[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MOVING COMMUNITY CALL Call for agenda items for 9 June Community Call @ 1500 UTC


  • To: Roberto Bagnara <roberto.bagnara@xxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 9 Jun 2022 13:24:00 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XRztNSMmQff1m4Mgag6KGmW8568Om7TlD8Momh3Zj34=; b=g7yYV2HWBqQxHk6HpvHHY/lwn6rb7cXr6ZXjBTlTaZpJcOawegdt2w4ftSSkCVtJUVZo1FsrYKdOl5kJ+NxmvhJZvUD4Y0LeHLVwm1HyVzbFPg/K5eIfJPazKT0tLt1oyckriMBvcFZ24XSmwxbQOqmvnSUeYpCsFCsCSfLn8y9hH50lubobamONA5D1ozbYGpWUsCrYaLZws0aiiKTZLHUdBi/lVsKUR4HJ4P8+ZlNrk1pzGOIDEX+FvZuf9bv4NCFz5wFSIxA1sxXecu1abEub2ekTdfOvhC50cKyRPdq3nMLMJwt02x6K5imKxLaW66d3qzexHWorDdN+QeHaWA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mUOXMZbynTid7gPpbZtlc4eu1oJkwLNBLbOnIh/VkUby/IpffMyCkFqL+VDtwD8v3/SeaDnf98pEoKKy2DWqSL6ZrJQwyqknW/zkKNMtfBpgxF0QZKAxOgJ+7YJJ4yXcO9HgPTn2M0Bb2VSgLNCQ4BDNoiCiWfgVZATJdZjT2RaTM4e3bhElkPxf+7Jd0hGLPdtoiMuddUQ84Rf62kcw7AiRqcxqLOlhY0MGgBSoXHy2Mp8UGVpn6gGqtBugpP8pgr9hamQZu7zTvRAICrjZdyxxCpkSeV7NlwjIkf1Opc/J07ZzR748A8Ls2wj0GVPCKPi0kAK/bprJmUTmUb7ZSA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: George Dunlap <George.Dunlap@xxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Artem Mygaiev <Artem_Mygaiev@xxxxxxxx>, Andrew.Cooper3@xxxxxxxxxx, julien@xxxxxxx, Bertrand.Marquis@xxxxxxx, fusa-sig@xxxxxxxxxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • Delivery-date: Thu, 09 Jun 2022 13:55:34 +0000
  • List-id: This is a discussion list for members of the Xen Project FuSa SIG <fusa-sig.lists.xenproject.org>

On 09.06.2022 13:11, Roberto Bagnara wrote:
> On 07/06/22 04:17, Stefano Stabellini wrote:
>  > # Rule 9.1 "The value of an object with automatic storage duration shall 
> not be read before it has been set"
>  >
>  > The question is whether -Wuninitalised already covers this case or not.
>  > I think it does.
>  >
>  > Eclair is reporting a few issues where variables are "possibly
>  > uninitialized". We should ask Roberto about them, I don't think they are
>  > actual errors? More like extra warnings?
> 
> No, -Wuninitialized is not reliable, as it has plenty of (well known)
> false negatives.  This is typical of compilers, for which the generation
> of warnings is only a secondary objective.  I wrote about that here:
> 
>    https://www.bugseng.com/blog/compiler-warnings-use-them-dont-trust-them
> 
> On the specifics:
> 
> $ cat p.c
> int foo (int b)
> {
>      int a;
> 
>      if (b)
>      {
>          a = 1;
>      }
> 
>      return a;
> }
> 
> $ gcc -c -W -Wall -Wmaybe-uninitialized -O3 p.c
> $ gcc -c -W -Wall -Wuninitialized -O3 p.c
> $
> 
> Note that the example is less contrived than you might think.
> See, JF Bastien's talk at 2019 LLVM Developers' Meeting:
> 
>    https://www.youtube.com/watch?v=I-XUHPimq3o
> 
> More generally, you can only embrace MISRA if you agree on
> its preventive nature, which is radically different from
> the "bug finding" approach.  The point is rather simple:
> 
> 1) static analysis alone cannot guarantee correctness;
> 2) peer review is unavoidable;
> 3) testing is unavoidable.
> 
> In order to effectively conduct a peer review, you cannot
> afford being distracted every minute by the thought
> "is this initialized?  where is it initialized?  with which
> value is it initialized?"
> In a MISRA setting, you want that the answer to such questions
> is immediately clear to anyone.
> In contrast, if you embrace bug finding (that is, checkers with
> false negatives like the ones implemented by compilers),
> you will miss instances that you may miss also with testing
> (testing a program with UB does not give reliable results);
> and you will likely miss them with peer review, unless you
> can spend a lot of time and resources in the activity.
> 
> The checker implemented by ECLAIR for Rule 9.1 embodies this
> principle: if it says "violation", then it is a definite
> violation;  if it says "caution", then maybe there is no
> UB, but a human will have to spend more than 30 seconds
> in order to convince herself that there is no UB.
> 
> I understand this may sound frustrating to virtuoso programmers,
> and there are many of them in the open source world.
> But the truth is that virtuosity in programming is not a good
> thing for safety-related development.   For safety you want
> code that is simple and straightforward to reason about.

I understand what you're saying, yet I'd like to point out that adding
initializers "blindly" may give a false sense of code correctness.
Among other things it takes away the chance for tools to point out
possible issues. Plus some tools warn about stray initializers ...

Jan



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.