LLVM 19 related updates

[cgzones]

No description provided.

[BenBE]

Not really happy with some of the changes. Can you provide a set of compiler messages describing why certain changes were made?

[BenBE]

Suggested change

	unsigned cpu_width = 4 + (unsigned) strlen(number);
	unsigned cpu_width = 4 + (unsigned)strlen(number);

[BenBE]

Suggested change

	unsigned castRes = (unsigned) res;
	unsigned castRes = (unsigned)res;

[BenBE]

Suggested change

	if (*endptr != '\0' || res == ULONG_MAX || errno != 0 || castRes != res) {
	if (*endptr != '\0' || res == ULONG_MAX || errno != 0 || res > UINT_MAX) {

or

Suggested change

	if (*endptr != '\0' || res == ULONG_MAX || errno != 0 || castRes != res) {
	if (*endptr != '\0' || res > UINT_MAX || errno != 0) {

[Explorer09]

@BenBE I would say res >= UINT_MAX because, AFAIK, (uid_t)-1 is invalid.

[BenBE]

That's something the current version didn't check for …

[BenBE]

Given this is user-controlled via a config file, this should be a runtime check (DiD).

[Explorer09]

What does the colon in this uiName string do? And may I replace this strlen call with (size_t)(String_strchrnul(uiName, ':') - uiName) ?

[BenBE]

Given that these both refer to string offsets, we actually should switch to size_t* eventually (DiD).

[Explorer09]

The type after the substraction is technically ptrdiff_t. Casting to int would lose upper bits. Also, it's a signed type. (So size_t won't fit, but maybe ssize_t would.)

[BenBE]

Technically yes, but since tokenBase > cmdline and token > cmdline, both are positive and a cast to size_t wouldn't cause trouble with the sign bit. I'd have to check re sentinel values, but that's another concern.

[Explorer09]

This Process.c specific changes for LLVM 19 compatibility may be superseded by #1588.

[BenBE]

Suggested change

	map_inode = (unsigned int) fast_strtoull_dec(&readptr, 0);
	map_inode = (unsigned int)fast_strtoull_dec(&readptr, 0);

[BenBE]

No blank line here …

[BenBE]

Use ssize_t instead.

[BenBE]

What's wrong with size_t here?

[BenBE]

Shouldn't this be updated to size_t here too (I know this would add a cast to this->items).

[Explorer09]

Before I can suggest a better code for this, I need one behavior clarified:
Is username being an empty string acceptable here?
Because strtoul would not produce an error for the empty string. It would happily return 0 as the result.

[Explorer09]

I'm not sure I like this construct. If you want the cap the maximum length for a strlen output, then strnlen is there for use.

[Explorer09]

Update: I've changed my mind on the use of strnlen here. While strnlen can guarantee it never reads past the specified maxlen, strnlen is (theoretically) less performant than strlen when the input string is well formed already.

That doesn't mean I deny the possibility of using strnlen in htop, but the length clamping, if needed, should be done as early as possible, e.g. in Settings.c when reading the strings from config and not long after the config file was read.

Just using size_t for strlen return values would be slightly cheaper than using strnlen.

[Explorer09]

Can't understand the reason why expanding the bit width of this columnWidthCount to 64. Would it save code size by saving some cast instructions?

[Explorer09]

When I wrote this piece of Row_printNanoseconds code, I did not assume the unsigned int type would have 32 bits for you (for stricter standard compliance). I know what you are doing, but I would like uint32_t be used here instead of unsigned int.

[BenBE]

Also in favour of explicit bit width spec.

[Explorer09]

I would like this (unsigned long) cast in snprintf function be preserved unless you use PRIu32 format instead.

[Explorer09]

Suggested change

	if (id == UINT_MAX || endp == entry->d_name + 3 || *endp != '\0')
	if (id >= UINT_MAX || endp == entry->d_name + 3 || *endp != '\0')

[Explorer09]

We shouldn't use fast_strou*_dec here, as these "fast" versions come with no overflow check.
By looking at the lines below, it seems like the overflow check is needed.

[Explorer09]

The logic doesn't look right here. Why would INT_MAX become an invalid PID anyway? If we want to check for overflow, it could be parsedPid > INT_MAX || !errno.

[BenBE]

strtoul returns unsigned long, but the result is later assigned to a field of unsigned int. Thus anything greater than UINT_MAX causes an integer overflow. Everything equal to UINT_MAX is the sentinel value for "invalid user". Thus parsedPid >= UINT_MAX to catch both cases at once.

[Explorer09]

@BenBE This is PID, not UID. Please get the right context. POSIX didn't have a clear limit on the maximum value of PID, or that PID == INT_MAX is always invalid. So I want to play safe here.

Looking at this Stack Exchange question, it look like Linux currently has a hard limit of 4194303 (the maximum PID is one less than the value in /proc/sys/kernel/pid_max). And that no other OS had been using INT_MAX as maximum PID yet, so treating INT_MAX as invalid value may be fine, for now.

[Explorer09]

By the way, in Unix, pid_t is always a signed type, unlike uid_t. The pid_t is required to be signed as fork(2) returns value in this type and that negative values are reserved for special uses.

[Explorer09]

Since there are changes in this PR that look not trivial. Would you guys mind if I pick some of the easier changes and file a new PR for them? I just hope some of the changes can be merged early.

[Explorer09]

I think for this algorithm, it's better for s to be in size_t, and use (size_t)x (upcast) for comparisons below. I think I would submit my propsed change in a separate PR.

[Explorer09]

Oops. When I re-review this function code just now, I discovered that the use of strlen here was wrong at the start. This should have been "terminal width" instead and use a function similar to wcswidth but working with multi-byte string instead.

[BenBE]

Most of the non-trivial changes in this PR boil down to structural refactorings where many fields that denote size values still use int instead of the more appropriate size_t. Unfortunately, if you start this, this goes through the codebase at least once. Having this as a separate PR would be good. Also splitting other non-trivial changes out is much appreciated.

[BenBE]

I moved this PR and #1588 to 3.5.0 because 3.4.1 is targeted to be a minor bugfix release with little refactoring where possible. As these two PRs both carry quite some code changes that are hard to justify as minor fixes, these will have to wait a bit. Also I'm not really happy with the amount of change that is introduced in these two PRs. Please check if we can manage these fixes with a little bit more structured approach.

@Explorer09: Since @cgzones is kinda inactive you may continue the changes of this PR in a superseded implementation, unless there's an objection. If you do, please be mindful to the one who has to review the refactoring. ;-)