Jeff King <peff@xxxxxxxx> writes:
> On Fri, Oct 07, 2022 at 05:08:42PM +0200, René Scharfe wrote:
>
>> diff --git a/builtin/bisect--helper.c b/builtin/bisect--helper.c
>> index 501245fac9..28ef7ec2a4 100644
>> --- a/builtin/bisect--helper.c
>> +++ b/builtin/bisect--helper.c
>> @@ -765,11 +765,10 @@ static enum bisect_error bisect_start(struct bisect_terms *terms, const char **a
>> strbuf_read_file(&start_head, git_path_bisect_start(), 0);
>> strbuf_trim(&start_head);
>> if (!no_checkout) {
>> - struct strvec argv = STRVEC_INIT;
>> + const char *argv[] = { "checkout", start_head.buf,
>> + "--", NULL };
>>
>> - strvec_pushl(&argv, "checkout", start_head.buf,
>> - "--", NULL);
>> - if (run_command_v_opt(argv.v, RUN_GIT_CMD)) {
>> + if (run_command_v_opt(argv, RUN_GIT_CMD)) {
>
> This is OK with me, but note that one thing we lose is compiler
> protection that we remembered the trailing NULL pointer in the argv
> array (whereas strvec_pushl() has an attribute that makes sure the last
> argument is a NULL).
The first parameter to run_command_v_opt() must be a NULL terminated
array of strings. argv.v[] after strvec_push*() is such a NULL
terminated array, and is suitable to be passed to the function.
That much human programmers would know.
But does the compiler know that run_command_v_opt() requires a NULL
terminated array of strings, and does it know to check that argv.v[]
came from strvec_pushl() without any annotation in the first place?
For such a check to happen, I think we need to tell the compiler
with some annotation that the first parameter to run_command_v_opt()
is supposed to be a NULL terminated char *[] array.
In the code before the patch, strvec_pushl() is annotated to require
the last arg to be NULL, but without following data/control flow, it
may not be clear to the compiler that argv.v[] will be NULL terminated
after the function returns. If the compiler is sufficiently clever
to figure it out, with the knowledge that run_command_v_opt() must
be given a NULL terminated array of strings, we do have compiler
protection to make the run_command_v_opt() safe.
But if the code tells the compiler that run_command_v_opt() must be
given a NULL terminated array of strings, it is obvious that the
array passed by the code after the patch, i.e. argv[], is NULL
terminated, and the compiler would be happy, as well.
> Probably not that big a deal in practice. It would be nice if there was
> a way to annotate this for the compiler, but I don't think there's any
> attribute for "this pointer-to-pointer parameter should have a NULL at
> the end".
But the code before this patch is safe only for strvec_pushl() call,
not run_command_v_opt() call, so we are not losing anything, I would
think.
