2005-04-18 22:04:43 +02:00
|
|
|
/*
|
|
|
|
* GIT - The information manager from hell
|
|
|
|
*
|
|
|
|
* Copyright (C) Linus Torvalds, 2005
|
|
|
|
*/
|
2005-12-05 20:54:29 +01:00
|
|
|
#include "git-compat-util.h"
|
2011-07-27 23:32:34 +02:00
|
|
|
#include "cache.h"
|
2005-04-18 22:04:43 +02:00
|
|
|
|
2010-03-06 16:40:39 +01:00
|
|
|
void vreportf(const char *prefix, const char *err, va_list params)
|
2005-04-18 22:04:43 +02:00
|
|
|
{
|
2017-01-11 15:02:03 +01:00
|
|
|
char msg[4096];
|
vreport: sanitize ASCII control chars
Our error() and die() calls may report messages with
arbitrary data (e.g., filenames or even data from a remote
server). Let's make it harder to cause confusion with
mischievous filenames. E.g., try:
git rev-parse "$(printf "\rfatal: this argument is too sneaky")" --
or
git rev-parse "$(printf "\x1b[5mblinky\x1b[0m")" --
Let's block all ASCII control characters, with the exception
of TAB and LF. We use both in our own messages (and we are
necessarily sanitizing the complete output of snprintf here,
as we do not have access to the individual varargs). And TAB
and LF are unlikely to cause confusion (you could put
"\nfatal: sneaky\n" in your filename, but it would at least
not _cover up_ the message leading to it, unlike "\r").
We'll replace the characters with a "?", which is similar to
how "ls" behaves. It might be nice to do something less
lossy, like converting them to "\x" hex codes. But replacing
with a single character makes it easy to do in-place and
without worrying about length limitations. This feature
should kick in rarely enough that the "?" marks are almost
never seen.
We'll leave high-bit characters as-is, as they are likely to
be UTF-8 (though there may be some Unicode mischief you
could cause, which may require further patches).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-01-11 15:02:23 +01:00
|
|
|
char *p;
|
vreportf: avoid intermediate buffer
When we call "die(fmt, args...)", we end up in vreportf with
two pieces of information:
1. The prefix "fatal: "
2. The original fmt and va_list of args.
We format item (2) into a temporary buffer, and then fprintf
the prefix and the temporary buffer, along with a newline.
This has the unfortunate side effect of truncating any error
messages that are longer than 4096 bytes.
Instead, let's use separate calls for the prefix and
newline, letting us hand the item (2) directly to vfprintf.
This is essentially undoing d048a96 (print
warning/error/fatal messages in one shot, 2007-11-09), which
tried to have the whole output end up in a single `write`
call.
But we can address this instead by explicitly requesting
line-buffering for the output handle, and by making sure
that the buffer is empty before we start (so that outputting
the prefix does not cause a flush due to hitting the buffer
limit).
We may still break the output into two writes if the content
is larger than our buffer, but there's not much we can do
there; depending on the stdio implementation, that might
have happened even with a single fprintf call.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-11 20:13:59 +02:00
|
|
|
|
2017-01-11 15:02:03 +01:00
|
|
|
vsnprintf(msg, sizeof(msg), err, params);
|
vreport: sanitize ASCII control chars
Our error() and die() calls may report messages with
arbitrary data (e.g., filenames or even data from a remote
server). Let's make it harder to cause confusion with
mischievous filenames. E.g., try:
git rev-parse "$(printf "\rfatal: this argument is too sneaky")" --
or
git rev-parse "$(printf "\x1b[5mblinky\x1b[0m")" --
Let's block all ASCII control characters, with the exception
of TAB and LF. We use both in our own messages (and we are
necessarily sanitizing the complete output of snprintf here,
as we do not have access to the individual varargs). And TAB
and LF are unlikely to cause confusion (you could put
"\nfatal: sneaky\n" in your filename, but it would at least
not _cover up_ the message leading to it, unlike "\r").
We'll replace the characters with a "?", which is similar to
how "ls" behaves. It might be nice to do something less
lossy, like converting them to "\x" hex codes. But replacing
with a single character makes it easy to do in-place and
without worrying about length limitations. This feature
should kick in rarely enough that the "?" marks are almost
never seen.
We'll leave high-bit characters as-is, as they are likely to
be UTF-8 (though there may be some Unicode mischief you
could cause, which may require further patches).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-01-11 15:02:23 +01:00
|
|
|
for (p = msg; *p; p++) {
|
|
|
|
if (iscntrl(*p) && *p != '\t' && *p != '\n')
|
|
|
|
*p = '?';
|
vreportf: avoid intermediate buffer
When we call "die(fmt, args...)", we end up in vreportf with
two pieces of information:
1. The prefix "fatal: "
2. The original fmt and va_list of args.
We format item (2) into a temporary buffer, and then fprintf
the prefix and the temporary buffer, along with a newline.
This has the unfortunate side effect of truncating any error
messages that are longer than 4096 bytes.
Instead, let's use separate calls for the prefix and
newline, letting us hand the item (2) directly to vfprintf.
This is essentially undoing d048a96 (print
warning/error/fatal messages in one shot, 2007-11-09), which
tried to have the whole output end up in a single `write`
call.
But we can address this instead by explicitly requesting
line-buffering for the output handle, and by making sure
that the buffer is empty before we start (so that outputting
the prefix does not cause a flush due to hitting the buffer
limit).
We may still break the output into two writes if the content
is larger than our buffer, but there's not much we can do
there; depending on the stdio implementation, that might
have happened even with a single fprintf call.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-11 20:13:59 +02:00
|
|
|
}
|
2017-05-13 05:48:18 +02:00
|
|
|
fprintf(stderr, "%s%s\n", prefix, msg);
|
2011-07-27 23:32:34 +02:00
|
|
|
}
|
|
|
|
|
2009-11-09 16:05:02 +01:00
|
|
|
static NORETURN void usage_builtin(const char *err, va_list params)
|
2005-04-18 22:04:43 +02:00
|
|
|
{
|
2010-03-06 16:40:39 +01:00
|
|
|
vreportf("usage: ", err, params);
|
2005-10-01 22:24:27 +02:00
|
|
|
exit(129);
|
2005-04-18 22:04:43 +02:00
|
|
|
}
|
|
|
|
|
2006-06-24 07:44:33 +02:00
|
|
|
static NORETURN void die_builtin(const char *err, va_list params)
|
2006-06-24 04:34:38 +02:00
|
|
|
{
|
2010-03-06 16:40:39 +01:00
|
|
|
vreportf("fatal: ", err, params);
|
2006-06-24 04:34:38 +02:00
|
|
|
exit(128);
|
|
|
|
}
|
|
|
|
|
2006-06-24 07:44:33 +02:00
|
|
|
static void error_builtin(const char *err, va_list params)
|
2006-06-24 04:34:38 +02:00
|
|
|
{
|
2010-03-06 16:40:39 +01:00
|
|
|
vreportf("error: ", err, params);
|
2006-06-24 04:34:38 +02:00
|
|
|
}
|
|
|
|
|
2006-12-22 01:48:32 +01:00
|
|
|
static void warn_builtin(const char *warn, va_list params)
|
|
|
|
{
|
2010-03-06 16:40:39 +01:00
|
|
|
vreportf("warning: ", warn, params);
|
2006-12-22 01:48:32 +01:00
|
|
|
}
|
2006-06-24 04:34:38 +02:00
|
|
|
|
2013-04-16 21:46:22 +02:00
|
|
|
static int die_is_recursing_builtin(void)
|
|
|
|
{
|
|
|
|
static int dying;
|
die(): stop hiding errors due to overzealous recursion guard
Change the recursion limit for the default die routine from a *very*
low 1 to 1024. This ensures that infinite recursions are broken, but
doesn't lose the meaningful error messages under threaded execution
where threads concurrently start to die.
The intent of the existing code, as explained in commit
cd163d4b4e ("usage.c: detect recursion in die routines and bail out
immediately", 2012-11-14), is to break infinite recursion in cases
where the die routine itself calls die(), and would thus infinitely
recurse.
However, doing that very aggressively by immediately printing out
"recursion detected in die handler" if we've already called die() once
means that threaded invocations of git can end up only printing out
the "recursion detected" error, while hiding the meaningful error.
An example of this is running a threaded grep which dies on execution
against pretty much any repo, git.git will do:
git grep -P --threads=8 '(*LIMIT_MATCH=1)-?-?-?---$'
With the current version of git this will print some combination of
multiple PCRE failures that caused the abort and multiple "recursion
detected", some invocations will print out multiple "recursion
detected" errors with no PCRE error at all!
Before this change, running the above grep command 1000 times against
git.git[1] and taking the top 20 results will on my system yield the
following distribution of actual errors ("E") and recursion
errors ("R"):
322 E R
306 E
116 E R R
65 R R
54 R E
49 E E
44 R
15 E R R R
9 R R R
7 R E R
5 R R E
3 E R R R R
2 E E R
1 R R R R
1 R R R E
1 R E R R
The exact results are obviously random and system-dependent, but this
shows the race condition in this code. Some small part of the time
we're about to print out the actual error ("E") but another thread's
recursion error beats us to it, and sometimes we print out nothing but
the recursion error.
With this change we get, now with "W" to mean the new warning being
emitted indicating that we've called die() many times:
502 E
160 E W E
120 E E
53 E W
35 E W E E
34 W E E
29 W E E E
16 E E W
16 E E E
11 W E E E E
7 E E W E
4 W E
3 W W E E
2 E W E E E
1 W W E
1 W E W E
1 E W W E E E
1 E W W E E
1 E W W E
1 E W E E W
Which still sucks a bit, due to a still present race-condition in this
code we're sometimes going to print out several errors still, or
several warnings, or two duplicate errors without the warning.
But we will never have a case where we completely hide the actual
error as we do now.
Now, git-grep could make use of the pluggable error facility added in
commit c19a490e37 ("usage: allow pluggable die-recursion checks",
2013-04-16). There's other threaded code that calls set_die_routine()
or set_die_is_recursing_routine().
But this is about fixing the general die() behavior with threading
when we don't have such a custom routine yet. Right now the common
case is not an infinite recursion in the handler, but us losing error
messages by default because we're overly paranoid about our recursion
check.
So let's just set the recursion limit to a number higher than the
number of threads we're ever likely to spawn. Now we won't lose
errors, and if we have a recursing die handler we'll still die within
microseconds.
There are race conditions in this code itself, in particular the
"dying" variable is not thread mutexed, so we e.g. won't be dying at
exactly 1024, or for that matter even be able to accurately test
"dying == 2", see the cases where we print out more than one "W"
above.
But that doesn't really matter, for the recursion guard we just need
to die "soon", not at exactly 1024 calls, and for printing the correct
error and only one warning most of the time in the face of threaded
death this is good enough and a net improvement on the current code.
1. for i in {1..1000}; do git grep -P --threads=8 '(*LIMIT_MATCH=1)-?-?-?---$' 2>&1|perl -pe 's/^fatal: r.*/R/; s/^fatal: p.*/E/; s/^warning.*/W/' | tr '\n' ' '; echo; done | sort | uniq -c | sort -nr | head -n 20
Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-06-21 22:47:42 +02:00
|
|
|
/*
|
|
|
|
* Just an arbitrary number X where "a < x < b" where "a" is
|
|
|
|
* "maximum number of pthreads we'll ever plausibly spawn" and
|
|
|
|
* "b" is "something less than Inf", since the point is to
|
|
|
|
* prevent infinite recursion.
|
|
|
|
*/
|
|
|
|
static const int recursion_limit = 1024;
|
|
|
|
|
|
|
|
dying++;
|
|
|
|
if (dying > recursion_limit) {
|
|
|
|
return 1;
|
|
|
|
} else if (dying == 2) {
|
|
|
|
warning("die() called many times. Recursion error or racy threaded death!");
|
|
|
|
return 0;
|
|
|
|
} else {
|
|
|
|
return 0;
|
|
|
|
}
|
2013-04-16 21:46:22 +02:00
|
|
|
}
|
|
|
|
|
2006-06-24 04:34:38 +02:00
|
|
|
/* If we are in a dlopen()ed .so write to a global variable would segfault
|
|
|
|
* (ugh), so keep things static. */
|
2009-11-09 16:05:02 +01:00
|
|
|
static NORETURN_PTR void (*usage_routine)(const char *err, va_list params) = usage_builtin;
|
2009-09-30 20:05:50 +02:00
|
|
|
static NORETURN_PTR void (*die_routine)(const char *err, va_list params) = die_builtin;
|
2006-06-24 04:34:38 +02:00
|
|
|
static void (*error_routine)(const char *err, va_list params) = error_builtin;
|
2006-12-22 01:48:32 +01:00
|
|
|
static void (*warn_routine)(const char *err, va_list params) = warn_builtin;
|
2013-04-16 21:46:22 +02:00
|
|
|
static int (*die_is_recursing)(void) = die_is_recursing_builtin;
|
2006-06-24 04:34:38 +02:00
|
|
|
|
2009-09-30 20:05:50 +02:00
|
|
|
void set_die_routine(NORETURN_PTR void (*routine)(const char *err, va_list params))
|
2006-06-24 04:34:38 +02:00
|
|
|
{
|
|
|
|
die_routine = routine;
|
|
|
|
}
|
|
|
|
|
2011-07-27 23:32:34 +02:00
|
|
|
void set_error_routine(void (*routine)(const char *err, va_list params))
|
|
|
|
{
|
|
|
|
error_routine = routine;
|
|
|
|
}
|
|
|
|
|
2016-09-04 22:18:28 +02:00
|
|
|
void (*get_error_routine(void))(const char *err, va_list params)
|
|
|
|
{
|
|
|
|
return error_routine;
|
|
|
|
}
|
|
|
|
|
2016-09-04 22:18:27 +02:00
|
|
|
void set_warn_routine(void (*routine)(const char *warn, va_list params))
|
|
|
|
{
|
|
|
|
warn_routine = routine;
|
|
|
|
}
|
|
|
|
|
2016-09-04 22:18:28 +02:00
|
|
|
void (*get_warn_routine(void))(const char *warn, va_list params)
|
|
|
|
{
|
|
|
|
return warn_routine;
|
|
|
|
}
|
|
|
|
|
2013-04-16 21:46:22 +02:00
|
|
|
void set_die_is_recursing_routine(int (*routine)(void))
|
|
|
|
{
|
|
|
|
die_is_recursing = routine;
|
|
|
|
}
|
|
|
|
|
Fix sparse warnings
Fix warnings from 'make check'.
- These files don't include 'builtin.h' causing sparse to complain that
cmd_* isn't declared:
builtin/clone.c:364, builtin/fetch-pack.c:797,
builtin/fmt-merge-msg.c:34, builtin/hash-object.c:78,
builtin/merge-index.c:69, builtin/merge-recursive.c:22
builtin/merge-tree.c:341, builtin/mktag.c:156, builtin/notes.c:426
builtin/notes.c:822, builtin/pack-redundant.c:596,
builtin/pack-refs.c:10, builtin/patch-id.c:60, builtin/patch-id.c:149,
builtin/remote.c:1512, builtin/remote-ext.c:240,
builtin/remote-fd.c:53, builtin/reset.c:236, builtin/send-pack.c:384,
builtin/unpack-file.c:25, builtin/var.c:75
- These files have symbols which should be marked static since they're
only file scope:
submodule.c:12, diff.c:631, replace_object.c:92, submodule.c:13,
submodule.c:14, trace.c:78, transport.c:195, transport-helper.c:79,
unpack-trees.c:19, url.c:3, url.c:18, url.c:104, url.c:117, url.c:123,
url.c:129, url.c:136, thread-utils.c:21, thread-utils.c:48
- These files redeclare symbols to be different types:
builtin/index-pack.c:210, parse-options.c:564, parse-options.c:571,
usage.c:49, usage.c:58, usage.c:63, usage.c:72
- These files use a literal integer 0 when they really should use a NULL
pointer:
daemon.c:663, fast-import.c:2942, imap-send.c:1072, notes-merge.c:362
While we're in the area, clean up some unused #includes in builtin files
(mostly exec_cmd.h).
Signed-off-by: Stephen Boyd <bebarino@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-03-22 08:51:05 +01:00
|
|
|
void NORETURN usagef(const char *err, ...)
|
2009-11-09 16:05:02 +01:00
|
|
|
{
|
|
|
|
va_list params;
|
|
|
|
|
|
|
|
va_start(params, err);
|
|
|
|
usage_routine(err, params);
|
|
|
|
va_end(params);
|
|
|
|
}
|
|
|
|
|
Fix sparse warnings
Fix warnings from 'make check'.
- These files don't include 'builtin.h' causing sparse to complain that
cmd_* isn't declared:
builtin/clone.c:364, builtin/fetch-pack.c:797,
builtin/fmt-merge-msg.c:34, builtin/hash-object.c:78,
builtin/merge-index.c:69, builtin/merge-recursive.c:22
builtin/merge-tree.c:341, builtin/mktag.c:156, builtin/notes.c:426
builtin/notes.c:822, builtin/pack-redundant.c:596,
builtin/pack-refs.c:10, builtin/patch-id.c:60, builtin/patch-id.c:149,
builtin/remote.c:1512, builtin/remote-ext.c:240,
builtin/remote-fd.c:53, builtin/reset.c:236, builtin/send-pack.c:384,
builtin/unpack-file.c:25, builtin/var.c:75
- These files have symbols which should be marked static since they're
only file scope:
submodule.c:12, diff.c:631, replace_object.c:92, submodule.c:13,
submodule.c:14, trace.c:78, transport.c:195, transport-helper.c:79,
unpack-trees.c:19, url.c:3, url.c:18, url.c:104, url.c:117, url.c:123,
url.c:129, url.c:136, thread-utils.c:21, thread-utils.c:48
- These files redeclare symbols to be different types:
builtin/index-pack.c:210, parse-options.c:564, parse-options.c:571,
usage.c:49, usage.c:58, usage.c:63, usage.c:72
- These files use a literal integer 0 when they really should use a NULL
pointer:
daemon.c:663, fast-import.c:2942, imap-send.c:1072, notes-merge.c:362
While we're in the area, clean up some unused #includes in builtin files
(mostly exec_cmd.h).
Signed-off-by: Stephen Boyd <bebarino@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-03-22 08:51:05 +01:00
|
|
|
void NORETURN usage(const char *err)
|
2006-06-24 04:34:38 +02:00
|
|
|
{
|
2009-11-09 16:05:02 +01:00
|
|
|
usagef("%s", err);
|
2006-06-24 04:34:38 +02:00
|
|
|
}
|
|
|
|
|
Fix sparse warnings
Fix warnings from 'make check'.
- These files don't include 'builtin.h' causing sparse to complain that
cmd_* isn't declared:
builtin/clone.c:364, builtin/fetch-pack.c:797,
builtin/fmt-merge-msg.c:34, builtin/hash-object.c:78,
builtin/merge-index.c:69, builtin/merge-recursive.c:22
builtin/merge-tree.c:341, builtin/mktag.c:156, builtin/notes.c:426
builtin/notes.c:822, builtin/pack-redundant.c:596,
builtin/pack-refs.c:10, builtin/patch-id.c:60, builtin/patch-id.c:149,
builtin/remote.c:1512, builtin/remote-ext.c:240,
builtin/remote-fd.c:53, builtin/reset.c:236, builtin/send-pack.c:384,
builtin/unpack-file.c:25, builtin/var.c:75
- These files have symbols which should be marked static since they're
only file scope:
submodule.c:12, diff.c:631, replace_object.c:92, submodule.c:13,
submodule.c:14, trace.c:78, transport.c:195, transport-helper.c:79,
unpack-trees.c:19, url.c:3, url.c:18, url.c:104, url.c:117, url.c:123,
url.c:129, url.c:136, thread-utils.c:21, thread-utils.c:48
- These files redeclare symbols to be different types:
builtin/index-pack.c:210, parse-options.c:564, parse-options.c:571,
usage.c:49, usage.c:58, usage.c:63, usage.c:72
- These files use a literal integer 0 when they really should use a NULL
pointer:
daemon.c:663, fast-import.c:2942, imap-send.c:1072, notes-merge.c:362
While we're in the area, clean up some unused #includes in builtin files
(mostly exec_cmd.h).
Signed-off-by: Stephen Boyd <bebarino@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-03-22 08:51:05 +01:00
|
|
|
void NORETURN die(const char *err, ...)
|
2005-04-18 22:04:43 +02:00
|
|
|
{
|
|
|
|
va_list params;
|
|
|
|
|
2013-04-16 21:46:22 +02:00
|
|
|
if (die_is_recursing()) {
|
2012-11-15 02:45:52 +01:00
|
|
|
fputs("fatal: recursion detected in die handler\n", stderr);
|
|
|
|
exit(128);
|
|
|
|
}
|
|
|
|
|
2005-04-18 22:04:43 +02:00
|
|
|
va_start(params, err);
|
2006-06-24 04:34:38 +02:00
|
|
|
die_routine(err, params);
|
2005-04-18 22:04:43 +02:00
|
|
|
va_end(params);
|
|
|
|
}
|
|
|
|
|
2016-05-08 11:47:21 +02:00
|
|
|
static const char *fmt_with_err(char *buf, int n, const char *fmt)
|
2009-06-27 17:58:44 +02:00
|
|
|
{
|
2009-06-27 17:58:45 +02:00
|
|
|
char str_error[256], *err;
|
|
|
|
int i, j;
|
|
|
|
|
|
|
|
err = strerror(errno);
|
|
|
|
for (i = j = 0; err[i] && j < sizeof(str_error) - 1; ) {
|
|
|
|
if ((str_error[j++] = err[i++]) != '%')
|
|
|
|
continue;
|
|
|
|
if (j < sizeof(str_error) - 1) {
|
|
|
|
str_error[j++] = '%';
|
|
|
|
} else {
|
|
|
|
/* No room to double the '%', so we overwrite it with
|
|
|
|
* '\0' below */
|
|
|
|
j--;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
str_error[j] = 0;
|
2016-05-08 11:47:21 +02:00
|
|
|
snprintf(buf, n, "%s: %s", fmt, str_error);
|
|
|
|
return buf;
|
|
|
|
}
|
|
|
|
|
|
|
|
void NORETURN die_errno(const char *fmt, ...)
|
|
|
|
{
|
|
|
|
char buf[1024];
|
|
|
|
va_list params;
|
|
|
|
|
|
|
|
if (die_is_recursing()) {
|
|
|
|
fputs("fatal: recursion detected in die_errno handler\n",
|
|
|
|
stderr);
|
|
|
|
exit(128);
|
|
|
|
}
|
2009-06-27 17:58:44 +02:00
|
|
|
|
|
|
|
va_start(params, fmt);
|
2016-05-08 11:47:21 +02:00
|
|
|
die_routine(fmt_with_err(buf, sizeof(buf), fmt), params);
|
2009-06-27 17:58:44 +02:00
|
|
|
va_end(params);
|
|
|
|
}
|
|
|
|
|
2016-08-31 05:41:22 +02:00
|
|
|
#undef error_errno
|
2016-05-08 11:47:22 +02:00
|
|
|
int error_errno(const char *fmt, ...)
|
|
|
|
{
|
|
|
|
char buf[1024];
|
|
|
|
va_list params;
|
|
|
|
|
|
|
|
va_start(params, fmt);
|
|
|
|
error_routine(fmt_with_err(buf, sizeof(buf), fmt), params);
|
|
|
|
va_end(params);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
make error()'s constant return value more visible
When git is compiled with "gcc -Wuninitialized -O3", some
inlined calls provide an additional opportunity for the
compiler to do static analysis on variable initialization.
For example, with two functions like this:
int get_foo(int *foo)
{
if (something_that_might_fail() < 0)
return error("unable to get foo");
*foo = 0;
return 0;
}
void some_fun(void)
{
int foo;
if (get_foo(&foo) < 0)
return -1;
printf("foo is %d\n", foo);
}
If get_foo() is not inlined, then when compiling some_fun,
gcc sees only that a pointer to the local variable is
passed, and must assume that it is an out parameter that
is initialized after get_foo returns.
However, when get_foo() is inlined, the compiler may look at
all of the code together and see that some code paths in
get_foo() do not initialize the variable. As a result, it
prints a warning. But what the compiler can't see is that
error() always returns -1, and therefore we know that either
we return early from some_fun, or foo ends up initialized,
and the code is safe. The warning is a false positive.
If we can make the compiler aware that error() will always
return -1, it can do a better job of analysis. The simplest
method would be to inline the error() function. However,
this doesn't work, because gcc will not inline a variadc
function. We can work around this by defining a macro. This
relies on two gcc extensions:
1. Variadic macros (these are present in C99, but we do
not rely on that).
2. Gcc treats the "##" paste operator specially between a
comma and __VA_ARGS__, which lets our variadic macro
work even if no format parameters are passed to
error().
Since we are using these extra features, we hide the macro
behind an #ifdef. This is OK, though, because our goal was
just to help gcc.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-12-15 18:37:36 +01:00
|
|
|
#undef error
|
2005-04-18 22:04:43 +02:00
|
|
|
int error(const char *err, ...)
|
|
|
|
{
|
|
|
|
va_list params;
|
|
|
|
|
|
|
|
va_start(params, err);
|
2006-06-24 04:34:38 +02:00
|
|
|
error_routine(err, params);
|
2005-04-18 22:04:43 +02:00
|
|
|
va_end(params);
|
|
|
|
return -1;
|
|
|
|
}
|
2006-12-22 01:48:32 +01:00
|
|
|
|
2016-05-08 11:47:22 +02:00
|
|
|
void warning_errno(const char *warn, ...)
|
|
|
|
{
|
|
|
|
char buf[1024];
|
|
|
|
va_list params;
|
|
|
|
|
|
|
|
va_start(params, warn);
|
|
|
|
warn_routine(fmt_with_err(buf, sizeof(buf), warn), params);
|
|
|
|
va_end(params);
|
|
|
|
}
|
|
|
|
|
2007-03-31 01:07:05 +02:00
|
|
|
void warning(const char *warn, ...)
|
2006-12-22 01:48:32 +01:00
|
|
|
{
|
|
|
|
va_list params;
|
|
|
|
|
|
|
|
va_start(params, warn);
|
|
|
|
warn_routine(warn, params);
|
|
|
|
va_end(params);
|
|
|
|
}
|
usage.c: add BUG() function
There's a convention in Git's code base to write assertions
as:
if (...some_bad_thing...)
die("BUG: the terrible thing happened");
with the idea that users should never see a "BUG:" message
(but if they, it at least gives a clue what happened). We
use die() here because it's convenient, but there are a few
draw-backs:
1. Without parsing the messages, it's hard for callers to
distinguish BUG assertions from regular errors.
For instance, it would be nice if the test suite could
check that we don't hit any assertions, but
test_must_fail will pass BUG deaths as OK.
2. It would be useful to add more debugging features to
BUG assertions, like file/line numbers or dumping core.
3. The die() handler can be replaced, and might not
actually exit the whole program (e.g., it may just
pthread_exit()). This is convenient for normal errors,
but for an assertion failure (which is supposed to
never happen), we're probably better off taking down
the whole process as quickly and cleanly as possible.
We could address these by checking in die() whether the
error message starts with "BUG", and behaving appropriately.
But there's little advantage at that point to sharing the
die() code, and only downsides (e.g., we can't change the
BUG() interface independently). Moreover, converting all of
the existing BUG calls reveals that the test suite does
indeed trigger a few of them.
Instead, this patch introduces a new BUG() function, which
prints an error before dying via SIGABRT. This gives us test
suite checking and core dumps. The function is actually a
macro (when supported) so that we can show the file/line
number.
We can convert die("BUG") invocations to BUG() in further
patches, dealing with any test fallouts individually.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-13 05:28:50 +02:00
|
|
|
|
|
|
|
static NORETURN void BUG_vfl(const char *file, int line, const char *fmt, va_list params)
|
|
|
|
{
|
|
|
|
char prefix[256];
|
|
|
|
|
|
|
|
/* truncation via snprintf is OK here */
|
|
|
|
if (file)
|
|
|
|
snprintf(prefix, sizeof(prefix), "BUG: %s:%d: ", file, line);
|
|
|
|
else
|
|
|
|
snprintf(prefix, sizeof(prefix), "BUG: ");
|
|
|
|
|
|
|
|
vreportf(prefix, fmt, params);
|
|
|
|
abort();
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef HAVE_VARIADIC_MACROS
|
2017-05-22 00:25:39 +02:00
|
|
|
NORETURN void BUG_fl(const char *file, int line, const char *fmt, ...)
|
usage.c: add BUG() function
There's a convention in Git's code base to write assertions
as:
if (...some_bad_thing...)
die("BUG: the terrible thing happened");
with the idea that users should never see a "BUG:" message
(but if they, it at least gives a clue what happened). We
use die() here because it's convenient, but there are a few
draw-backs:
1. Without parsing the messages, it's hard for callers to
distinguish BUG assertions from regular errors.
For instance, it would be nice if the test suite could
check that we don't hit any assertions, but
test_must_fail will pass BUG deaths as OK.
2. It would be useful to add more debugging features to
BUG assertions, like file/line numbers or dumping core.
3. The die() handler can be replaced, and might not
actually exit the whole program (e.g., it may just
pthread_exit()). This is convenient for normal errors,
but for an assertion failure (which is supposed to
never happen), we're probably better off taking down
the whole process as quickly and cleanly as possible.
We could address these by checking in die() whether the
error message starts with "BUG", and behaving appropriately.
But there's little advantage at that point to sharing the
die() code, and only downsides (e.g., we can't change the
BUG() interface independently). Moreover, converting all of
the existing BUG calls reveals that the test suite does
indeed trigger a few of them.
Instead, this patch introduces a new BUG() function, which
prints an error before dying via SIGABRT. This gives us test
suite checking and core dumps. The function is actually a
macro (when supported) so that we can show the file/line
number.
We can convert die("BUG") invocations to BUG() in further
patches, dealing with any test fallouts individually.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-13 05:28:50 +02:00
|
|
|
{
|
|
|
|
va_list ap;
|
|
|
|
va_start(ap, fmt);
|
|
|
|
BUG_vfl(file, line, fmt, ap);
|
|
|
|
va_end(ap);
|
|
|
|
}
|
|
|
|
#else
|
2017-05-22 00:25:39 +02:00
|
|
|
NORETURN void BUG(const char *fmt, ...)
|
usage.c: add BUG() function
There's a convention in Git's code base to write assertions
as:
if (...some_bad_thing...)
die("BUG: the terrible thing happened");
with the idea that users should never see a "BUG:" message
(but if they, it at least gives a clue what happened). We
use die() here because it's convenient, but there are a few
draw-backs:
1. Without parsing the messages, it's hard for callers to
distinguish BUG assertions from regular errors.
For instance, it would be nice if the test suite could
check that we don't hit any assertions, but
test_must_fail will pass BUG deaths as OK.
2. It would be useful to add more debugging features to
BUG assertions, like file/line numbers or dumping core.
3. The die() handler can be replaced, and might not
actually exit the whole program (e.g., it may just
pthread_exit()). This is convenient for normal errors,
but for an assertion failure (which is supposed to
never happen), we're probably better off taking down
the whole process as quickly and cleanly as possible.
We could address these by checking in die() whether the
error message starts with "BUG", and behaving appropriately.
But there's little advantage at that point to sharing the
die() code, and only downsides (e.g., we can't change the
BUG() interface independently). Moreover, converting all of
the existing BUG calls reveals that the test suite does
indeed trigger a few of them.
Instead, this patch introduces a new BUG() function, which
prints an error before dying via SIGABRT. This gives us test
suite checking and core dumps. The function is actually a
macro (when supported) so that we can show the file/line
number.
We can convert die("BUG") invocations to BUG() in further
patches, dealing with any test fallouts individually.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-13 05:28:50 +02:00
|
|
|
{
|
|
|
|
va_list ap;
|
|
|
|
va_start(ap, fmt);
|
|
|
|
BUG_vfl(NULL, 0, fmt, ap);
|
|
|
|
va_end(ap);
|
|
|
|
}
|
|
|
|
#endif
|