Add value-range checks for user-definable macros at compile-time #886
Conversation
Tests passed ✓, Code: 16838 B (+0.0%), Stack: 1448 B (+0.0%), Structs: 800 B (+0.0%)
|
lfs.c
Outdated
| #endif | ||
|
|
||
| #if (LFS_FILE_MAX > 2147483647) | ||
| #warning "LFS_FILE_MAX>2147483647; lfs_file_seek, lfs_file_size, and lfs_file_tell will not function properly." |
There was a problem hiding this comment.
This is only valid in C23 and compiler-dependent before that.
Also, given that some people opt to use -Werror for compilation, this unintentionally breaks their builds.
There was a problem hiding this comment.
I was a little hesitant on this as well; not sure how frequently users change LFS_FILE_MAX, would be open to alternative proposals (or even just fully removing this warning).
There was a problem hiding this comment.
Curiously gcc does not warn about this, usually gcc -Werror -std=c99 -Wall -Wextra -pedantic warns about c99 compat issues. Otherwise CI would have caught this.
https://github.com/littlefs-project/littlefs/actions/runs/6685719140/job/18164313418?pr=886#step:7:50
I wonder why this is...
But @BenBE is right, there's already enough requests for C89 support, we need to stick to C99.
Alternative proposal: we can just remove the
It's a desperate attempt to stretch out what 32-bits can do, but I already have some plans to eventually add a 64-bit mode, and that will probably be a better way to support larger file sizes when needed.
Worst case, if someone does depend on this we can always revert.
There was a problem hiding this comment.
I'm in favor of removing >2**31 support for the reasons you outlined.
It's actually not referenced in |
Rechecked the |
|
Point taken SPEC.md could document these limits better, but I don't think lfs.h/lfs.c should reference SPEC.md. They should both contain copies of all relevant documentation so a reader doesn't need to jump between documents. If lfs.h/lfs.c and SPEC.md fall out of sync you have bigger problems. I'm curious, is there an issue with putting these in lfs.h? Then they could be next to the relevant comments. If not (multiple include warning spam?), then maybe just a comment saying something like "Must fit in 10-bits with 1023 reserved, i.e. <= 1022." is sufficient. |
lfs.c
Outdated
| #endif | ||
|
|
||
| #if (LFS_FILE_MAX > 2147483647) | ||
| #warning "LFS_FILE_MAX>2147483647; lfs_file_seek, lfs_file_size, and lfs_file_tell will not function properly." |
There was a problem hiding this comment.
nit: Must fit in 80-column width:
#warning "LFS_FILE_MAX>2147483647; lfs_file_seek, lfs_file_size, and \
lfs_file_tell will not function properly." I should really get around to adding a lint for this...
geky
added
enhancement
needs minor version
I wanted to keep the header file clean and focus on the library API. I didn't want to crowd the header file with sanity checks, but I'm open to either option. |
Tests passed ✓, Code: 16838 B (+0.0%), Stack: 1448 B (+0.0%), Structs: 800 B (+0.0%)
|
That makes sense, I think you're right these should probably stay in the .c file. Controversial thought: What if these were runtime asserts and live in lfs_init? That way they live with all of the other configuration-level asserts. And while they do have a cost at runtime... in theory runtime asserts have no cost when it matters. Unrelated, how badly do you want this in the next minor release? I think think the next minor release can be cut pretty much whenever. |
You mean just from an organizational standpoint? Seems fine by me. This wouldn't even make it to the compiled code since these all get handled by the preprocessor, so there wouldn't be any runtime impact.
I don't have any strong opinions, would just like these asserts to make it into the codebase at some point so other people avoid making stupid mistakes 😄 |
lfs_init handles the checks/asserts of most configuration, moving these checks near lfs_init attempts to keep all of these checks nearby each other. Also updated the comments to avoid somtimes-ambiguous range notation. And removed negative bounds checks. Negative bounds should be obviously incorrect, and 0 is _technically_ not illegal for any define (though admittedly unlikely to be correct).
I think realistically no one is using this. It's already only partially supported and untested. Worst case, if someone does depend on this we can always revert.
geky
added
next minor
and removed
needs minor version
I was thinking more make these actual runtime asserts, but I've compromised by just moving them near lfs_init. Compile-configuration needs a rework anyways (#491 is related). I've updated this PR with what was discussed in the PR. Feel free to let me know if anything looks wrong. I think this can make it into the next minor release. One maybe controversial change: I removed the check against <=0:
Anyways, let me know if anything looks concerning, otherwise I'm happy to merge this PR into the next minor release. |
Tests passed ✓, Code: 16828 B (+0.0%), Stack: 1448 B (+0.0%), Structs: 800 B (+0.0%)
|
|
Looks good to me, I think your reasoning is sound. The upper limits are much more easily broken by accident, and are the more important checks. |
|
This is on master now, thanks for the PR! |
Added some sanity check for the user-providable
#definemacro values.This was brought up due to a bug introduced by yours truly 💅 jrast/littlefs-python#61