On 04/25/2012 04:46 PM, Eric Blake wrote: > On 04/25/2012 02:01 PM, Laine Stump wrote: >> This patch resolves https://bugzilla.redhat.com/show_bug.cgi?id=815270 >> >> The function virNetDevMacVLanVPortProfileRegisterCallback() takes an >> arg "virtPortProfile", and was checking it for non-NULL before using >> it. However, the prototype for >> virNetDevMacVLanPortProfileRegisterCallback had marked that arg with >> ATTRIBUTE_NONNULL(). Contrary to what one may think, >> ATTRIBUTE_NONNULL() does not provide any guarantee that an arg marked >> as such really is always non-null; the only effect to the code >> generated by gcc, is that gcc *assumes* it is non-NULL; this results >> in, for example, the check for a non-NULL value being optimized out. >> >> (Unfortunately, this code removal only occurs when optimization is >> enabled, and I am in the habit of doing local builds with optimization >> off to ease debugging, so the bug didn't show up in my earlier local >> testing). >> >> In general, virPortProfile might always be NULL, so it shouldn't be >> marked as ATTRIBUTE_NONNULL. One other function prototype made this >> same error, so this patch fixes it as well. > Might be worth linking to > http://gcc.gnu.org/bugzilla/show_bug.cgi?id=17308 Oops. I pushed before I noticed this comment. > >> --- >> src/util/virnetdevmacvlan.h | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) > ACK. What an insidious bug. > > As Laine and I discussed on IRC, I'm half wondering if we should just do: > > #ifdef STATIC_ANALYSIS && /* attributes supported */ > # define ATTRIBUTE_NONNULL(n) __attribute__((__nonnull__(n))) > #else > # define ATTRIBUTE_NONNULL(n) /* empty, due to gcc lameness */ > #endif > > so that our code will be pessimized under normal compiles, but _at > least_ places where we have bugs with improper use of the attribute > won't cause gcc to miscompile things; but still let us get NULL checking > when running clang or Coverity. Or the patch that will be in the next reply to your mail? (STATIC_ANALYSIS is always defined, but could be 0 or 1) > I also wonder if this has been detected by Coverity (checking a nonnull > parameter for NULL is dead code, which Coverity does tend to flag), and > we just haven't been following Coverity closely enough to notice. It's a fairly recent change, so very likely nobody has run Coverity against it yet. -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list