: [PATCH 30/32] ident.c: fix LGTM warning on the possible abuse of the '=' operator

[Phillip Wood]

Hi Elia

On 04/11/2019 13:55, Elia Pinto wrote:
> Il giorno lun 4 nov 2019 alle ore 11:26 SZEDER Gábor
> <szeder.dev@gmail.com> ha scritto:
>>
>> On Mon, Nov 04, 2019 at 09:59:21AM +0000, Elia Pinto wrote:
>>> Fix the LGTM warning of the rule that finds uses of the assignment
>>
>> What is an "LGTM warning"?
>>
>> I think including the actual compiler warning in the commit message
>> would be great.
> Yes indeed. I thought I did it, do you think i can do better? Thanks
> 
> https://lgtm.com/rules/2158670641/

It would have been helpful to explain that LGTM was a static analyser 
for those of us who did not know. As far the patch is concerned I'm not 
convinced it is an improvement. There are loads of places where git uses 
this pattern ("git grep 'if (([^=)]*=[^)]*)' | wc" shows 212). So long 
as the assignment is inside its own set of parentheses it's safe and gcc 
will warn if the parentheses are missing.

Best Wishes

Phillip

>>
>>> operator = in places where the equality operator == would
>>> make more sense.
>>>
>>> Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
>>> ---
>>>   ident.c | 13 ++++++++-----
>>>   1 file changed, 8 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/ident.c b/ident.c
>>> index e666ee4e59..07f2f03b0a 100644
>>> --- a/ident.c
>>> +++ b/ident.c
>>> @@ -172,12 +172,15 @@ const char *ident_default_email(void)
>>>                        strbuf_addstr(&git_default_email, email);
>>>                        committer_ident_explicitly_given |= IDENT_MAIL_GIVEN;
>>>                        author_ident_explicitly_given |= IDENT_MAIL_GIVEN;
>>> -             } else if ((email = query_user_email()) && email[0]) {
>>> -                     strbuf_addstr(&git_default_email, email);
>>> -                     free((char *)email);
>>> -             } else
>>> -                     copy_email(xgetpwuid_self(&default_email_is_bogus),
>>> +             } else {
>>> +                     email = query_user_email();
>>> +                     if (email && email[0]) {
>>> +                             strbuf_addstr(&git_default_email, email);
>>> +                             free((char *)email);
>>> +                     } else
>>> +                             copy_email(xgetpwuid_self(&default_email_is_bogus),
>>>                                   &git_default_email, &default_email_is_bogus);
>>> +             }
>>>                strbuf_trim(&git_default_email);
>>>        }
>>>        return git_default_email.buf;
>>> --
>>> 2.24.0.rc0.467.g566ccdd3e4.dirty
>>>

Re: [PATCH 30/32] ident.c: fix LGTM warning on the possible abuse of the '=' operator

[Elia Pinto]

Il giorno lun 4 nov 2019 alle ore 16:11 Phillip Wood
<phillip.wood123@gmail.com> ha scritto:
>
> Hi Elia
>
> On 04/11/2019 13:55, Elia Pinto wrote:
> > Il giorno lun 4 nov 2019 alle ore 11:26 SZEDER Gábor
> > <szeder.dev@gmail.com> ha scritto:
> >>
> >> On Mon, Nov 04, 2019 at 09:59:21AM +0000, Elia Pinto wrote:
> >>> Fix the LGTM warning of the rule that finds uses of the assignment
> >>
> >> What is an "LGTM warning"?
> >>
> >> I think including the actual compiler warning in the commit message
> >> would be great.
> > Yes indeed. I thought I did it, do you think i can do better? Thanks
> >
> > https://lgtm.com/rules/2158670641/
>
> It would have been helpful to explain that LGTM was a static analyser
> for those of us who did not know. As far the patch is concerned I'm not
> convinced it is an improvement. There are loads of places where git uses
> this pattern ("git grep 'if (([^=)]*=[^)]*)' | wc" shows 212). So long
> as the assignment is inside its own set of parentheses it's safe and gcc
> will warn if the parentheses are missing.
>
LGTM only expresses a warning (actually it signals a possible error)
that refers directly to this
https://cwe.mitre.org/data/definitions/481.html. On which we can
hardly disagree, beyond the authority of the source. The reason LGTM
only identifies this as an error, and not the various apparently
analogous cases in the code I don't know, but it would certainly be
interesting to find out.

Thanks for the review
> Best Wishes
>
> Phillip
>
> >>
> >>> operator = in places where the equality operator == would
> >>> make more sense.
> >>>
> >>> Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
> >>> ---
> >>>   ident.c | 13 ++++++++-----
> >>>   1 file changed, 8 insertions(+), 5 deletions(-)
> >>>
> >>> diff --git a/ident.c b/ident.c
> >>> index e666ee4e59..07f2f03b0a 100644
> >>> --- a/ident.c
> >>> +++ b/ident.c
> >>> @@ -172,12 +172,15 @@ const char *ident_default_email(void)
> >>>                        strbuf_addstr(&git_default_email, email);
> >>>                        committer_ident_explicitly_given |= IDENT_MAIL_GIVEN;
> >>>                        author_ident_explicitly_given |= IDENT_MAIL_GIVEN;
> >>> -             } else if ((email = query_user_email()) && email[0]) {
> >>> -                     strbuf_addstr(&git_default_email, email);
> >>> -                     free((char *)email);
> >>> -             } else
> >>> -                     copy_email(xgetpwuid_self(&default_email_is_bogus),
> >>> +             } else {
> >>> +                     email = query_user_email();
> >>> +                     if (email && email[0]) {
> >>> +                             strbuf_addstr(&git_default_email, email);
> >>> +                             free((char *)email);
> >>> +                     } else
> >>> +                             copy_email(xgetpwuid_self(&default_email_is_bogus),
> >>>                                   &git_default_email, &default_email_is_bogus);
> >>> +             }
> >>>                strbuf_trim(&git_default_email);
> >>>        }
> >>>        return git_default_email.buf;
> >>> --
> >>> 2.24.0.rc0.467.g566ccdd3e4.dirty
> >>>

Re: [PATCH 30/32] ident.c: fix LGTM warning on the possible abuse of the '=' operator

[Junio C Hamano]

Elia Pinto <gitter.spiros@gmail.com> writes:

Did I miss the first 29 patches (with what I see in this patch, I
do not know if I want to see them immediately, though ;-))?

> Fix the LGTM warning of the rule that finds uses of the assignment
> operator = in places where the equality operator == would
> make more sense.

I know you did not mean that existing

	} else if ((email = query_user_email()) && email[0]) {

better reads if it were written like so:

	} else if ((email == query_user_email()) && email[0]) {

but that is the only way how that sentence can be read (at least to
me) without looking at what the patch actually does.

As "email" has already been assigned to at this point in the
codeflow, I agree that, to an eye that does not (and is not willing
to spend cycles to) understand what the code is doing, the latter do
look more natural: "If the value of the variable is the same as the
return value of the query_user_email() function, and ...".  And if
"email" were a simpler arithmetic type it would have been even more
(iow, it is clear "email" is a character string from "&& email[0]",
so it is unlikely that "email == que()" is what the user intended).

So I am somewhat sympathetic to the "warnings" here, but not all
that much, especially if squelching makes the codeflow harder to
follow by introducing otherwise unnecessary nesting levels (like
this patch did).  I suspect that it might be possible to futher
restructure the code in such a way that we do not have to do an
assignment in a conditional without making the code deeply nested,
and that may perhaps be worth doing.

But the thing is, assignment in a cascading conditional is so useful
in avoiding pointless nesting of the code (imagine a reverse patch
of this one---which is easy to sell as cleaning-up and streamlining
the code).

So, I dunno.

> Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
> ---
>  ident.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/ident.c b/ident.c
> index e666ee4e59..07f2f03b0a 100644
> --- a/ident.c
> +++ b/ident.c
> @@ -172,12 +172,15 @@ const char *ident_default_email(void)
>  			strbuf_addstr(&git_default_email, email);
>  			committer_ident_explicitly_given |= IDENT_MAIL_GIVEN;
>  			author_ident_explicitly_given |= IDENT_MAIL_GIVEN;
> -		} else if ((email = query_user_email()) && email[0]) {
> -			strbuf_addstr(&git_default_email, email);
> -			free((char *)email);
> -		} else
> -			copy_email(xgetpwuid_self(&default_email_is_bogus),
> +		} else {
> +			email = query_user_email();
> +			if (email && email[0]) {
> +				strbuf_addstr(&git_default_email, email);
> +				free((char *)email);
> +			} else
> +				copy_email(xgetpwuid_self(&default_email_is_bogus),
>  				   &git_default_email, &default_email_is_bogus);
> +		}
>  		strbuf_trim(&git_default_email);
>  	}
>  	return git_default_email.buf;

Re: [PATCH 31/32] commit-graph.c: fix code that could convert the result of an integer multiplication to a larger type

[Junio C Hamano]

Elia Pinto <gitter.spiros@gmail.com> writes:

> Fix the LGTM warning fired by the rule that finds code that could convert the result of an integer
> multiplication to a larger type. Since the conversion applies after the multiplication,
> arithmetic overflow may still occur.

Overly long?

>  	chunk_offsets[0] = 8 + (num_chunks + 1) * GRAPH_CHUNKLOOKUP_WIDTH;
>  	chunk_offsets[1] = chunk_offsets[0] + GRAPH_FANOUT_SIZE;
> -	chunk_offsets[2] = chunk_offsets[1] + hashsz * ctx->commits.nr;
> -	chunk_offsets[3] = chunk_offsets[2] + (hashsz + 16) * ctx->commits.nr;
> +	chunk_offsets[2] = chunk_offsets[1] + (uint64_t)hashsz * ctx->commits.nr;
> +	chunk_offsets[3] = chunk_offsets[2] + ((uint64_t)hashsz + 16) * ctx->commits.nr;

chunk_offsets[] is u64[], while hashsz and is uint and
ctx->commits.nr is int.  OK.

> @@ -1426,7 +1426,7 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
>  	}
>  	if (ctx->num_commit_graphs_after > 1) {
>  		chunk_offsets[num_chunks + 1] = chunk_offsets[num_chunks] +
> -						hashsz * (ctx->num_commit_graphs_after - 1);
> +						(uint64_t)hashsz * (ctx->num_commit_graphs_after - 1);

Likewise.

> @@ -1454,7 +1454,7 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
>  			    num_chunks);
>  		ctx->progress = start_delayed_progress(
>  			progress_title.buf,
> -			num_chunks * ctx->commits.nr);
> +			(uint64_t)num_chunks * ctx->commits.nr);

Hmph, do we need this?  I understand that the second parameter to
the callee is u64, so the caller needs to come up with u64 without
overflow, but doesn't that automatically get promoted?

>  	}
>  	write_graph_chunk_fanout(f, ctx);
>  	write_graph_chunk_oids(f, hashsz, ctx);

Re: [PATCH 30/32] ident.c: fix LGTM warning on the possible abuse of the '=' operator

[Johannes Schindelin]

Hi,

On Wed, 6 Nov 2019, Junio C Hamano wrote:

> Elia Pinto <gitter.spiros@gmail.com> writes:
>
> Did I miss the first 29 patches (with what I see in this patch, I
> do not know if I want to see them immediately, though ;-))?
>
> > Fix the LGTM warning of the rule that finds uses of the assignment
> > operator = in places where the equality operator == would
> > make more sense.
>
> I know you did not mean that existing
>
> 	} else if ((email = query_user_email()) && email[0]) {
>
> better reads if it were written like so:
>
> 	} else if ((email == query_user_email()) && email[0]) {
>
> but that is the only way how that sentence can be read (at least to
> me) without looking at what the patch actually does.
>
> As "email" has already been assigned to at this point in the
> codeflow, I agree that, to an eye that does not (and is not willing
> to spend cycles to) understand what the code is doing, the latter do
> look more natural: "If the value of the variable is the same as the
> return value of the query_user_email() function, and ...".  And if
> "email" were a simpler arithmetic type it would have been even more
> (iow, it is clear "email" is a character string from "&& email[0]",
> so it is unlikely that "email == que()" is what the user intended).
>
> So I am somewhat sympathetic to the "warnings" here, but not all
> that much, especially if squelching makes the codeflow harder to
> follow by introducing otherwise unnecessary nesting levels (like
> this patch did).  I suspect that it might be possible to futher
> restructure the code in such a way that we do not have to do an
> assignment in a conditional without making the code deeply nested,
> and that may perhaps be worth doing.
>
> But the thing is, assignment in a cascading conditional is so useful
> in avoiding pointless nesting of the code (imagine a reverse patch
> of this one---which is easy to sell as cleaning-up and streamlining
> the code).
>
> So, I dunno.

For what it's worth, my reaction was exactly the same: I understand
how some developers might deem the assignment inside an `if ()`
condition undesirable, in Git's context I do strongly prefer the current
code over the version proposed in this patch.

Thanks,
Johannes

>
> > Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
> > ---
> >  ident.c | 13 ++++++++-----
> >  1 file changed, 8 insertions(+), 5 deletions(-)
> >
> > diff --git a/ident.c b/ident.c
> > index e666ee4e59..07f2f03b0a 100644
> > --- a/ident.c
> > +++ b/ident.c
> > @@ -172,12 +172,15 @@ const char *ident_default_email(void)
> >  			strbuf_addstr(&git_default_email, email);
> >  			committer_ident_explicitly_given |= IDENT_MAIL_GIVEN;
> >  			author_ident_explicitly_given |= IDENT_MAIL_GIVEN;
> > -		} else if ((email = query_user_email()) && email[0]) {
> > -			strbuf_addstr(&git_default_email, email);
> > -			free((char *)email);
> > -		} else
> > -			copy_email(xgetpwuid_self(&default_email_is_bogus),
> > +		} else {
> > +			email = query_user_email();
> > +			if (email && email[0]) {
> > +				strbuf_addstr(&git_default_email, email);
> > +				free((char *)email);
> > +			} else
> > +				copy_email(xgetpwuid_self(&default_email_is_bogus),
> >  				   &git_default_email, &default_email_is_bogus);
> > +		}
> >  		strbuf_trim(&git_default_email);
> >  	}
> >  	return git_default_email.buf;
>

Re: [PATCH 31/32] commit-graph.c: fix code that could convert the result of an integer multiplication to a larger type

[Danh Doan]

On 2019-11-06 11:23:00 +0900, Junio C Hamano wrote:
> > @@ -1454,7 +1454,7 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
> >  			    num_chunks);
> >  		ctx->progress = start_delayed_progress(
> >  			progress_title.buf,
> > -			num_chunks * ctx->commits.nr);
> > +			(uint64_t)num_chunks * ctx->commits.nr);
> 
> Hmph, do we need this?  I understand that the second parameter to
> the callee is u64, so the caller needs to come up with u64 without
> overflow, but doesn't that automatically get promoted?

Neither num_chunks nor ctx->commits.nr is promoted because both of
them are int. The result of `num_chunks * ctx->commits.nr' will be int
and will be promoted to u64 to pass to caller.

-- 
Danh

Re: [PATCH 31/32] commit-graph.c: fix code that could convert the result of an integer multiplication to a larger type

[Junio C Hamano]

Danh Doan <congdanhqx@gmail.com> writes:

> On 2019-11-06 11:23:00 +0900, Junio C Hamano wrote:
>> > @@ -1454,7 +1454,7 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
>> >  			    num_chunks);
>> >  		ctx->progress = start_delayed_progress(
>> >  			progress_title.buf,
>> > -			num_chunks * ctx->commits.nr);
>> > +			(uint64_t)num_chunks * ctx->commits.nr);
>> 
>> Hmph, do we need this?  I understand that the second parameter to
>> the callee is u64, so the caller needs to come up with u64 without
>> overflow, but doesn't that automatically get promoted?
>
> Neither num_chunks nor ctx->commits.nr is promoted because both of
> them are int. The result of `num_chunks * ctx->commits.nr' will be int
> and will be promoted to u64 to pass to caller.

Ah, yes.  Thanks.

The commit title is about "integer multiplication", but can the same
issue arise with addition and subtraction as well, by the way?

Re: [PATCH 31/32] commit-graph.c: fix code that could convert the result of an integer multiplication to a larger type

[Danh Doan]

On 2019-11-07 12:37:00 +0900, Junio C Hamano wrote:
> Danh Doan <congdanhqx@gmail.com> writes:
> 
> > On 2019-11-06 11:23:00 +0900, Junio C Hamano wrote:
> >> > @@ -1454,7 +1454,7 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
> >> >  			    num_chunks);
> >> >  		ctx->progress = start_delayed_progress(
> >> >  			progress_title.buf,
> >> > -			num_chunks * ctx->commits.nr);
> >> > +			(uint64_t)num_chunks * ctx->commits.nr);
> >> 
> >> Hmph, do we need this?  I understand that the second parameter to
> >> the callee is u64, so the caller needs to come up with u64 without
> >> overflow, but doesn't that automatically get promoted?
> >
> > Neither num_chunks nor ctx->commits.nr is promoted because both of
> > them are int. The result of `num_chunks * ctx->commits.nr' will be int
> > and will be promoted to u64 to pass to caller.
> 
> Ah, yes.  Thanks.
> 
> The commit title is about "integer multiplication", but can the same
> issue arise with addition and subtraction as well, by the way?

Yes, the same issue will arise with all binary (and ternary) arithmetic operators
(+, -, *, /, %, ^, &, |, <<, >> and ?:).

IIRC, gcc doesn't have any warning for this kind of issue.

Microsoft Visual Studio (2017+) has C26451 for this.
https://docs.microsoft.com/en-us/visualstudio/code-quality/c26451?view=vs-2017
If our friends at Microsoft could help, we can check the remaining one
in our codebase.

-- 
Danh

Re: [PATCH 31/32] commit-graph.c: fix code that could convert the result of an integer multiplication to a larger type

[Johannes Schindelin]

Hi Danh,

On Thu, 7 Nov 2019, Danh Doan wrote:

> On 2019-11-06 11:23:00 +0900, Junio C Hamano wrote:
> > > @@ -1454,7 +1454,7 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
> > >  			    num_chunks);
> > >  		ctx->progress = start_delayed_progress(
> > >  			progress_title.buf,
> > > -			num_chunks * ctx->commits.nr);
> > > +			(uint64_t)num_chunks * ctx->commits.nr);
> >
> > Hmph, do we need this?  I understand that the second parameter to
> > the callee is u64, so the caller needs to come up with u64 without
> > overflow, but doesn't that automatically get promoted?
>
> Neither num_chunks nor ctx->commits.nr is promoted because both of
> them are int. The result of `num_chunks * ctx->commits.nr' will be int
> and will be promoted to u64 to pass to caller.

If you up-cast, maybe do the second operand so that nobody has to spend
cycles trying to remember whether the cast or the arithmetic operand
bind stronger? I.e. `num_chunks * (uint64_t)ctx->commits.nr`.

Ciao,
Dscho

Re: [PATCH 31/32] commit-graph.c: fix code that could convert the result of an integer multiplication to a larger type

[Johannes Schindelin]

Hi Danh,

On Thu, 7 Nov 2019, Danh Doan wrote:

> On 2019-11-07 12:37:00 +0900, Junio C Hamano wrote:
> > Danh Doan <congdanhqx@gmail.com> writes:
> >
> > > On 2019-11-06 11:23:00 +0900, Junio C Hamano wrote:
> > >> > @@ -1454,7 +1454,7 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
> > >> >  			    num_chunks);
> > >> >  		ctx->progress = start_delayed_progress(
> > >> >  			progress_title.buf,
> > >> > -			num_chunks * ctx->commits.nr);
> > >> > +			(uint64_t)num_chunks * ctx->commits.nr);
> > >>
> > >> Hmph, do we need this?  I understand that the second parameter to
> > >> the callee is u64, so the caller needs to come up with u64 without
> > >> overflow, but doesn't that automatically get promoted?
> > >
> > > Neither num_chunks nor ctx->commits.nr is promoted because both of
> > > them are int. The result of `num_chunks * ctx->commits.nr' will be int
> > > and will be promoted to u64 to pass to caller.
> >
> > Ah, yes.  Thanks.
> >
> > The commit title is about "integer multiplication", but can the same
> > issue arise with addition and subtraction as well, by the way?
>
> Yes, the same issue will arise with all binary (and ternary) arithmetic operators
> (+, -, *, /, %, ^, &, |, <<, >> and ?:).
>
> IIRC, gcc doesn't have any warning for this kind of issue.
>
> Microsoft Visual Studio (2017+) has C26451 for this.
> https://docs.microsoft.com/en-us/visualstudio/code-quality/c26451?view=vs-2017
> If our friends at Microsoft could help, we can check the remaining one
> in our codebase.

I am a bit busy right now, but it _was_ my hope that adding a Visual
Studio job to our Azure Pipeline would enable everybody to perform tests
like this one.

In other words, I _think_ that you can add something like

	#pragma warning(enable: 26451)

to `compat/msvc.h` and then open a PR at https://github.com/git/git, the
Azure Pipeline should produce precisely what you want.

(If I were you, I would also try to save some CO2 by ripping out all
jobs except the `vs_build` one from `azure-pipelines.yml`.)

Ciao,
Dscho