On Fri, Mar 21, 2025 at 05:08:06PM -0400, Karthik Nayak wrote:
> > @@ -192,7 +188,7 @@ static int stream_blob_to_pack(struct bulk_checkin_packfile *state,
> > offset += rsize;
> > if (*already_hashed_to < offset) {
> > size_t hsize = offset - *already_hashed_to;
> > - if (rsize < hsize)
> > + if ((size_t)rsize < hsize)
>
> Something I found peculiar here is that `rsize` is of type ssize_t'.
> But it only seems to store a positive value.
I assumed it was ssize_t because it would hold the result of a read
call. But it doesn't! We put that into the "read_result" variable.
So it could just be a size_t in the first place. And indeed it is better
as one, because we assign from "size", which is itself a size_t. We do
not yet warn about type mismatches outside of comparisons, but really it
is equally bad.
However, if you switch it, then we get a different -Wsign-compare
problem: we compare "rsize" and "read_result". So you still have to
cast, but at a different spot.
If we are doing this a lot (and really this conversion is necessary any
time you look at the outcome of a read call), I do still wonder if we
should have a helper like:
static inline int safe_scast(ssize_t ret, size_t *out)
{
if (ret < 0)
return 0;
/* cast is safe because of check above */
*out = (size_t)ret;
return 1;
}
(yes, I know the name is lousy). That would allow something like this:
diff --git a/bulk-checkin.c b/bulk-checkin.c
index f6f79cb9e2..fbffc7c8d6 100644
--- a/bulk-checkin.c
+++ b/bulk-checkin.c
@@ -178,9 +178,10 @@ static int stream_blob_to_pack(struct bulk_checkin_packfile *state,
while (status != Z_STREAM_END) {
if (size && !s.avail_in) {
- ssize_t rsize = size < sizeof(ibuf) ? size : sizeof(ibuf);
- ssize_t read_result = read_in_full(fd, ibuf, rsize);
- if (read_result < 0)
+ size_t rsize = size < sizeof(ibuf) ? size : sizeof(ibuf);
+ size_t read_result;
+
+ if (!safe_scast(read_in_full(fd, ibuf, rsize), &read_result))
die_errno("failed to read from '%s'", path);
if (read_result != rsize)
die("failed to read %d bytes from '%s'",
Though it does kind of obscure the call to read_in_full(). You can use
two variables, like:
ssize_t read_result;
size_t bytes_read;
read_result = read_in_full(fd, ibuf, rsize);
if (!safe_scast(read_result, &bytes_read))
die_errno(...);
which is a bit more verbose but perhaps clearer.
This reminded me a bit of the issues we had with write_in_full() before,
where:
if (write_in_full(fd, buf, len) < len)
behaves unexpectedly because of integer conversions. There the solution
was to never check against "len", because write_in_full() either writes
everything or returns an error. So:
if (write_in_full(fd, buf, len) < 0)
is correct and sufficient.
But alas, we can't do the same here, because reading returns three
cases: error, a full read, or a partial read (maybe even EOF!). So we
really do need to record and compare the return value between what we
asked for and what we got.
-Peff
