On 2023-01-13 14:59, Bruno Haible wrote:
Replacing a function that starts with an entry check — which is a good
practice [1]
It's a good practice in some contexts, bad in others.
In this particular case, on practical Gnulib targets the input should be
checked anyway, both statically by the compiler at the call point and
dynamically by the MMU.
There is a downside of the extra runtime check, in that if static
checking is disabled (a mistake if you ask me, but many people do it),
then the calling code won't immediately crash like it should. Instead,
the function simply sets errno and returns, and the calling code might
go on to do the wrong thing because there's a lot of sloppy calling code
that either doesn't check errno or that has never been tested to do the
right thing when the function fails.
So my guess is that for this particular case on practical hosts, the
additional runtime check is more likely to introduce a security bug,
than to prevent one. Of course this is just a guess. But that's why I
wrote the patch the way I did.
