log: add underflow assert guard
authorLuca Boccassi <luca.boccassi@gmail.com>
Fri, 17 Oct 2025 10:27:55 +0000 (11:27 +0100)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Fri, 17 Oct 2025 16:11:49 +0000 (01:11 +0900)
We often use ssize_t in log_error macros, but typically return int
which confuses Coverity, as there is technically no guarantee that
int and ssize_t have the same range. Add an assert to enforce it.

src/basic/log.h

index a07841c6ca1769a7acebe45631301a322fff2fc2..134169c824c906afad8d78bb9c3e735cf86ca313 100644 (file)
@@ -192,15 +192,21 @@ int log_dump_internal(
 
 #if BUILD_MODE_DEVELOPER && !defined(TEST_CODE)
 #  define ASSERT_NON_ZERO(x) assert((x) != 0)
+#  define ASSERT_UNDERFLOW(x) assert((x) >= INT_MIN)
 #else
 #  define ASSERT_NON_ZERO(x)
+#  define ASSERT_UNDERFLOW(x)
 #endif
 
+/* We often call log macros with ssize_t instead of int, so check for underflows,
+ * as ssize_t is not guaranteed to be the same as int, and we usually do
+ * 'return log_errno...' from functions that return 'int' */
 #define log_full_errno(level, error, ...)                               \
         ({                                                              \
-                int _error = (error);                                   \
+                int64_t _error = (error);                               \
+                ASSERT_UNDERFLOW(_error);                               \
                 ASSERT_NON_ZERO(_error);                                \
-                log_full_errno_zerook(level, _error, __VA_ARGS__);      \
+                log_full_errno_zerook(level, (int)_error, __VA_ARGS__); \
         })
 
 #define log_full(level, fmt, ...)                                      \
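Review bot: The guard on the added `ASSERT_UNDERFLOW` line checks only the lower bound, so a value above INT_MAX still reaches the `(int)_error` cast on the last added line and is silently truncated, which matters if any caller passes a positive errno or a non-error ssize_t through this macro. A check in both directions costs nothing here: `#  define ASSERT_UNDERFLOW(x) assert((x) >= INT_MIN && (x) <= INT_MAX)` (the name could then become `ASSERT_FITS_INT` or similar, though keeping it is fine). The developer-build branch now also depends on `INT_MIN` from `<limits.h>` and `int64_t` from `<stdint.h>`; log.h's include list is outside this hunk, so it is worth confirming both are pulled in directly rather than transitively. In non-developer builds the macro expands to nothing, so an out-of-range value remains a silent implementation-defined narrowing exactly as before the patch.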