@@ -5123,8 +5123,8 @@ int apply_parse_options(int argc, const char **argv,
/* Think twice before adding "--nul" synonym to this */
OPT_SET_INT('z', NULL, &state->line_termination,
N_("paths are separated with NUL character"), '\0'),
- OPT_INTEGER('C', NULL, &state->p_context,
- N_("ensure at least <n> lines of context match")),
+ OPT_UNSIGNED('C', NULL, &state->p_context,
+ N_("ensure at least <n> lines of context match")),
OPT_CALLBACK(0, "whitespace", state, N_("action"),
N_("detect new or modified lines that have whitespace errors"),
apply_option_parse_whitespace),
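Review bot: Moving `-C` from `OPT_INTEGER` to `OPT_UNSIGNED` changes which arguments are accepted, and neither this hunk nor the commit message says what now happens to a negative value. With the old macro a value such as `-1` would presumably have ended up in the unsigned field as a very large count. If `OPT_UNSIGNED` rejects it (the parser is not visible here), that is a user-visible change that deserves a sentence in the message, for example `Negative values for these options are now rejected instead of being converted to a large unsigned number.` A test that passes a negative and an out-of-range value and expects an error would pin the behaviour. The same applies to `--min-batch-size`, `--raw-mode`, `-B` and `-A` in the following hunks; the option table of `apply_parse_options` continues outside this hunk.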
@@ -123,8 +123,8 @@ int cmd_backfill(int argc, const char **argv, const char *prefix, struct reposit
.sparse = 0,
};
struct option options[] = {
- OPT_INTEGER(0, "min-batch-size", &ctx.min_batch_size,
- N_("Minimum number of objects to request at a time")),
+ OPT_UNSIGNED(0, "min-batch-size", &ctx.min_batch_size,
+ N_("Minimum number of objects to request at a time")),
OPT_BOOL(0, "sparse", &ctx.sparse,
N_("Restrict the missing objects to the current sparse-checkout")),
OPT_END(),
@@ -31,7 +31,7 @@ int cmd_column(int argc,
struct option options[] = {
OPT_STRING(0, "command", &real_command, N_("name"), N_("lookup config vars")),
OPT_COLUMN(0, "mode", &colopts, N_("layout to use")),
- OPT_INTEGER(0, "raw-mode", &colopts, N_("layout to use")),
+ OPT_UNSIGNED(0, "raw-mode", &colopts, N_("layout to use")),
OPT_INTEGER(0, "width", &copts.width, N_("maximum width")),
OPT_STRING(0, "indent", &copts.indent, N_("string"), N_("padding space on left border")),
OPT_STRING(0, "nl", &copts.nl, N_("string"), N_("padding space on right border")),
@@ -983,9 +983,9 @@ int cmd_grep(int argc,
OPT_CALLBACK('C', "context", &opt, N_("n"),
N_("show <n> context lines before and after matches"),
context_callback),
- OPT_INTEGER('B', "before-context", &opt.pre_context,
+ OPT_UNSIGNED('B', "before-context", &opt.pre_context,
N_("show <n> context lines before matches")),
- OPT_INTEGER('A', "after-context", &opt.post_context,
+ OPT_UNSIGNED('A', "after-context", &opt.post_context,
N_("show <n> context lines after matches")),
OPT_INTEGER(0, "threads", &num_threads,
N_("use <n> worker threads")),
@@ -110,12 +110,19 @@ DISABLE_WARNING(-Wsign-compare)
# define BARF_UNLESS_COPYABLE(dst, src) \
BUILD_ASSERT_OR_ZERO(__builtin_types_compatible_p(__typeof__(*(dst)), \
__typeof__(*(src))))
+
+# define BARF_UNLESS_SIGNED(var) BUILD_ASSERT_OR_ZERO(((__typeof__(var)) -1) < 0)
+# define BARF_UNLESS_UNSIGNED(var) BUILD_ASSERT_OR_ZERO(((__typeof__(var)) -1) > 0)
#else
# define BARF_UNLESS_AN_ARRAY(arr) 0
# define BARF_UNLESS_COPYABLE(dst, src) \
BUILD_ASSERT_OR_ZERO(0 ? ((*(dst) = *(src)), 0) : \
sizeof(*(dst)) == sizeof(*(src)))
+
+# define BARF_UNLESS_SIGNED(var) 0
+# define BARF_UNLESS_UNSIGNED(var) 0
#endif
+
/*
* ARRAY_SIZE - get the number of elements in a visible array
* @x: the array whose size you want.
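Review bot: `BARF_UNLESS_SIGNED` and `BARF_UNLESS_UNSIGNED` are added without a comment, and in the `#else` branch both expand to `0`, so the signedness check only exists on compilers that take the `__typeof__` branch (the `#if` condition is outside the hunk). A reader of the fallback could assume the option macros are still protected there. I would add a comment above the first pair, in the style of the `ARRAY_SIZE` block below: `/* BARF_UNLESS_SIGNED / BARF_UNLESS_UNSIGNED - fail the build unless var has a signed / unsigned integer type; expands to 0 (no check) when __typeof__ is unavailable */`. It would also help to note that the cast of `-1` is what distinguishes the two cases, since the trick is not obvious at first read.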
@@ -219,7 +219,7 @@ struct option {
.type = OPTION_INTEGER, \
.short_name = (s), \
.long_name = (l), \
- .value = (v), \
+ .value = (v) + BARF_UNLESS_SIGNED(*(v)), \
.precision = sizeof(*v), \
.argh = N_("n"), \
.help = (h), \
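Review bot: The context line right after the new assert still reads `.precision = sizeof(*v)`, with the macro argument unparenthesised, while the added line correctly writes `*(v)`. For an argument such as `p + 1` the two would look at different expressions, so the width recorded in `.precision` could disagree with the type the assert just checked; `.precision = sizeof(*(v)), \` keeps them aligned. The same pairing appears in the `OPTION_UNSIGNED` and `OPTION_MAGNITUDE` hunks below. Note also that the assert covers signedness only, so a correct `.precision` is what carries the width of the variable. The macro definitions start and end outside these hunks.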
@@ -229,7 +229,7 @@ struct option {
.type = OPTION_UNSIGNED, \
.short_name = (s), \
.long_name = (l), \
- .value = (v), \
+ .value = (v) + BARF_UNLESS_UNSIGNED(*(v)), \
.precision = sizeof(*v), \
.argh = N_("n"), \
.help = (h), \
@@ -292,7 +292,7 @@ struct option {
.type = OPTION_MAGNITUDE, \
.short_name = (s), \
.long_name = (l), \
- .value = (v), \
+ .value = (v) + BARF_UNLESS_UNSIGNED(*(v)), \
.precision = sizeof(*v), \
.argh = N_("n"), \
.help = (h), \
It was reported that "t5620-backfill.sh" fails on s390x and sparc64 in a test that exercises the "--min-batch-size" command line option. The symptom was that the option didn't seem to have an effect: we didn't fetch objects with a batch size of 20, but instead fetched all objects at once. As it turns out, the root cause is that `--min-batch-size` uses `OPT_INTEGER()` to parse the command line option. While this macro expects the caller to pass a pointer to an integer, we instead pass a pointer to a `size_t`. This coincidentally works on most platforms, but it breaks apart on the mentioned platforms because they are big endian. This issue isn't specific to git-backfill(1): there are a couple of other places where we have the same type confusion going on. This indicates that the issue really is the interface that the parse-options subsystem provides -- it is simply too easy to get this wrong as there isn't any kind of compiler warning, and things just work on the most common systems. Address the systemic issue by introducing two new build asserts `BARF_UNLESS_SIGNED()` and `BARF_UNLESS_UNSIGNED()`. As the names already hint at, those macros will cause a compiler error when passed a value that is not signed or unsigned, respectively. Adapt `OPT_INTEGER()`, `OPT_UNSIGNED()` as well as `OPT_MAGNITUDE()` to use those asserts. This uncovers a small set of sites where we indeed have the same bug as in git-backfill(1). Adapt all of them to use the correct option. Reported-by: Todd Zullinger <tmz@pobox.com> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Helped-by: SZEDER Gábor <szeder.dev@gmail.com> Helped-by: Jeff King <peff@peff.net> Signed-off-by: Patrick Steinhardt <ps@pks.im> --- apply.c | 4 ++-- builtin/backfill.c | 4 ++-- builtin/column.c | 2 +- builtin/grep.c | 4 ++-- git-compat-util.h | 7 +++++++ parse-options.h | 6 +++--- 6 files changed, 17 insertions(+), 10 deletions(-)