-
Notifications
You must be signed in to change notification settings - Fork 399
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a bunch of sanity checks #696
base: master
Are you sure you want to change the base?
Conversation
@@ -318,11 +324,17 @@ static void register_string_error_to_buffer(wchar_t **error_buffer, const WCHAR | |||
|
|||
static void register_winapi_error(hid_device *dev, const WCHAR *op) | |||
{ | |||
if (!dev) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
functions like this are used only internally
is it even possible accidentally pass an invalid dev
here? I'm pretty sure if the user passes an invalid or NULL dev
into any of the hid_*
functions - there woud be an undefined behavior (crash) way before we get here in most places...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know, I didn't discriminate when I added these.
In my opinion there shouldn't be any function without sanity checks.
It's not unthinkable that this was possible before I added the other checks after all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In my opinion there shouldn't be any function without sanity checks.
That is actually debatable. Most of the checks in this PR are actually do more harm then help.
See my other comment below.
3d3da2e
to
0a8063f
Compare
I think I made all the necessary changes. |
libusb/hid.c
Outdated
@@ -546,8 +558,10 @@ static void fill_device_info_usage(struct hid_device_info *cur_dev, libusb_devic | |||
get_usage(hid_report_descriptor, res, &page, &usage); | |||
} | |||
|
|||
cur_dev->usage_page = page; | |||
cur_dev->usage = usage; | |||
if (cur_dev) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
early return here as well - it doesn't make sense to call this function with NULL cur_dev at all
linux/hid.c
Outdated
if (!dev) | ||
return -1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
all public API (specifically functions that accept hid_device *
as first argument):
- do not make sens to call with non-valid
dev
- should register an error string in case if anything goes wrong, so the user could use
hid_error
to check what went wrong in case if-1
is returned
I do not support having this checks for all public API functions (marked with HID_API_CALL
/HID_API_EXPORT_CALL
).
We always assume that the dev
should be valid, and that is up to the user to make sure it is. (It is fairly easy to implement in other languages that wrap this library w/o any additional runtime checks by using e.g. class invariant).
The only exception is hid_close
function - similar to free
it should gracefully accept NULL-device.
All other functions the accept hid_device *
as an argument called from public API function should use the same assumption, that the dev
is valid and doesn't require extra checks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given that most of these functions already have sanity checks including hid_error for other parameters, I kept the checks and added report_global_error calls.
if (!dev) { | ||
register_global_error(L"Device is NULL"); | ||
return -1; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is 100% not a supported scenario and should not be handled explicitly in such way
pieces like this create too much "noise/distraction" in the code that actually makes the overall implementation worse than better
please revert
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So you'd rather have a hard crash on this than an error that the user can actually catch...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me rephrase that (and that is not only my opinion, but rather shared experience of many developers/projects I've seen):
if I as a user messed up some implementation - I'd rather get a crash immediately (and have a chance to fix it immediatelly), that a silent error (often hidden due to lack of error-handling code) which is missed and then the real problem (the one that affects some business scenarios on your application) hits later when something slightly changed in a different part of my application.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can remove it then. Although I would probably have to double check if there isn't an unguarded call to this.
I can make a separate PR with the obvious changes that don't need discussion (like the malloc ptr checks).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can make a separate PR with the obvious changes that don't need discussion (like the malloc ptr checks).
Great idea, lets start with that.
NOTE: in #698 I've added some of those |
df576f8
to
df2d4d0
Compare
If you tell me what to keep and what to remove I can adjust this soon |
Some of these changes are meant to fix a couple of warnings while reading the code.
I also noticed that there were almost no sanity checks in the code, which may lead to lots of segfaults in user code.