| Message ID | 20250314210909.3776678-4-gitster@pobox.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | -Wunreachable-code | expand |
Sorry, one new file was left out of the patch. Here is a quick fix
(I am not rerolling the earlier 2 steps).
---- >8 ----
Our hope is that the number of code paths that falsely trigger
warnings with the -Wunreachable-code compilation option are small,
and they can be worked around case-by-case basis, like we just did
in the previous commit. If we need such a workaround a bit more
often, however, we may benefit from a more generic and descriptive
facility that helps document the cases we need such workarounds.
Side note: if we need the workaround all over the place, it
simply means -Wunreachable-code is not a good tool for us to
save engineering effort to catch mistakes. We are still
exploring if it helps us, so let's assume that it is not the
case.
Introduce NOT_A_CONST() macro, with which, the developer can tell
the compiler:
Do not optimize this expression out, because, despite whatever
you are told by the system headers, this expression should *not*
be treated as a constant.
and use it as a replacement for the workaround we used that was
somewhat specific to the sigfillset case. If the compiler already
knows that the call to sigfillset() cannot fail on a particular
platform it is compiling for and declares that the if() condition
would not hold, it is plausible that the next version of the
compiler may learn that sigfillset() that never fails would not
touch errno and decide that in this sequence:
errno = 0;
sigfillset(&all)
if (errno)
die_errno("sigfillset");
the if() statement will never trigger. Marking that the value
returned by sigfillset() cannot be a constant would document our
intention better and would not break with such a new version of
compiler that is even more "clever". With the marco, the above
sequence can be rewritten:
if (NOT_A_CONST(sigfillset(&all)))
die_errno("sigfillset");
which looks almost like other innocuous annotations we have,
e.g. UNUSED.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
Makefile | 1 +
fbtcdnki.c | 2 ++
git-compat-util.h | 9 +++++++++
meson.build | 1 +
run-command.c | 12 +++++-------
5 files changed, 18 insertions(+), 7 deletions(-)
create mode 100644 fbtcdnki.c
diff --git a/Makefile b/Makefile
index 97e8385b66..2158bf6916 100644
--- a/Makefile
+++ b/Makefile
@@ -1018,6 +1018,7 @@ LIB_OBJS += ewah/ewah_bitmap.o
LIB_OBJS += ewah/ewah_io.o
LIB_OBJS += ewah/ewah_rlw.o
LIB_OBJS += exec-cmd.o
+LIB_OBJS += fbtcdnki.o
LIB_OBJS += fetch-negotiator.o
LIB_OBJS += fetch-pack.o
LIB_OBJS += fmt-merge-msg.o
diff --git a/fbtcdnki.c b/fbtcdnki.c
new file mode 100644
index 0000000000..1da3ffc2f5
--- /dev/null
+++ b/fbtcdnki.c
@@ -0,0 +1,2 @@
+#include <git-compat-util.h>
+int false_but_the_compiler_does_not_know_it_;
diff --git a/git-compat-util.h b/git-compat-util.h
index e283c46c6f..63a3ef6b70 100644
--- a/git-compat-util.h
+++ b/git-compat-util.h
@@ -1593,4 +1593,13 @@ static inline void *container_of_or_null_offset(void *ptr, size_t offset)
((uintptr_t)&(ptr)->member - (uintptr_t)(ptr))
#endif /* !__GNUC__ */
+/*
+ * Prevent an overly clever compiler from optimizing an expression
+ * out, triggering a false positive when building with the
+ * -Wunreachable-code option. false_but_the_compiler_does_not_know_it_
+ * is defined in a compilation unit separate from where the macro is
+ * used, initialized to 0, and never modified.
+ */
+#define NOT_A_CONST(expr) ((expr) || false_but_the_compiler_does_not_know_it_)
+extern int false_but_the_compiler_does_not_know_it_;
#endif
diff --git a/meson.build b/meson.build
index f60f3f49e4..ce642dcf65 100644
--- a/meson.build
+++ b/meson.build
@@ -282,6 +282,7 @@ libgit_sources = [
'ewah/ewah_io.c',
'ewah/ewah_rlw.c',
'exec-cmd.c',
+ 'fbtcdnki.c',
'fetch-negotiator.c',
'fetch-pack.c',
'fmt-merge-msg.c',
diff --git a/run-command.c b/run-command.c
index d527c46175..535c73a059 100644
--- a/run-command.c
+++ b/run-command.c
@@ -516,14 +516,12 @@ static void atfork_prepare(struct atfork_state *as)
sigset_t all;
/*
- * Do not use the return value of sigfillset(). It is transparently 0
- * on some platforms, meaning a clever compiler may complain that
- * the conditional body is dead code. Instead, check for error via
- * errno, which outsmarts the compiler.
+ * POSIX says sitfillset() can fail, but an overly clever
+ * compiler can see through the header files and decide
+ * it cannot fail on a particular platform it is compiling for,
+ * triggering -Wunreachable-code false positive.
*/
- errno = 0;
- sigfillset(&all);
- if (errno)
+ if (NOT_A_CONST(sigfillset(&all)))
die_errno("sigfillset");
#ifdef NO_PTHREADS
if (sigprocmask(SIG_SETMASK, &all, &as->old))
On Fri, Mar 14, 2025 at 03:29:54PM -0700, Junio C Hamano wrote: > ---- >8 ---- > Our hope is that the number of code paths that falsely trigger > warnings with the -Wunreachable-code compilation option are small, > and they can be worked around case-by-case basis, like we just did > in the previous commit. If we need such a workaround a bit more > often, however, we may benefit from a more generic and descriptive > facility that helps document the cases we need such workarounds. > > Side note: if we need the workaround all over the place, it > simply means -Wunreachable-code is not a good tool for us to > save engineering effort to catch mistakes. We are still > exploring if it helps us, so let's assume that it is not the > case. Yup, I very much agree with this, especially the side note. (I'd probably have just dropped patch 2 and gone straight here, but I don't mind leaving it in as documentation of that other direction). > Introduce NOT_A_CONST() macro, with which, the developer can tell > the compiler: > > Do not optimize this expression out, because, despite whatever > you are told by the system headers, this expression should *not* > be treated as a constant. This is definitely better than the other name. I might spell it out as "NOT_A_CONSTANT", just because "const" to me is a variable annotation (for something that _could_ change, but we are not allowed to). Whereas "constant" is something defined to a single value in the program. Maybe splitting hairs, but as somebody who read NOT_A_CONST(foo) I might expect it to be casting away "const" or something. > --- a/Makefile > +++ b/Makefile > @@ -1018,6 +1018,7 @@ LIB_OBJS += ewah/ewah_bitmap.o > LIB_OBJS += ewah/ewah_io.o > LIB_OBJS += ewah/ewah_rlw.o > LIB_OBJS += exec-cmd.o > +LIB_OBJS += fbtcdnki.o That name is a mouthful, for sure. The long name is really an implementation detail. Would calling it not-constant.c or something be more descriptive? (Yes, the macro itself does not appear in the file, but hopefully it links the two semantically in the reader's head). I almost want to suggest a name like "compiler-tricks.c", but part of the point of this particular trick is that there's nothing else in its translation unit. So later when somebody adds another trick, it cannot use this macro. ;) > +/* > + * Prevent an overly clever compiler from optimizing an expression > + * out, triggering a false positive when building with the > + * -Wunreachable-code option. false_but_the_compiler_does_not_know_it_ > + * is defined in a compilation unit separate from where the macro is > + * used, initialized to 0, and never modified. > + */ > +#define NOT_A_CONST(expr) ((expr) || false_but_the_compiler_does_not_know_it_) > +extern int false_but_the_compiler_does_not_know_it_; Good explanation. I do wonder if we'd eventually see a compiler that reaches across translation units to optimize, but I'd hope we probably bought ourselves a decade or two. > diff --git a/run-command.c b/run-command.c > index d527c46175..535c73a059 100644 > --- a/run-command.c > +++ b/run-command.c > @@ -516,14 +516,12 @@ static void atfork_prepare(struct atfork_state *as) > sigset_t all; > > /* > - * Do not use the return value of sigfillset(). It is transparently 0 > - * on some platforms, meaning a clever compiler may complain that > - * the conditional body is dead code. Instead, check for error via > - * errno, which outsmarts the compiler. > + * POSIX says sitfillset() can fail, but an overly clever > + * compiler can see through the header files and decide > + * it cannot fail on a particular platform it is compiling for, > + * triggering -Wunreachable-code false positive. > */ > - errno = 0; > - sigfillset(&all); > - if (errno) > + if (NOT_A_CONST(sigfillset(&all))) > die_errno("sigfillset"); And this looks much nicer and more descriptive. You could probably even get away without the comment, but I certainly do not mind it. s/sitfillset/sigfillset/ in your comment text, though. -Peff
diff --git a/Makefile b/Makefile index 97e8385b66..2158bf6916 100644 --- a/Makefile +++ b/Makefile @@ -1018,6 +1018,7 @@ LIB_OBJS += ewah/ewah_bitmap.o LIB_OBJS += ewah/ewah_io.o LIB_OBJS += ewah/ewah_rlw.o LIB_OBJS += exec-cmd.o +LIB_OBJS += fbtcdnki.o LIB_OBJS += fetch-negotiator.o LIB_OBJS += fetch-pack.o LIB_OBJS += fmt-merge-msg.o diff --git a/git-compat-util.h b/git-compat-util.h index e283c46c6f..63a3ef6b70 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -1593,4 +1593,13 @@ static inline void *container_of_or_null_offset(void *ptr, size_t offset) ((uintptr_t)&(ptr)->member - (uintptr_t)(ptr)) #endif /* !__GNUC__ */ +/* + * Prevent an overly clever compiler from optimizing an expression + * out, triggering a false positive when building with the + * -Wunreachable-code option. false_but_the_compiler_does_not_know_it_ + * is defined in a compilation unit separate from where the macro is + * used, initialized to 0, and never modified. + */ +#define NOT_A_CONST(expr) ((expr) || false_but_the_compiler_does_not_know_it_) +extern int false_but_the_compiler_does_not_know_it_; #endif diff --git a/meson.build b/meson.build index f60f3f49e4..ce642dcf65 100644 --- a/meson.build +++ b/meson.build @@ -282,6 +282,7 @@ libgit_sources = [ 'ewah/ewah_io.c', 'ewah/ewah_rlw.c', 'exec-cmd.c', + 'fbtcdnki.c', 'fetch-negotiator.c', 'fetch-pack.c', 'fmt-merge-msg.c', diff --git a/run-command.c b/run-command.c index d527c46175..535c73a059 100644 --- a/run-command.c +++ b/run-command.c @@ -516,14 +516,12 @@ static void atfork_prepare(struct atfork_state *as) sigset_t all; /* - * Do not use the return value of sigfillset(). It is transparently 0 - * on some platforms, meaning a clever compiler may complain that - * the conditional body is dead code. Instead, check for error via - * errno, which outsmarts the compiler. + * POSIX says sitfillset() can fail, but an overly clever + * compiler can see through the header files and decide + * it cannot fail on a particular platform it is compiling for, + * triggering -Wunreachable-code false positive. */ - errno = 0; - sigfillset(&all); - if (errno) + if (NOT_A_CONST(sigfillset(&all))) die_errno("sigfillset"); #ifdef NO_PTHREADS if (sigprocmask(SIG_SETMASK, &all, &as->old))
Our hope is that the number of code paths that falsely trigger warnings with the -Wunreachable-code compilation option are small, and they can be worked around case-by-case basis, like we just did in the previous commit. If we need such a workaround a bit more often, however, we may benefit from a more generic and descriptive facility that helps document the cases we need such workarounds. Side note: if we need the workaround all over the place, it simply means -Wunreachable-code is not a good tool for us to save engineering effort to catch mistakes. We are still exploring if it helps us, so let's assume that it is not the case. Introduce NOT_A_CONST() macro, with which, the developer can tell the compiler: Do not optimize this expression out, because, despite whatever you are told by the system headers, this expression should *not* be treated as a constant. and use it as a replacement for the workaround we used that was somewhat specific to the sigfillset case. If the compiler already knows that the call to sigfillset() cannot fail on a particular platform it is compiling for and declares that the if() condition would not hold, it is plausible that the next version of the compiler may learn that sigfillset() that never fails would not touch errno and decide that in this sequence: errno = 0; sigfillset(&all) if (errno) die_errno("sigfillset"); the if() statement will never trigger. Marking that the value returned by sigfillset() cannot be a constant would document our intention better and would not break with such a new version of compiler that is even more "clever". With the marco, the above sequence can be rewritten: if (NOT_A_CONST(sigfillset(&all))) die_errno("sigfillset"); which looks almost like other innocuous annotations we have, e.g. UNUSED. Signed-off-by: Junio C Hamano <gitster@pobox.com> --- Makefile | 1 + git-compat-util.h | 9 +++++++++ meson.build | 1 + run-command.c | 12 +++++------- 4 files changed, 16 insertions(+), 7 deletions(-)