[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH][for-4.19] domain: add ASSERT to help static analysis tools

  • To: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 9 Nov 2023 08:44:01 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+G92ePYY7mAP+szFxqnOO97Xd+p+ysQAh4hujfNBqPY=; b=oBo6hnMrhE8vfkAS9sX3UYW4Kjt+1mr+quesxftUe5C50JbolHq3PUbqAt9CqBlWXG5HRDRh0kBNAEgni5FFopHMVq00f7jLk5z/tYAuYk7ugYtil2MrWmqq3ZJCnkQnsSXmN87xBLO9u42eganp/VLlRqBRwMRMO02aTldCfdmyw80zAVYKPKJuzt1F8K5CHnUeFWrBgSql/kfufJP1DhF2TGuq3vzF8Iid9hiPAliNWNGlaJJ7NwuAGaarrNO8IN72FNKO9nqWjLBa/u2d0sA0FrNzB0+hkOgoSaUtgoNq4dbpaUBVSSMuiMYhRzXxiXraslZufcZNaclBFy5gIA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Cwiuu4C9QORxCZ32o5o+nH64+CL2e3pCe7RHdQlCKwIX+uLTBg1uegqOL3jWA/mVkVWX1KCBUUOCQaoUnBhK9oTcBKvhSZbCYpRE/VCYkVVelHdZG7qDBxqgGQ9qs1AznMlgvdr+icPwnzKwOkqSSDRnMDAP92IE6ehu8d/fSKl+f5CkXxKnyca8W4ZJiBP7Ss+F1KCDbYlnIqckmZdjH0NE0GexcUAUUyPNoqfFbMsvVR+wI94gw9acJdY7N1tBJgfUnom+TlR2TVa26XqFg47lJUqZNguazLaCtlu/AXBdnWNI7/7/gIx3Q0wQKmhsnU0dQFWdgUOUvt9lCanTKQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: sstabellini@xxxxxxxxxx, michal.orzel@xxxxxxx, xenia.ragiadakou@xxxxxxx, ayan.kumar.halder@xxxxxxx, consulting@xxxxxxxxxxx, andrew.cooper3@xxxxxxxxxx, roger.pau@xxxxxxxxxx, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 09 Nov 2023 07:44:10 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 08.11.2023 14:28, Nicola Vetrini wrote:
> On 2023-11-08 12:19, Jan Beulich wrote:
>> On 08.11.2023 12:03, Nicola Vetrini wrote:
>>> On 2023-11-08 09:24, Jan Beulich wrote:
>>>> On 03.11.2023 18:58, Nicola Vetrini wrote:
>>>>> Static analysis tools may detect a possible null
>>>>> pointer dereference at line 760 (the memcpy call)
>>>>> of xen/common/domain.c. This ASSERT helps them in
>>>>> detecting that such a condition is not possible
>>>>> and also provides a basic sanity check.
>>>>
>>>> I disagree with this being a possible justification for adding such a
>>>> redundant assertion. More detail is needed on what is actually
>>>> (suspected to be) confusing the tool. Plus it also needs explaining
>>>> why (a) adding such an assertion helps and (b) how that's going to
>>>> cover release builds.
>>>>
>>>
>>> How about:
>>> "Static analysis tools may detect a possible null pointer dereference
>>> at line 760 (config->handle) due to config possibly being NULL.
>>>
>>> However, given that all system domains, including IDLE, have a NULL
>>> config and in the code path leading to the assertion only real domains
>>> (which have a non-NULL config) can be present."
>>>
>>> On point b): this finding is a false positive, therefore even if the
>>> ASSERT is
>>> expanded to effectively a no-op, there is no inherent problem with 
>>> Xen's
>>> code.
>>> The context in which the patch was suggested [1] hinted at avoiding
>>> inserting in
>>> the codebase false positive comments.
>>
>> Which I largely agree with. What I don't agree with is adding an
>> assertion which is only papering over the issue, and only in debug
>> builds. So perhaps instead we need a different way of tracking
>> false positives (which need to be tied to specific checker versions
>> anyway).
>>
> 
> Hmm. Is it better in your opinion to write something like:
> 
> if (config == NULL)
>     return ERR_PTR(<some error code>); // or die() or something 
> appropriate
> 
> this would be a rudimentary handling of the error with some messages 
> detailing that something
> is wrong if a domain has a null config at that point.

No. This is no better than a redundant assertion. It's even slightly
worse, as it'll likely leave a trace in generated code for release
builds.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.