n-api: fix warning about size_t compare with int #15508
Conversation
nodejs-github-bot
added
c++
src/node_api.cc
Outdated
| @@ -920,13 +920,13 @@ NAPI_NO_RETURN void napi_fatal_error(const char* location, | |||
| size_t message_len) { | |||
| char* location_string = const_cast<char*>(location); | |||
| char* message_string = const_cast<char*>(message); | |||
| if (location_len != -1) { | |||
| if (static_cast<int>(location_len) != -1) { | |||
There was a problem hiding this comment.
size_t might allow for larger values than signed ints and we're wrongly casting 2^n-1 to -1 (where n is how big size_t is). If we want to allow -1 here, why don't we change the parameter type? Or could we use 0 instead of -1 to signal that we don't want to set the message_string?
src/node_api.cc
Outdated
| @@ -920,13 +920,13 @@ NAPI_NO_RETURN void napi_fatal_error(const char* location, | |||
| size_t message_len) { | |||
| char* location_string = const_cast<char*>(location); | |||
| char* message_string = const_cast<char*>(message); | |||
| if (location_len != -1) { | |||
| if (static_cast<int>(location_len) != -1) { | |||
| location_string = reinterpret_cast<char*>( | |||
| malloc(location_len * sizeof(char) + 1)); | |||
There was a problem hiding this comment.
Aside: sizeof(char) is 1 by definition and reinterpret_cast is overkill here, static_cast would have sufficed.
What's more, I don't understand why this code makes copies. This function does not return. It seems like completely unneeded complexity.
There was a problem hiding this comment.
The reason for doing copy here is to account for strings that are not null terminated.
There was a problem hiding this comment.
Okay, but the other two points still stand. As well, you don't handle nullptr return values. If you use node::Malloc(), that's taken care of.
Or use std::string, that will also stop Coverity from complaining about memory leaks.
|
@sampsongao can you look at the types that are used by the similar calls in V8 that already had the -1 as the option to indicate null terminated ? We were already passing through -1 to those calls and maybe we need to use the same type here. |
|
Talking with Sampson, in many cases we just pass the -1 on to an v8 call so I don't think we'd want to switch to using 0 instead as then we'd need code to covert. It may make sense to just change the type to int. I think we discussed size_t versus int before but we may not have factored in that -1 is not valid for size_t |
It's valid (it wraps around to
What about other engines? Abstracting away such details is the point of n-api, isn't it? |
|
For some APIs that take a string length, for example Should we consider |
|
What's wrong with passing the size explicitly? The only reason I can think of is programmer ergonomics but passing |
|
We'd discussed the options in the past and agreed to support the -1 shortcut in the way that V8 does. The latest PR was just to make it consistent across the board. I think we should fix up the type problem and then discuss if we should remove the shortcut completely in a later PR. |
That would be fine with me also. In most cases the C++ wrapper would make that automatic anyway. But if we do that we should probably still detect when -1 is passed in, because the compiler usually won't complain and string APIs in many libraries do support it, so people may assume it works with N-API. Or we could document that |
|
SIZE_MAX would be fine with me as long as that works in the cases were we pass it on to V8 and its sounds like that will be the case. |
|
We discussed in N-API meeting today. Here is what we'd like to do
|
|
Lets update this PR to do 1-3 and I will submit a separate PR to update the doc. |
|
CI run: https://ci.nodejs.org/job/node-test-pull-request/10192/ @bnoordhuis, @fhinkel can you take a another look, we'd like this to make it into 8.6 which is going out next tuesday. |
src/node_api.cc
Outdated
| @@ -120,13 +120,14 @@ struct napi_env__ { | |||
| #define CHECK_NEW_FROM_UTF8_LEN(env, result, str, len) \ | |||
| do { \ | |||
| auto str_maybe = v8::String::NewFromUtf8( \ | |||
| (env)->isolate, (str), v8::NewStringType::kInternalized, (len)); \ | |||
| (env)->isolate, (str), v8::NewStringType::kInternalized, \ | |||
| static_cast<int>(len)); \ | |||
There was a problem hiding this comment.
It would be nice to have a static_assert(static_cast<int>(NAPI_AUTO_LENGTH) == -1) somewhere
There was a problem hiding this comment.
@addaleax that is a good idea.
Do you think it would make sense to add it just after
namespace {
namespace v8impl {
in node_api.cc
along with a comment indicating the v8 implementation of n-api depends on it being true ?
There was a problem hiding this comment.
@mhdawson I like to put that near where it’s actually used (i.e. around here) but feel free to put it wherever you like :)
There was a problem hiding this comment.
I was thinking you had somewhere else in mind, I'm good with it going into the macro itself
|
centos failures are #15505 |
|
Windows fanned failure was unrelated created - #15558 |
|
Arm failure was an infra issue, not test related. So overall CI looks good. |
src/node_api.cc
Outdated
| std::string location_string; | ||
| std::string message_string; | ||
|
|
||
| if (static_cast<int>(location_len) != NAPI_AUTO_LENGTH) { |
There was a problem hiding this comment.
I don't think that size_t always fits into an int. Why do we need to cast here? (Feel free to land once this is addressed if I don't get around to change my review to approve in time.)
There was a problem hiding this comment.
I agree it should not be needed in this check. In places where it is passed on to v8 then it is needed.
There was a problem hiding this comment.
@mhdawson No, the issue isn’t that it’s in the wrong place – it’s that a downcast is a real bug here, because it truncates location_len
There was a problem hiding this comment.
@addaleax, to clarify we know that size_t does not fit into an int, so where its going to be passed to v8 a cast is required to avoid warnings. In this case we should just be comparing NAPI_AUTO_LENGTH directly against location_len.
There was a problem hiding this comment.
@mhdawson Yeah, but we can’t just downcast without any checks in this case. Imagine a platform that has 32-bit int, and 64-bit size_t. When an addon tries to create a N-API string that contains (2^32 + 1) characters – not knowing that that doesn’t work, because, how would it tell? – N-API would currently silently truncate that size argument to 1, and happily create a one-character string. I think that qualifies as a bug.
There was a problem hiding this comment.
I think I'm still missing something here, sorry. If we change to be:
if (location_len != NAPI_AUTO_LENGTH)
is it that there is a problem later on ?
Make checks directly against NAPI_AUTO_LENGTH Add assert Remove one check in unrelated napi function that was causing a warning and is not needed
|
Pushed change to address comments (I think) |
|
New ci run to make sure assert validates we have the right behavior on all platforms: https://ci.nodejs.org/job/node-test-pull-request/10206/ |
|
Latest CI run was good, only failure is known pre-existing problem on centos |
| auto str_maybe = v8::String::NewFromUtf8( \ | ||
| (env)->isolate, (str), v8::NewStringType::kInternalized, (len)); \ | ||
| (env)->isolate, (str), v8::NewStringType::kInternalized, \ | ||
| static_cast<int>(len)); \ |
There was a problem hiding this comment.
@mhdawson The issue remains that this static_cast is invalid if len > INT_MAX && len != NAPI_AUTO_LENGTH, there needs to code that checks for that condition and errors out if it is met … if necessary, I guess that can be done in a subsequent PR, but it’s a bug that ought to be fixed.
There was a problem hiding this comment.
@addaleax thanks for the clarification, will look at that. Since we want to have the breaking changes in before 8.6 and we are almost out of time I may do it in a follow up PR, but I'll see on Monday.
There was a problem hiding this comment.
I think this check may do the trick
RETURN_STATUS_IF_FALSE((env), len <= INT_MAX, (napi_invalid_arg));
There was a problem hiding this comment.
I do think you need to check for NAPI_AUTO_LENGTH because that value is usually larger than INT_MAX :) But yes, something like that sounds good
There was a problem hiding this comment.
@addaleax agreed I also need to check for NAPI_AUTO_LENGTH. I'm going to land this PR to make sure we don't fix the Tuesday cutoff, and I'll submit a separate one to fix the bug caused by the cast on Monday.
There was a problem hiding this comment.
To be clear, the current check does not have well-defined behavior. Compiler A might do the right thing, compiler B might do something completely different. IOW, this is not release-ready code.
PR-URL: #15508 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
Landed as a406a32 Will leave open until I open follow on PR on monday. |
|
PR to add check on length #15611 |
PR-URL: #15508 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
PR-URL: nodejs/node#15508 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
PR-URL: nodejs#15508 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Backport-PR-URL: #19447 PR-URL: #15508 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)