Hacker News new | past | comments | ask | show | jobs | submit login

It's pretty dumb that pid 1 has any assert()s in it at all. Or libraries for that matter.



You're going to _love_ systemd. I think someone found a kitchen sink in there once.


I decided to see if there was any merit to your snarky comment:

    $ git clone git://anongit.freedesktop.org/systemd/systemd systemd-git
    $ cd systemd-git
    $ grep -r "assert(" | wc -l
    7771
That looks pretty bad at first. But I noticed this in src/shared/macro.h:

    /* We override the glibc assert() here. */
    #undef assert
    #ifdef NDEBUG
    #define assert(expr) do {} while(false)
    #else
    #define assert(expr) assert_se(expr)
    #endif

I didn't verify that macro.h was included by every file that used assert(). But I'm assuming it does. So it looks like assert() at least doesn't call abort() in their world. In fact, it's a nop in non-debug builds. And even in debug builds, the assert_se() macro logs a message and continues.

I didn't check for any external libraries systemd might use.


Also, the systemd repository contains dozens of other programs than systemd itself. Even if any of those were to abort, the implications for systemd would be far less severe. Not nearly all the git code will ever be running in pid 1.


This would be a great place to insert a snarky comment about the sanity of overloading a standard function.

I believe it violates the principle of least surprise, which I generally would consider a good principle.

As a new reader of the code, you'd be quite sane to expect "assert" to mean assert(), not "our local assert(), which is something different".

There should be a --disallow-keyword-redefinitions flag to the preprocessor, or something. Grumble.


'assert' is not a keyword. Even if it were, they overrode it with a function that has the exact same signature and general runtime behaviour. Hardly anything to be surprised about.

Also, invoking the principle of least surprise on a C codebase is just ludicrous.


I didn't say it was a keyword. It's a standard function-like macro (not a function, as I wrote).

I would think it just as bad an idea to overload `NULL` with something non-standard.

The standard things in the language are something to be learned, and they should remain constant and not change per-project just because someone can do it differently. Do it however you like, but don't clobber the standard names, is all I'm saying.


The "principle of least surprise" would say that of course asserts are turned off with -NDEBUG. From assert(3) on osx: """The assert() macro may be removed at compile time with the cc(1) option -DNDEBUG."""


In general I would agree with you—it sucks to override a standard function with weird, local, non-standard functionality. However, in this case, it's an extremely common practice to override assert() so that it only aborts or warns during testing or when some DEBUG macro is defined. To attack that is to ignore long-standing, wide-spread idioms.


"The principle of least surprise" is, in every use I've ever seen, just an obnoxious way to say that it's not how you would have done it.


Yes, when I want a nonstandard assert() I normally give it a different name, like insist(). No reason not to.


I often need to wash up after particularly messy system administration tasks. That sink will come in handy.

I'd be curious to know if systemd is tickled by this one weird trick to crash your server. It does work with inotify (and other fun newish kernel techs), so it would be subject to the inotify queue length...but what'll happen when it hits it?


TTBOMK, systemd doesn't watch unit files for changes. If you change a unit, you need to run `systemctl daemon-reload` to make it notice. It does, however, try to work out if it's in a state where you are running `systemctl` without reloading, and warns that you may need to reload.


Eyeballing their inotify use, it does seem to be careful to check this field and log failures if it's not as expected, but doesn't appear to do anything that should intentionally or unintentionally trigger failure.


And then take this anti-pattern and multiply it by the sheer excess of feeping creaturism; a massive vulnerability surface. If you thought AWS's short notice reboot everything incident was/is uncommon I suspect we'll be seeing a lot more of that sort of thing in the nearish future.


Reportedly it's possible to achieve a similar effect on systemd by having too many journal files (on 208, but the distros backport patches into it constantly from the -stable branch, IIRC): https://bugzilla.redhat.com/show_bug.cgi?id=1112556


Well... on one hand side, it's probably better to abort than to get a possible exploit. On the other it's not a funny situation when one of your base services dies and it can happen easily (found some cases of remote-triggerable abort()s in systemd-resolve - patches were sent upsteam, nobody seems to care for a few days now).


Exploits include denial of service, surely?




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: