On 06/23/2017 02:25 PM, Eduardo Habkost wrote: > On Fri, Jun 23, 2017 at 01:45:57PM -0300, Philippe Mathieu-Daudé wrote: >> then abort calling error_setg() > > I don't understand the reasons for this. This commit message says > "what" and "how", but not "why". >
>> - assert(n >= 0 && n < gpio_list->num_in);
>> + assert(n >= 0);
>> + if (n >= gpio_list->num_in) {
>> + error_setg(&error_abort, "Invalid gpio #%d (of %d) for %s",
>> + n, gpio_list->num_in, name ? name : "device");
>
> Why exactly assert() is ok for (n < 0), but not for
> (n >= gpio_list->num_io)?
>
> If you have reasons to believe (n >= gpio_list->num_in) can be triggered
> by user input, then abort() isn't an appropriate way to handle it.
What's more, error_setg(&error_abort) should not be used. Yes, a quick
grep for 'error_setg.*error_abort' shows that we have a couple of bad
examples in the tree that should be patched, but it also finds that
include/qapi/error.h states:
* Please don't error_setg(&error_fatal, ...), use error_report() and
* exit(), because that's more obvious.
* Likewise, don't error_setg(&error_abort, ...), use assert().
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
signature.asc
Description: OpenPGP digital signature
