bug#8401: removing duplication and improving the readlink code

[Eli Zaretskii]

> Date: Fri, 01 Apr 2011 13:09:22 -0700
> From: Paul Eggert <eggert@cs.ucla.edu>
> CC: 8401@debbugs.gnu.org
> 
> On 04/01/2011 12:38 PM, Eli Zaretskii wrote:
> 
> > the functions you introduce use malloc/realloc,
> > which I think will prevent their callers from being safe for
> > asynchronous calls triggered by external events (mouse etc.).
> 
> No, because the functions always use Emacs xmalloc / xrealloc when
> Emacs invokes them.  This is because emacs_readlink tells the
> lower-level primitives to use xmalloc and xrealloc.

You are right, I stand corrected.

However, this just underlines the difficulty of reading the convoluted
arrangement that this patch introduces.  Any such difficulty is an
impediment to maintenance.

> >> That doesn't suffice; the code should not only use ssize_t for
> >> readlink's returned value, but it should also use size_t for the
> >> buffer size
> > 
> > Well, let's use that as well, then.
> 
> What I sense that you're suggesting, is that we take all the fixes in
> the gnulib code, and port them all into the two duplicates of similar
> code that's in Emacs.

No.  Gnulib code that you suggest to add does much more than just
avoid overflow.  See below.

> > Are we really going to consider seriously the case of a link name
> > overflowing a 64-bit ssize_t data type?
> 
> As a general rule, GNU code shouldn't have arbitrary limits, and
> should defend against limits in underyling systems.

Sorry, that doesn't answer the question.

The issue at hand is the price (in complexity and gratuitous added
code) we should pay for a simple overflow test.  I submit that the
price you are asking for is way too high in this case.  Where a single
comparison will suffice to resolve a very remote possibility of
overflow, you suggest to add 2 non-trivial gnulib modules.

> Emacs is not as good as it should be about this, and I'm trying to
> make it better.

Your efforts are appreciated.  But the issue at hand is not whether
Emacs code can and should be made better.  The issue is _how_ to do
that.  I respectfully submit that in this particular case, the
technique selected for improving the code in this particular area is
not the best alternative.

> This is just one example of many, found by static checking, and we
> might as well fix it while we're fixing all the others.

I support fixing possible overflows, just not with sledgehammer style
techniques such as this one.

> > We could refactor the duplicated code into a short function, and use
> > that.
> 
> That's what's being done here.  The function does even more than that,
> though

Exactly!

> it avoids the need to call malloc and free entirely, in the usual
> case.  This is a performance win in the typical case.

There should be a good reason for introducing this additional code; a
remote possibility of an overflow is not such a good reason.  As for
performance win, the callers of this code are not performance
critical, AFAICT.  So this is an example of premature optimization,
IMO.

What I'm suggesting is to solve the overflow, and nothing else.
Again, I can hardly believe that doing so would need more than a
simple comparison, and I agree that a function which allocates a
buffer and calls readlink with that buffer, while avoiding overflow,
could be used in both places, to avoid code replication.