[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools


  • To: Julien Grall <julien@xxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 9 Nov 2023 08:42:05 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WXQ+0P3MIHcV+4IygX954kT4L9eaqeKtZb/ggkmz1WI=; b=LGLmNHqFSca/ZzMRt0jrl2xG4rrXn5DLwMntJWO8QmVApbGRo9uH/ojXmf4ke4WMnvvnPAa84/WNb2Wpwd6H8OcVeRi9S87IpYIlplbbWdaICEN/EVQHnCDkg8t/97PGGz9WupThHnn0YpYLKiyrKaP1yWJcvNm1psW3BODvZ8TqjyugkTUizs/6+toUkwiHB2n3CXsYR4KPUrpXwFXB/xITlf1dUTm0IajPc/rxiRZaxl990wm64gTe6DF51cOtZ1RT6OhxH1SturHOxRCpqxh2e1FJ0nd7ALvPC5vOnKJEuGVv4C1qR0ZttBbiu+cJ9qvm25jqPyYcACYBup11Rg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lZvq9LCWh2Nr4ydy1vPbQwtfWtBnUWAzK+Jr8OLJeuGKiohTnVxzfDDU4YtQ72Bzg2wyeJyz8bx9zn1PYO4dOUoM0HrX84zkt45H3ELxoXlDQjp/XSV+IjjVoQXE5voykaGUvj5mq6tswIldN2amrz/d2XfjLjaGBnvYXpkyo7i9z6FCJd3Z/Js6DpJQNglu+ROQNLSppMVSGXFLt/v2JScZ68hqOLlWXVgsW/VPy8C9HTFc41hYdcAxwcsHPcWt4cBQvVCbe7sXEX3MuCBzBrCr8nnqDdeJzuL34a8gpNK79wtVWvsEqxWrLqUZYrK21k0908Fgsqxf2sI1xSdMsQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: sstabellini@xxxxxxxxxx, michal.orzel@xxxxxxx, xenia.ragiadakou@xxxxxxx, ayan.kumar.halder@xxxxxxx, consulting@xxxxxxxxxxx, andrew.cooper3@xxxxxxxxxx, roger.pau@xxxxxxxxxx, George Dunlap <george.dunlap@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • Delivery-date: Thu, 09 Nov 2023 07:42:24 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 08.11.2023 14:33, Julien Grall wrote:
> Hi Jan,
> 
> On 08/11/2023 11:19, Jan Beulich wrote:
>> On 08.11.2023 12:03, Nicola Vetrini wrote:
>>> On 2023-11-08 09:24, Jan Beulich wrote:
>>>> On 03.11.2023 18:58, Nicola Vetrini wrote:
>>>>> Static analysis tools may detect a possible null
>>>>> pointer dereference at line 760 (the memcpy call)
>>>>> of xen/common/domain.c. This ASSERT helps them in
>>>>> detecting that such a condition is not possible
>>>>> and also provides a basic sanity check.
>>>>
>>>> I disagree with this being a possible justification for adding such a
>>>> redundant assertion. More detail is needed on what is actually
>>>> (suspected to be) confusing the tool. Plus it also needs explaining
>>>> why (a) adding such an assertion helps and (b) how that's going to
>>>> cover release builds.
>>>>
>>>
>>> How about:
>>> "Static analysis tools may detect a possible null pointer dereference
>>> at line 760 (config->handle) due to config possibly being NULL.
>>>
>>> However, given that all system domains, including IDLE, have a NULL
>>> config and in the code path leading to the assertion only real domains
>>> (which have a non-NULL config) can be present."
>>>
>>> On point b): this finding is a false positive, therefore even if the
>>> ASSERT is
>>> expanded to effectively a no-op, there is no inherent problem with Xen's
>>> code.
>>> The context in which the patch was suggested [1] hinted at avoiding
>>> inserting in
>>> the codebase false positive comments.
>>
>> Which I largely agree with. What I don't agree with is adding an
>> assertion which is only papering over the issue, and only in debug
>> builds.
> 
> I expect that the number of issues will increase a lot as soon as we 
> start to analyze production builds.
> 
> I don't think it will be a solution to either replace all the ASSERT() 
> with runtime check in all configuration or even...
> 
>> So perhaps instead we need a different way of tracking
>> false positives (which need to be tied to specific checker versions
>> anyway).
> 
> ... documenting false positive.
> 
> IMHO, the only viable option would be to have a configuration to keep 
> ASSERT in production build for scanning tools.

But wouldn't that then likely mean scanning to be done on builds not also
used in production? Would doing so even be permitted when certification
is a requirement? Or do you expect such production builds to be used with
the assertions left in place (increasing the risk of a crash; recall that
assertions themselves may also be wrong, and hence one triggering in rare
cases may not really be a reason to bring down the system)?

Jan



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.