[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
Date: Wed, 08 Nov 2023 14:28:19 +0100
Cc: sstabellini@xxxxxxxxxx, michal.orzel@xxxxxxx, xenia.ragiadakou@xxxxxxx, ayan.kumar.halder@xxxxxxx, consulting@xxxxxxxxxxx, andrew.cooper3@xxxxxxxxxx, roger.pau@xxxxxxxxxx, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 08 Nov 2023 13:28:32 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2023-11-08 12:19, Jan Beulich wrote:

On 08.11.2023 12:03, Nicola Vetrini wrote:

On 2023-11-08 09:24, Jan Beulich wrote:

On 03.11.2023 18:58, Nicola Vetrini wrote:

Static analysis tools may detect a possible null
pointer dereference at line 760 (the memcpy call)
of xen/common/domain.c. This ASSERT helps them in
detecting that such a condition is not possible
and also provides a basic sanity check.


I disagree with this being a possible justification for adding such a
redundant assertion. More detail is needed on what is actually
(suspected to be) confusing the tool. Plus it also needs explaining
why (a) adding such an assertion helps and (b) how that's going to
cover release builds.


How about:
"Static analysis tools may detect a possible null pointer dereference
at line 760 (config->handle) due to config possibly being NULL.

However, given that all system domains, including IDLE, have a NULL
config and in the code path leading to the assertion only real domains
(which have a non-NULL config) can be present."

On point b): this finding is a false positive, therefore even if the
ASSERT is

expanded to effectively a no-op, there is no inherent problem withXen's

code.
The context in which the patch was suggested [1] hinted at avoiding
inserting in
the codebase false positive comments.


Which I largely agree with. What I don't agree with is adding an
assertion which is only papering over the issue, and only in debug
builds. So perhaps instead we need a different way of tracking
false positives (which need to be tied to specific checker versions
anyway).


Hmm. Is it better in your opinion to write something like:

if (config == NULL)

return ERR_PTR(<some error code>); // or die() or somethingappropriate

this would be a rudimentary handling of the error with some messagesdetailing that something

is wrong if a domain has a null config at that point.

To be clear: I'm fine with every way of deviating the construct, butagreeing on analternate mechanism to SAF-x-false-positive would land later thanimplementing some form

of error handling, I think.

--
Nicola Vetrini, BSc
Software Engineer, BUGSENG srl (https://bugseng.com)

Follow-Ups:
- Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools
  - From: Jan Beulich

References:
- [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools
  - From: Nicola Vetrini
- Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools
  - From: Jan Beulich
- Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools
  - From: Nicola Vetrini
- Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools
  - From: Jan Beulich

Prev by Date: Re: [PATCH v12 01/37] x86/cpufeatures: Add the cpu feature bit for WRMSRNS
Next by Date: Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools
Previous by thread: Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools
Next by thread: Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.