Re: [PATCH 1/2] introduce "banned function" list
From: Eric Sunshine <hidden>
Date: 2018-07-19 22:00:01
On Thu, Jul 19, 2018 at 5:27 PM Jeff King [off-list ref] wrote:
On Thu, Jul 19, 2018 at 05:11:15PM -0400, Eric Sunshine wrote:quoted
On Thu, Jul 19, 2018 at 4:39 PM Jeff King [off-list ref] wrote:quoted
+ * This header lists functions that have been banned from our code base, + * because they're too easy to misuse (and even if used correctly, + * complicate audits). Including this header turns them into compile-time + * errors.When the above talks about "including this header", the implication is that it must be included _after_ the system header(s) which declare the banned functions. I wonder if that requirement should be stated here explicitly.Hmm, does it need to be? I had originally intended it to be included before, actually, though in the end I put it later. I guess it would yield declarations like strcpy_is_banned(), which would cause _different_ errors (probably link-time ones).
Yes, that's what I meant. You'd only get link-time errors if banned.h was included before the system headers (assuming I'm thinking about this correctly).
quoted
(Probably not worth a re-roll.)Yeah, I doubt it matters much either way, since the inclusion is done automatically in git-compat-util.h.
Exactly.
I had also originally imagined this to be triggered via DEVELOPER=1, with something like "-include banned.h" in CFLAGS. But I think it probably is appropriate for everybody to run it, since it shouldn't cause any false positives or other compilation issues.
Agreed.
The one I brainstormed (but forgot to mention) is that it might be possible for a platform to have strcpy as a macro already? In which case we'd need to #undef it or risk a compilation error (even if the macro isn't actually used).
I have some recollection (perhaps long outdated or just wrong) of Microsoft headers spewing deprecation warnings about "unsafe" functions. I don't know whether they did that by covering functions with macros or by decorating the function with a deprecation attribute or by some other mechanism, but such concern seems well-founded. #undef'ing them might indeed be a very good preventative tactic.