review request (M) 6888954 - arg formatting for assert

John Coomes John.Coomes at sun.com
Mon Oct 12 16:25:00 PDT 2009


Tom Rodriguez (Thomas.Rodriguez at Sun.COM) wrote:
> Can you explain the lifetime of the buffer returned by the const char*  
> conversion?  Offhand it doesn't seem safe to me.

The temporary object created by err_msg() is destroyed at the end of
evaluation of the full expression that contains it.  In this case, the
containing full expression is the call to report_vm_error(), so the
buffer is live until report_vm_error() completes.

> I don't think fatal(err_msg(a, b)) is an improvement over fatal1(a,
> b) but then I would have been fine with assert1 and friends. ...

I'd rather not count arguments.  If it were just fatal1, I might live
with it.  But when you get to fatal4, fatal5, ..., and then multiply
that by guarantee and assert, there should be something better.

> ... You
> could make fatal appear variadic with some other macro tricks.
> 
> #define fatal \
>    begin_failure(__FILE__, __LINE__) && report_fatal
> 
> report_fatal would expect to get file and line from some thread local  
> buffer where it was cached by begin_failure.  Alternatively you could  
> have a stack allocated object with a report_fatal method and use dot  
> instead of and.

The syntax at the use point is better.  Of the two, I like the latter
as it's more localized.

Both would treat the current string literals as format strings, which
would require auditing; the gcc __attribute__((format)) mechanism
(suggested by Ian Rogers) would help for shared and linux-specific
code.  Also, using a normal macro instead of a function-like macro
would replace non-function-like uses:

$ cat x.cc
#define fatal(a) printf(a)
#define fatalx   printf
int main(int argc, char **argv) { int fatal = 0; int fatalx = 0; return 0; }
$ CC -E x.cc
int main ( int argc , char * * argv ) { int fatal = 0 ; int printf = 0 ; return 0 ; } 

So it would prohibit variables and fields named assert, fatal,
guarantee, etc.  We could probably live with it, but it's worth
pointing out.

Other opinions?

-John

> On Oct 10, 2009, at 4:21 PM, John Coomes wrote:
> 
> > 6888954: argument formatting for assert() and friends
> >
> > Enable argument formatting for assert(), guarantee() and related
> > macros.
> >
> > http://cr.openjdk.java.net/~jcoomes/6888954-assert-args/
> >
> > -John
> >
> 
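The two points in the reply above (the err_msg() temporary living only until the end of the full expression that contains it, and a function-like macro leaving plain identifiers such as a variable named fatal alone) as a small compilable illustration. This is added example code, not John's or HotSpot's; ErrMsg, report_vm_error() and the PRINTF_LIKE macro are hypothetical stand-ins for the real err_msg()/report_vm_error(), and the gcc format attribute is the mechanism Ian Rogers suggested for auditing the format strings.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>

// gcc/clang only: lets the compiler check format strings against their
// arguments, the auditing aid the thread mentions.  Empty elsewhere.
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, first_arg) __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

// Hypothetical stand-in for err_msg(): formats into a buffer owned by the
// temporary object and converts to const char*.  The temporary, and so the
// buffer, is destroyed at the end of the full expression it appears in.
class ErrMsg {
  char buf_[256];
 public:
  // For a member function the implicit 'this' is argument 1, so the format
  // string is argument 2 and the variadic arguments start at 3.
  PRINTF_LIKE(2, 3)
  ErrMsg(const char* fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf_, sizeof buf_, fmt, ap);
    va_end(ap);
  }
  operator const char*() const { return buf_; }
};

// Hypothetical stand-in for report_vm_error(): it is done with 'msg' before
// it returns, i.e. still inside the same full expression, so the buffer is
// live for the whole call.
std::string report_vm_error(const char* file, int line, const char* msg) {
  char out[384];
  snprintf(out, sizeof out, "%s:%d: %s", file, line, msg);
  return std::string(out);
}

// Function-like macro: only expands when the name is followed by '('.
#define fatal(msg) report_vm_error(__FILE__, __LINE__, msg)

std::string checked_value(int expected, int actual) {
  // Safe: the ErrMsg temporary is alive until report_vm_error() returns.
  if (expected != actual)
    return fatal(ErrMsg("expected %d but got %d", expected, actual));
  return "ok";
}

// To keep a message past the temporary's lifetime, copy the characters while
// the temporary is still alive (inside the same full expression).  Storing
// the const char* itself and using it after the ';' would be a dangling read.
std::string keep_message(int code) {
  std::string kept(static_cast<const char*>(ErrMsg("error code %d", code)));
  return kept;
}

// With a function-like macro a local named 'fatal' is left untouched; with an
// object-like '#define fatal report_fatal' it would be rewritten, as the
// 'CC -E' output in the thread shows for fatalx.
int count_locals() {
  int fatal = 0;  // not followed by '(' so the macro does not apply
  return fatal;
}
```

Compiling with gcc or clang and -Wformat, a mismatch such as ErrMsg("%s", 42) is reported at compile time, which is the audit the thread says the existing string literals would otherwise need by hand.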