From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1iWiHH-0008TP-6c for mharc-grub-devel@gnu.org; Mon, 18 Nov 2019 09:45:19 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:59797) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iWiHE-0008TF-MS for grub-devel@gnu.org; Mon, 18 Nov 2019 09:45:17 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iWiHD-0006jF-G5 for grub-devel@gnu.org; Mon, 18 Nov 2019 09:45:16 -0500 Received: from dibed.net-space.pl ([84.10.22.86]:53683) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_3DES_EDE_CBC_SHA1:24) (Exim 4.71) (envelope-from ) id 1iWiHD-0006iZ-4s for grub-devel@gnu.org; Mon, 18 Nov 2019 09:45:15 -0500 Received: from router-fw.i.net-space.pl ([192.168.52.1]:49906 "EHLO tomti.i.net-space.pl") by router-fw-old.i.net-space.pl with ESMTP id S1928876AbfKROpI (ORCPT ); Mon, 18 Nov 2019 15:45:08 +0100 X-Comment: RFC 2476 MSA function at dibed.net-space.pl logged sender identity as: dkiper Date: Mon, 18 Nov 2019 15:45:05 +0100 From: Daniel Kiper To: Patrick Steinhardt Cc: grub-devel@gnu.org, Max Tottenham Subject: Re: [PATCH v3 2/6] json: Implement wrapping interface Message-ID: <20191118144505.wkgvcsexmhoolvn2@tomti.i.net-space.pl> References: <680b5add59a40fbe3dc77f8ef5eb826849fe0d37.1573651222.git.ps@pks.im> <20191114123718.bzps5ucvdqvxivcu@tomti.i.net-space.pl> <20191114131239.GA3036@ncase> <20191115115640.y2ifpcoflhlkdatq@tomti.i.net-space.pl> <20191115123618.GA2733@ncase> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20191115123618.GA2733@ncase> User-Agent: NeoMutt/20170113 (1.7.2) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 84.10.22.86 X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Nov 2019 14:45:18 -0000 On Fri, Nov 15, 2019 at 01:36:18PM +0100, Patrick Steinhardt wrote: > On Fri, Nov 15, 2019 at 12:56:40PM +0100, Daniel Kiper wrote: > > On Thu, Nov 14, 2019 at 02:12:39PM +0100, Patrick Steinhardt wrote: > > > On Thu, Nov 14, 2019 at 01:37:18PM +0100, Daniel Kiper wrote: > > > > On Wed, Nov 13, 2019 at 02:22:34PM +0100, Patrick Steinhardt wrote: > [snip] > > > > > + } > > > > > + return GRUB_JSON_UNDEFINED; > > > > > +} > > > > > + > > > > > +grub_err_t > > > > > +grub_json_getchild(grub_json_t *out, const grub_json_t *parent, grub_size_t n) > > > > > +{ > > > > > + jsmntok_t *p = &((jsmntok_t *)parent->tokens)[parent->idx]; > > > > > > > > Should not you check parent for NULL first? Same thing for functions > > > > above and below. > > > > > > I'm not too sure about this. Calling with a NULL pointer wouldn't > > > make any sense whatsoever, as you cannot get anything from > > > nothing. It would certainly be the more defensive approach to > > > check for NULL here, and if that's GRUB's coding style then I'm > > > fine with that. If not, I'd say we should just crash with NPE to > > > detect misuse of the API early on. > > > > You are not able to predict all cases. So, I am leaning toward to have > > checks for NULL than crashing GRUB randomly because we have not checked > > for it. > > Fair enough, will do. > > > > > > + grub_size_t offset = 1; > > > > > + > > > > > + if (n >= (unsigned) p->size) > > > > > > > > Should not you cast to grub_size_t? Or should n be type of p->size? > > > > Then you would avoid a cast. > > > > > > I find the choice of `int` quite weird on jsmn's side: there's > > > not a single place where the size field is getting a negative > > > assignment. So if you ask me, `size_t` or even just `unsigned > > > int` would have been the better choice here, which is why I just > > > opted for `grub_size_t` instead in our wrapping interface. > > > > If jsmn is using something "intish" then I think that we should use > > grub_ssize_t. Even if variables of a such type does not get negative > > values right now. > > > > > But you're right, I should cast to `grub_size_t` instead of > > > `unsigned` to make it a bit clearer here. > > > > ...grub_ssize_t then? > > The question is whether we want a near 1:1 mapping here or > something that makes sense (even though making sense is > subjective). I tend towards the latter one of doing the right > thing, mostly because I cannot make sense of a negative value > here. For an array, getting the -1'th child doesn't make sense, > so we'd have to extend the current check like following: > > if (n < 0 || n >= p->size) > return -1; > > If not checking for `n < 0`, we'd iterate children until `n` > overflows and reaches `-1` eventually, which would result in > out-of-bounds reads. So as we currently cannot make any sense of > that value, I tend to just say that `grub_size_t` is the correct > type here even though it mismatches what jsmn is doing. > > That being said, we could certainly define what a negative value > would do, like e.g. `-1` would get the first child from the rear > of the array. But that wouldn't match what jsmn uses `size` for, > either. In general I agree with you. However, if jsmn uses ints for indexes then I would do the same in the GRUB. Otherwise, if jsmn starts using negative values for something we can be badly surprised. And of course you can ask jsmn author why he decided to use ints for indexes. I am also interested in hearing why he did it. Daniel