Hi René,
On Thu, 20 Jun 2019, René Scharfe wrote:
> Subject: [PATCH] config: simplify unit suffix handling
>
> parse_unit_factor() checks if a K, M or G is present after a number and
> multiplies it by 2^10, 2^20 or 2^30, respectively. One of its callers
> checks if the result is smaller than the number alone to detect
> overflows. The other one passes 1 as the number and does multiplication
> and overflow check itself in a similar manner.
>
> This works, but is inconsistent, and it would break if we added support
> for a bigger unit factor. E.g. 16777217T expands to 2^64 + 2^40, which
> is too big for a 64-bit number. Modulo 2^64 we get 2^40 == 1TB, which
> is bigger than the raw number 16777217 == 2^24 + 1, so the overflow
> would go undetected by that method.
>
> Move the multiplication out of parse_unit_factor() and rename it to
> get_unit_factor() to signify its reduced functionality. This partially
I do not necessarily think that the name `get_unit_factor()` is better,
given that we still parse the unit factor. I'd vote for keeping the
original name.
However, what _does_ make sense is to change that function to _really_
only parse the unit factor. That is, I would keep the exact signature, I
just would not multiply `*val` by the unit factor, I would overwrite it by
the unit factor instead.
At least that is what I would have expected, reading the name
`parse_unit_factor()`.
> reverts c8deb5a146 ("Improve error messages when int/long cannot be
> parsed from config", 2007-12-25), but keeps the improved error messages.
> Use a return value of 0 to signal an invalid suffix.
This comment should probably become a code comment above the function.
> And use unsigned_mult_overflows to check for an overflow *before* doing
> the actual multiplication, which is simpler and can deal with larger
> unit factors.
Makes sense.
> Signed-off-by: Rene Scharfe <l.s.r@xxxxxx>
What, no accent?
> ---
> Patch generated with --function-context for easier reviewing.
Ooh, ooh, I did not know that flag. Neat!
> diff --git a/config.c b/config.c
> index 01c6e9df23..61a8bbb5cd 100644
> --- a/config.c
> +++ b/config.c
> @@ -834,51 +834,46 @@ static int git_parse_source(config_fn_t fn, void *data,
> return error_return;
> }
>
> -static int parse_unit_factor(const char *end, uintmax_t *val)
> +static uintmax_t get_unit_factor(const char *end)
It has been a historical wart that the parameter was called `end`. Maybe
that could be fixed, "while at it"?
And as I said earlier, I do not see the need to change the signature
(including the function name) at all.
> {
> if (!*end)
> return 1;
> - else if (!strcasecmp(end, "k")) {
> - *val *= 1024;
> - return 1;
> - }
> - else if (!strcasecmp(end, "m")) {
> - *val *= 1024 * 1024;
> - return 1;
> - }
> - else if (!strcasecmp(end, "g")) {
> - *val *= 1024 * 1024 * 1024;
> - return 1;
> - }
> + if (!strcasecmp(end, "k"))
> + return 1024;
> + if (!strcasecmp(end, "m"))
> + return 1024 * 1024;
> + if (!strcasecmp(end, "g"))
> + return 1024 * 1024 * 1024;
> return 0;
> }
>
> static int git_parse_signed(const char *value, intmax_t *ret, intmax_t max)
> {
> if (value && *value) {
> char *end;
> intmax_t val;
> uintmax_t uval;
> - uintmax_t factor = 1;
> + uintmax_t factor;
I'd keep this change, but...
>
> errno = 0;
> val = strtoimax(value, &end, 0);
> if (errno == ERANGE)
> return 0;
> - if (!parse_unit_factor(end, &factor)) {
> + factor = get_unit_factor(end);
> + if (!factor) {
... drop this change, and...
> errno = EINVAL;
> return 0;
> }
> uval = val < 0 ? -val : val;
> - uval *= factor;
> - if (uval > max || (val < 0 ? -val : val) > uval) {
> + if (unsigned_mult_overflows(factor, uval) ||
> + factor * uval > max) {
... again keep this change.
> errno = ERANGE;
> return 0;
> }
> val *= factor;
> *ret = val;
> return 1;
> }
> errno = EINVAL;
> return 0;
> }
> @@ -886,26 +881,28 @@ static int git_parse_signed(const char *value, intmax_t *ret, intmax_t max)
> static int git_parse_unsigned(const char *value, uintmax_t *ret, uintmax_t max)
> {
> if (value && *value) {
> char *end;
> uintmax_t val;
> - uintmax_t oldval;
> + uintmax_t factor;
Good.
>
> errno = 0;
> val = strtoumax(value, &end, 0);
> if (errno == ERANGE)
> return 0;
> - oldval = val;
> - if (!parse_unit_factor(end, &val)) {
> + factor = get_unit_factor(end);
> + if (!factor) {
Again, here I would strongly suggest the less intrusive change (with a
more intuitive outcome):
- oldval = val;
- if (!parse_unit_factor(end, &val)) {
+ if (!parse_unit_factor(end, &factor)) {
> errno = EINVAL;
> return 0;
> }
> - if (val > max || oldval > val) {
> + if (unsigned_mult_overflows(factor, val) ||
> + factor * val > max) {
And this is obviously a good change again.
> errno = ERANGE;
> return 0;
> }
> + val *= factor;
As is this.
Thanks for working on this!
Dscho
> *ret = val;
> return 1;
> }
> errno = EINVAL;
> return 0;
> }
> --
> 2.22.0
>
