From owner-freebsd-pkg@FreeBSD.ORG Sat Nov 30 10:02:36 2013 Return-Path: Delivered-To: freebsd-pkg@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0FE5EC2F for ; Sat, 30 Nov 2013 10:02:36 +0000 (UTC) Received: from smtp.infracaninophile.co.uk (smtp6.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 8B7461705 for ; Sat, 30 Nov 2013 10:02:35 +0000 (UTC) Received: from seedling.black-earth.co.uk (seedling.black-earth.co.uk [81.2.117.99]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.7/8.14.7) with ESMTP id rAUA2Tx7051426 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Sat, 30 Nov 2013 10:02:29 GMT (envelope-from m.seaman@infracaninophile.co.uk) DKIM-Filter: OpenDKIM Filter v2.8.3 smtp.infracaninophile.co.uk rAUA2Tx7051426 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infracaninophile.co.uk; s=201001-infracaninophile; t=1385805749; bh=5kJPGHKENA8vt7MloY7WKy1zDRcD7UkT8dPyScPeu9k=; h=Date:From:To:Subject:References:In-Reply-To; z=Date:=20Sat,=2030=20Nov=202013=2010:02:20=20+0000|From:=20Matthew =20Seaman=20|To:=20freebsd-pkg@fr eebsd.org|Subject:=20Re:=20[dev]=20about=20unchecked=20functions=2 0calls|References:=20<529909B9.2050007@kaworu.ch>|In-Reply-To:=20< 529909B9.2050007@kaworu.ch>; b=ypVEOXuHBBi7EBw+HH5K6LW02V02K3WY3Q4pSexeRERtiX8DKaIenoMRNzxJUds+O 0rN4FwJAGkXXk2+yaNSOkKBBWWAeZiqiaL/7IHKqiij/ISr0SSAL56h3OPuqekes0o UtlItKIwVjA65ivXgi7oViO1FTcdvEqI0buoQ09s= Message-ID: <5299B7AC.1000603@infracaninophile.co.uk> Date: Sat, 30 Nov 2013 10:02:20 +0000 From: Matthew Seaman User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: freebsd-pkg@freebsd.org Subject: Re: [dev] about unchecked functions calls References: <529909B9.2050007@kaworu.ch> In-Reply-To: <529909B9.2050007@kaworu.ch> X-Enigmail-Version: 1.6 OpenPGP: id=E7F39EBF Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="JFja7vFwEsiMqbQnGtVDBPWSbrvq7dmd7" X-Virus-Scanned: clamav-milter 0.98 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.5 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on lucid-nonsense.infracaninophile.co.uk X-BeenThere: freebsd-pkg@freebsd.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: Binary package management and package tools discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Nov 2013 10:02:36 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --JFja7vFwEsiMqbQnGtVDBPWSbrvq7dmd7 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 29/11/2013 21:40, Alex wrote: > About solutions, the alternatives I have in mind are: >=20 > 1. assume that ENOMEM is fatal. We just abort() as soon as we see it. I= n > that case we should have some kind of xmalloc(3) & Co. and use them > consistently accross all the project. On the pros side it's very easy t= o > do, on the cons it could leave the system in a unclean state (half done= > install / uninstall, corrupted pkg database etc.). abort(3) is almost certainly the wrong answer. If malloc(3) et al fail, then, yes pkg(8) should terminate itself. But it should rollback any pending database transactions and perform other cleanup and generally take care to leave the system in a consistent state. The other critical condition we have to cope with is running out of space on the filesystem. Again the ideal is to leave the system in a consistent state -- no half installed packages and preferably without having deleted a package prior to upgrading it, but failing to install the newer version. (I don't think we can make an absolute guarrantee that won't happen in the general case, but we can make pkg(8) resistant to it (well, we already do), and we could certainly facilitate using features like filesystem snapshots where those are available.) Note 'consistent' here means pretty much treating each package atomically; so we always complete the operation on one package or roll back to the previous one. That's not necessarily going to leave the system in a state with all package dependencies properly fulfilled, but it will mean its in a state where further pkg(8) calls can sort things ou= t. This is by no means an academic consideration: we want to support embedded systems and those may well be quite memory constrained, so handling all that as gracefully as possible is going to be important. > 2. assume that pkg should fail gracefully when ENOMEM occurs. In genera= l > it is considered bad design for a library to abort() (in any case) and > so if part of pkg can be considered as a library (like libpkg suggest b= y > its name) then maybe this is the Right Thing=99 to do. Basically, it me= ans > that functions considered part of the library would return an error cod= e > (EPKG_FATAL) while other "higher part" would gracefully cleanup and exi= t > (using for example err(3)). On the pros side we would have a more robus= t > application, a more reliable library and a cleaner codebase. On the con= s > side it is hard to achieve and time consuming. Yes, indeed. libpkg functions should either succeed or indicate failure by returning an error code. It's up to the calling program to handle the consequences of the failure. > steps could (and should) also be applied for other other calls like > strlcpy(3). However, in order to succeed cooperation is required at Huh? What's wrong with strlcpy(3)? strlcpy is a *good thing* and should be used in preference to strcpy(3) or strncpy(3). Which we generally do already. Similarly snprintf(3) rather than sprintf(3) and similarly bounded functions which won't overrun memory buffers. Matthew --=20 Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey JID: matthew@infracaninophile.co.uk --JFja7vFwEsiMqbQnGtVDBPWSbrvq7dmd7 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.20 (Darwin) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJ8BAEBCgBmBQJSmbe0XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NTNBNjhCOTEzQTRFNkNGM0UxRTEzMjZC QjIzQUY1MThFMUE0MDEzAAoJELsjr1GOGkATzP8P/2MIfz0+gGN0wX62dj9zNtWv jkqBCWZ+dpaVqy/6RUHQdTVIe4xaidCaBxDS6dx8fXHFzyIS78D03+XRGZm3s/25 BQTqaMi2WdVjddKdYqyAc1omS+VlnhS8x6lVsXpErStO9sxkFNptrNzM0hOxDNAX +9KVhJDfYRqvmvuQxEmVVsjFr2BwOdDa1h8dsUYV97o/QmzIjnfaw99TA/baDuSG H/04GCuEXvcrtf1ZdMguM6Ji8pDVf++EISM/f63d6+m8al2ATkB7giwYhJk6/9E7 onVg4wKv9buJs0jL1spFzqT2nUBmGONkOmycY1qIHE5UNPSABUZZ6L7jLzNSe5l8 Xk+eqsZetRBLstFvJzTJnMlzGnOayNE0kSJD2IYOvCUeYHpE7rU0FcY+0wEwEp9k g4hISd9ncVwTZMkfpcG3RMvihpLuDDZzIBCKbNt/D7XODt/KvJDmMIT4WpHRY+iX x0RoFnw0aqS63u+zzZ6FPV2hnIONsQvQ6/YOhGxDkTjGk8EwcpYbh4PEKuJKU06F zLrq0oRv6I6fQ5Jjc0WgQDNd35pORpwc4k8J/YzkV2zAfXNz0sIATplsV9TOCdFD 9HhCG2zKP1DSC92mh+31kZNLyFUM/MFDuXwJNV174fjcOR2ftjQmkx54Bruxuarn 322zY73mddNXpT8dy9qm =tvkm -----END PGP SIGNATURE----- --JFja7vFwEsiMqbQnGtVDBPWSbrvq7dmd7--