On Fri, Jul 14, 2017 at 09:11:33AM -0700, Junio C Hamano wrote:
> As to other things that we currently not allow in our codebase that
> newer compilers can grok, here is what *I* think. It is *not* meant
> to be an exhaustive "what's new in C99 that is not in C89? what is
> the final verdict on each of them?":
>
> - There were occasional cases where we wished if variable-length
> arrays, flexible array members and variadic macros were available
> in our codebase during the course of this project. We would
> probably want to add a similar test baloon patch for each of
> them to this series that is currently two-patch long.
I think variable-length arrays are potentially dangerous. They're
allocated on the stack, which creates two issues:
1. You can run out of stack space and segfault, whereas the same
operation with a heap buffer would be fine. You can say "but this
VLA will only be used for small things". But then, you can just as
easily declare a small stack buffer.
2. My understanding of the recent "Stack Clash" class of
vulnerabilities[1] is that VLAs make the attacker's job much easier
(since they can often just send a large input to get you to
allocate a large stack).
I think variadic macros are a good candidate, though. There have been a
number of times where we've had to sacrifice functionality or
readability in our helper functions. E.g., the case mentioned in
368953912 (add helpers for allocating flex-array structs, 2016-02-22).
The weather-balloon patch for that should be easy, too: just drop the
fallback macros from BUG() or the trace code.
[1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
> - I prefer to keep decl-after-statement out of our codebase. I
> view it as a big plus in code-readability to be able to see a
> complete list of variables that will be used in a block upfront
> before starting to read the code that uses them.
>
> - Corollary to the above, I do not mind to have a variable
> declaration in the initialization clause of a for() statement
> (e.g. "for (int i = 0; i < 4; i++) { ... }"), as the scoping rule
> is very sensible. Some of our "for()" statements use the value
> of the variable after iteration, for which this new construct
> cannot be used, though.
I agree with both of those points. I think the decl-in-for is nice
exactly because it highlights those cases where the iteration variable's
value is relevant after the loop ends.
> - This may be showing I am not just old fashioned but also am
> ignorant, but I do not see much point in using the following in
> our codebase (iow, I am not aware of places in the existing code
> that they can be improved by employing these features):
>
> . // comments
> . restricted pointers
> . static and type qualifiers in parameter array declarators
Agreed, though I think the comment thing is a personal taste issue (just
not my taste).
> +static int clean_use_color = -1;
> +static char clean_colors[][COLOR_MAXLEN] = {
> + [CLEAN_COLOR_RESET] = GIT_COLOR_RESET,
> + [CLEAN_COLOR_PLAIN] = GIT_COLOR_NORMAL,
> + [CLEAN_COLOR_PROMPT] = GIT_COLOR_BOLD_BLUE,
> + [CLEAN_COLOR_HEADER] = GIT_COLOR_BOLD,
> + [CLEAN_COLOR_HELP] = GIT_COLOR_BOLD_RED,
> + [CLEAN_COLOR_ERROR] = GIT_COLOR_BOLD_RED,
> +};
I think this is much nicer to read. I assume if we have a "hole" in our
numbering that the hole is initialized in the usual static way (a
COLOR_MAXLEN array full of NULs in this case, I guess)?
-Peff
