On Wed, Sep 13, 2017 at 02:09:27PM -0700, Jonathan Nieder wrote: > > We ask to write 41 bytes and make sure that the return value > > is at least 41. This is the same "dangerous" pattern that > > was fixed in the prior commit (wherein a negative return > > value is promoted to unsigned), though it is not dangerous > > here because our "41" is a constant, not an unsigned > > variable. > > > > But we should convert it anyway to avoid modeling a > > dangerous construct. > > > > Signed-off-by: Jeff King <peff@xxxxxxxx> > > --- > > builtin/get-tar-commit-id.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > I kind of disagree with calling this dangerous (and I think that is > what you alluded to above by putting it in quotes), but I like the > postimage more than the preimage. Right, this instance is fine, but the pattern of using "<" is not. If you swapped out "41" for: size_t len = 41; then it would be a bug. Which I think would surprise most people. > The variable 'n' could be eliminated to simplify this further. I > realize that would go against the spirit of this patch, but (1) it's > on-topic for the patch, since it is another ssize_t vs constant > comparison and (2) as mentioned elsewhere in this thread, it's a very > common idiom with read_in_full. If we want to eliminate it then we > could introduce a separate helper to distinguish between > read_this_much_i_mean_it and read_this_much_or_to_eof. Yes, I noticed that, too, after you brought up read_in_full() as a potential source of problems. But I would rather deal with read_in_full() separately on top. Can you do it as a separate patch on top (possibly with other read_in_full() cleanups, though I think this is the only "<" case that exists). -Peff
