From b62c681b117e77b3ef56331ba8c92b5eaf0d2b0d Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Fri, 17 Oct 2025 11:27:55 +0100
Subject: [PATCH] log: add underflow assert guard

We often use ssize_t in log_error macros, but typically return int which confuses coverity, as technically there is no guarantee that int and ssize_t have the same range. Add an assert to enforce it.
---
src/basic/log.h | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/basic/log.h b/src/basic/log.h
index a07841c6ca..134169c824 100644
--- a/src/basic/log.h
+++ b/src/basic/log.h
@@ -192,15 +192,21 @@ int log_dump_internal(
 #if BUILD_MODE_DEVELOPER && !defined(TEST_CODE)
 # define ASSERT_NON_ZERO(x) assert((x) != 0)
+# define ASSERT_UNDERFLOW(x) assert((x) >= INT_MIN)
 #else
 # define ASSERT_NON_ZERO(x)
+# define ASSERT_UNDERFLOW(x)
 #endif
+/* We often call log macros with ssize_t instead of int, so check for underflows, * as ssize_t is not guaranteed to be the same as int, and we usually do * 'return log_errno...' from functions that return 'int' */
 #define log_full_errno(level, error, ...) \
 ({ \
- int _error = (error); \
+ int64_t _error = (error); \
+ ASSERT_UNDERFLOW(_error); \
 ASSERT_NON_ZERO(_error); \
- log_full_errno_zerook(level, _error, __VA_ARGS__); \
+ log_full_errno_zerook(level, (int)_error, __VA_ARGS__); \
 })
 #define log_full(level, fmt, ...) \
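Review bot: The new ASSERT_UNDERFLOW on the widened `_error` only bounds the value from below, so anything above INT_MAX still reaches the `(int)_error` cast in log_full_errno silently, and because ASSERT_NON_ZERO is evaluated on the 64-bit value rather than the truncated one, a value that is non-zero as int64_t but truncates to 0 would in principle pass both asserts and be logged as a zero error code. Checking both ends, `# define ASSERT_UNDERFLOW(x) assert((x) >= INT_MIN && (x) <= INT_MAX)`, closes that gap at no cost to release builds, where the macro is already empty; a name such as ASSERT_INT_RANGE would then describe the check better than one that reads as asserting that an underflow happened. The hunk does not show whether log.h already has `<limits.h>` (for INT_MIN) and `<stdint.h>` (for int64_t) in scope; presumably it does through its existing includes, but that is worth confirming since only developer builds exercise the new define. The added comment above log_full_errno could also say that the value is range-checked and then narrowed back to int, so readers do not assume the wide type propagates into log_full_errno_zerook.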