On Tue, Oct 10, 2023 at 08:08:05PM -0400, Taylor Blau wrote:
> Nice. This makes sense and seems like an obvious improvement over the
> existing code.
>
> I wonder how common this pattern is. We have read_chunk() which is for
> handling more complex scenarios than this. But the safe version of
> pair_chunk() really just wants to check that the size of the chunk is as
> expected and assign the location in the mmap to some pointer.
Sometimes yes, sometimes no. For fixed-size ones like this, that's
sufficient. For others we have to record the size and use it for later
bounds-checking. IIRC it's about 50/50 between the two.
> Do you think it would be worth changing pair_chunk() to take an expected
> size_t and handle this generically? I.e. have a version of
> chunk-format::pair_chunk_fn() that looks something like:
>
> static int pair_chunk_fn(const unsigned char *chunk_start,
> size_t chunk_size, void *data)
> {
> const unsigned char **p = data;
> if (chunk_size != data->size)
> return -1;
> *p = chunk_start;
> return 0;
> }
>
> and then our call here would be:
>
> if (pair_chunk(cf, GRAPH_CHUNKID_OIDFANOUT,
> (const unsigned char **)&graph->chunk_oid_fanout,
> 256 * sizeof(uint32_t)) < 0)
> return error("commit-graph oid fanout chunk is wrong size");
>
> I dunno. It's hard to have a more concrete recomendation without having
> read the rest of the series. So it's possible that this is just complete
> nonsense ;-). But my hunch is that there are a number of callers that
> would benefit from having this built in.
I don't think it's nonsense, and I do think other callers would benefit.
On the other hand, I kind of like the notion that there is a complete
validation callback for each of these chunks. Even though it just checks
the size for now, it could handle other things. In the case of OIDF, for
example, we can check whether the entries are monotonic. It's just that
we happen to do those checks elsewhere.
Hmm, actually, looking at that again, I think I may have missed a case
in patch 6. For pack .idx files, we check the fanout table when they are
loaded. And patch 6 adds the same for commit-graph files. I thought midx
files were handled the same .idx, but looking at it again, I only see
the monotonicity check in the "multi-pack-index verify" code paths. So
it might need the same treatment.
I'm not sure how I missed that (I started by making a corrupted midx
first and couldn't get it to fail, which is when I discovered the
existing checks, but maybe I am mixing up .idx and midx in my memory).
-Peff
