Re: Findings by static analyzers in Fedora 42 Critical Path Packages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Monday, November 18, 2024 6:57:03 PM GMT+1 František Šumšal wrote:
> Right after I sent this I got a response [0] to the gcc bug and turns out that the culprit is disabled LTO. And indeed, if I build systemd with `-fanalyzer -flto=auto`, (almost) all reports disappear:
> 
> With just -fanalyzer (meson setup build -Dc_args="-fanalyzer"):
> $ grep warning: log-fanalyzer.txt | wc -l
> 1519
> 
> With -fanalyzer -lto=auto (meson setup build -Dc_args="-fanalyzer -lto=auto"):
> $ grep warning: log-fanalyzer-lto.txt | wc -l
> 1
> 
> The LTO is being disabled in the csgcca wrapper since [1] because of some issues between -fanalyzer and LTO, but looks like disabling it has some disadvantages as well (not sure if they outweigh the advantages, I tested this only on systemd so far).
> 
> [0] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117662#c2
> [1] https://github.com/csutils/cscppc/commit/d8d49b4cc92e0109b2654e9034c85e169bdc0566

Thanks for the analysis!  Unfortunately, it does not mean that systemd is
free of gcc analyzer findings.  It rather means that -flto=auto prevented
gcc analyzer from working.  I have reported this upstream:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117667

... and got an immediate reply.  If you want gcc analyzer to work with LTO,
you need to pass -fanalyzer to the linker, too (in meson via -Dc_link_args).
The only problem is that it does not work because it runs forever and eats
all the memory.  So it is much better to use csgcca after all.

Kamil

> On 11/18/24 18:25, František Šumšal wrote:
> > Hey,
> > 
> > Thank you for doing this!
> > 
> > I started taking apart systemd findings and reported a first issue against gcc [0], so we can hopefully squash the false positives from the results (at least the ones repored by gcc's -fanalyzer) and make them more useful.
> > 
> > One thing that comes to mind (especially after the battle in [1]): how does the gcc's -fanalyzer handle optimized builds? In Fedora we currently (IIRC) build with -O2, and if I do a systemd build locally with both -O0 and -O2, the latter one generates more warnings. There's also several notes in the official documentation [2] that some of the checks might not work when optimizations are enabled, since the analyzer runs quite late in the compilation process. Which also raises question - does optimization make -fanalyzer more prone to false positives? And does it make the findings less accurate?
> > 
> > Cheers,
> > Frantisek
> > 
> > [0] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117662
> > [1] https://github.com/csutils/cscppc/issues/46
> > [2] https://gcc.gnu.org/onlinedocs/gcc/Static-Analyzer-Options.html
> > 
> > 
> > On 11/14/24 08:47, Siteshwar Vashisht wrote:
> >> Hello,
> >>
> >> I am writing this message to get feedback from the community on new
> >> findings by static analyzers in Critical Path Packages that have
> >> changed in Fedora 42.
> >>
> >> TLDR: This report[1] contains 37330 findings. Please review the report
> >> and provide feedback.
> >>
> >> A mass scan was performed this week on the packages that have changed
> >> in Fedora 42. This report[1] contains all the new findings that have
> >> been identified in the packages listed in Critical Path Packages.
> >> Newly added findings since Fedora 41 are listed under ‘+’ column.
> >> Please review the report and fix or report any findings upstream that
> >> may be real bugs. Not all findings reported by OpenScanHub may be
> >> actual bugs, so please verify reported findings before investing time
> >> into fixing or reporting them. We hope this is helpful for the
> >> packages you maintain and for the upstream projects. Questions can be
> >> asked on the OpenScanHub mailing list[2]. If you want to see the full
> >> logs of the scans, they are available on the tasks[3] page. User
> >> documentation for performing a scan is available on the Fedora
> >> wiki[4].
> >>
> >> Constructive feedback is appreciated. Thank you!
> >>
> >> [1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f42-13-Nov-2024/
> >> [2] https://lists.fedoraproject.org/archives/list/openscanhub@xxxxxxxxxxxxxxxxxxxxxxx/
> >> [3] https://openscanhub.fedoraproject.org/task/
> >> [4] https://fedoraproject.org/wiki/OpenScanHub



-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux