bug#8401: removing duplication and improving the readlink code

[Paul Eggert <eggert@cs.ucla.edu>]

On 04/01/2011 12:38 PM, Eli Zaretskii wrote:

> the functions you introduce use malloc/realloc,
> which I think will prevent their callers from being safe for
> asynchronous calls triggered by external events (mouse etc.).

No, because the functions always use Emacs xmalloc / xrealloc when
Emacs invokes them.  This is because emacs_readlink tells the
lower-level primitives to use xmalloc and xrealloc.

>> That doesn't suffice; the code should not only use ssize_t for
>> readlink's returned value, but it should also use size_t for the
>> buffer size
> 
> Well, let's use that as well, then.

What I sense that you're suggesting, is that we take all the fixes in
the gnulib code, and port them all into the two duplicates of similar
code that's in Emacs.  That would be an error-prone process and would
leave us with three copies of the code to maintain.  It's better to
have just one copy of the code.

> Are we really going to consider seriously the case of a link name
> overflowing a 64-bit ssize_t data type?

As a general rule, GNU code shouldn't have arbitrary limits, and
should defend against limits in underyling systems.  Emacs is not
as good as it should be about this, and I'm trying to make it better.
This is just one example of many, found by static checking, and we
might as well fix it while we're fixing all the others.

> But why do we need to introduce the allocator and careadlinkat
> modules, and all the nested function calls needed for them, just to
> protect a simple code fragment from overflowing?

It's more reliable to put the overflow checks in one place, where they
can be carefully checked, than to duplicate the code in multiple
places where it's easy for programmers to get it wrong.

> We could refactor the duplicated code into a short function, and use
> that.

That's what's being done here.  The function does even more than that,
though, as it avoids the need to call malloc and free entirely, in the
usual case.  This is a performance win in the typical case.

> please restructure the code so that neither allocator.h nor
> careadlinkat are not used on platforms whose readlink is an
> always-fail stub.

That's not possible to do, unless we add more "#ifdef DOS_NT"s to the
mainstream code.  But that would be undesirable.  The mainstream code
should be written for the usual case, and platforms that lack the
necessary primitives should supply their own stubs (which may always
fail, but that's OK).  That is standard porting technology, and it's
an improvement over sprinking #ifdefs throughout the mainstream code.