We had 'msghdr' and 'mh' in various places. Now 'const struct msghdr msghdr' is
used consistently. With structured init the variable is only used in the call
to sendmsg(), so let's make it a bit more descriptive.
In general we almost never hit those asserts in production code, so users see
them very rarely, if ever. But either way, we just need something that users
can pass to the developers.
We have quite a few of those asserts, and some have fairly nice messages, but
many are like "WTF?" or "???" or "unexpected something". The error that is
printed includes the file location, and function name. In almost all functions
there's at most one assert, so the function name alone is enough to identify
the failure for a developer. So we don't get much extra from the message, and
we might just as well drop them.
Dropping them makes our code a tiny bit smaller, and most importantly, improves
development experience by making it easy to insert such an assert in the code
without thinking how to phrase the argument.
This one is useful for a outputs with a slightly more "positive"
outlook, i.e. where only the checkmarks are shown but the crossmarks are
replaced by spaces.
(Usecase: a larger table with many checkmarks, where the red crossmarks
might just be too much negative noise)
Now that CONST_MAX() is a bit more foregiving, let's stick to the native
return type of sizeof() everywhere, which is size_t, instead of casting
to "unsigned", so that on the common archs we don't unnecessarily lose
the upper 32bits.
This semi-reverts d3e4029457.
Even though it's just a fallback path, let's not be sloppy and allocate in
the crash handler.
> The deadlock happens because systemd crash in malloc() then in signal
> handler, it calls malloc() (close_all_fds()-> opendir()-> __alloc_dir())
> again. malloc() is not a signal-safe function, maybe we should re-think
> the logic here.
Fixes#20266.
Library code should not call freeze(), this is something that should
only be done by "application code", so moving it into shared/ is appropriate.
The fallback to call _exit() is dropped: let's trust that the infinite loop
is infinite.
Currently it's only used in two places in src/shared/, so the function was
already included just once in compiled code. But it seems appropriate to
move it there anyway, because library code should have no need to fork
agents, so it doesn't belong in basic/.
We need a sorted list of fds to skip over when closing. We would allocate a
copy of the passed array to do the sort. But all callers construct a temporary
array to pass to us, so it is pointless to copy it again.
close_all_fds/safe_fork_full/namespace_fork/fork_agent are changed to pass
a non-const int array. I checked all users, and all callers are fine with
the array being sorted.
The function was returning some number (sometimes 1, sometimes the extent
of the range passed over to close_range(), ???). Anyway, all callers only
check for error, so let's return 0 on success.
cunescape() sets output on success, so initialization is not necessary. There
was no comment, but I think they may have been added because the compiler
wasn't convinced that the return value is non-negative on success. It could
have been confused by the int return type on escape*(), which was changed by
the one of preceeding commits to ssize_t, or by the length calculation, so add
an assert to help the compiler.
For some reason coverity thinks the output can be leaked here (CID #1458111).
I don't see how.
asprintf(3) says that the pointer is "undefined" after a failed call.
In the current glibc implementation it is just NULL. In principle the
call could return a valid pointer with bad contents or something.
We have two styles of error handling: in a majority of cases we would
check the return value, but sometimes we used (void) and relied on the
pointer not being set. In practice both styles should be equivalent,
but gcc doesn't like the second one with -Wunused-result. (Though only
sometimes. E.g. on my F34 box I don't get the same warnings as in CI,
even though the compiler version is very similar and the compilation
options are the same…). It's also nice to be consistent in our code base.
So let's always use the first style of error checking.
When those two macros were used together in CONST_MAX(), gcc would complain
about a type mismatch. So either DECIMAL_STR_MAX() should be made size_t like
STRLEN(), or STRLEN() be made unsigned.
Since those macros are only usable on arguments of (small) fixed size, any type
should be fine (even char would work…). For buffer size specifications, both
size_t and unsigned are OK. But unsigned was used for DECIMAL_STR_MAX macros
and FORMAT_foo_MAX macros, making STRLEN the only exception, so let's adjust
STRLEN() to be unsigned too.
Also: I don't think this is currently used anywhere, but if any of those macros
were used as an argument to sprintf, size_t would require a cast. ("%*s"
requires an int/unsigned argument.)
It seems to, but I was a bit incredulous… The comment is adjusted to match
the standard.
The trick with a temporary buffer is neat. I wasn't sure if it is valid, but
the standard says so. The test really tests that we are reading the rules right
and that the compiler doesn't do anythign strange or emit an unexpected
warning.
