On Monday, November 18, 2024 6:57:03 PM GMT+1 František Šumšal wrote: > Right after I sent this I got a response [0] to the gcc bug and turns out that the culprit is disabled LTO. And indeed, if I build systemd with `-fanalyzer -flto=auto`, (almost) all reports disappear: > > With just -fanalyzer (meson setup build -Dc_args="-fanalyzer"): > $ grep warning: log-fanalyzer.txt | wc -l > 1519 > > With -fanalyzer -lto=auto (meson setup build -Dc_args="-fanalyzer -lto=auto"): > $ grep warning: log-fanalyzer-lto.txt | wc -l > 1 > > The LTO is being disabled in the csgcca wrapper since [1] because of some issues between -fanalyzer and LTO, but looks like disabling it has some disadvantages as well (not sure if they outweigh the advantages, I tested this only on systemd so far). > > [0] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117662#c2 > [1] https://github.com/csutils/cscppc/commit/d8d49b4cc92e0109b2654e9034c85e169bdc0566 Thanks for the analysis! Unfortunately, it does not mean that systemd is free of gcc analyzer findings. It rather means that -flto=auto prevented gcc analyzer from working. I have reported this upstream: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117667 ... and got an immediate reply. If you want gcc analyzer to work with LTO, you need to pass -fanalyzer to the linker, too (in meson via -Dc_link_args). The only problem is that it does not work because it runs forever and eats all the memory. So it is much better to use csgcca after all. Kamil > On 11/18/24 18:25, František Šumšal wrote: > > Hey, > > > > Thank you for doing this! > > > > I started taking apart systemd findings and reported a first issue against gcc [0], so we can hopefully squash the false positives from the results (at least the ones repored by gcc's -fanalyzer) and make them more useful. > > > > One thing that comes to mind (especially after the battle in [1]): how does the gcc's -fanalyzer handle optimized builds? In Fedora we currently (IIRC) build with -O2, and if I do a systemd build locally with both -O0 and -O2, the latter one generates more warnings. There's also several notes in the official documentation [2] that some of the checks might not work when optimizations are enabled, since the analyzer runs quite late in the compilation process. Which also raises question - does optimization make -fanalyzer more prone to false positives? And does it make the findings less accurate? > > > > Cheers, > > Frantisek > > > > [0] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117662 > > [1] https://github.com/csutils/cscppc/issues/46 > > [2] https://gcc.gnu.org/onlinedocs/gcc/Static-Analyzer-Options.html > > > > > > On 11/14/24 08:47, Siteshwar Vashisht wrote: > >> Hello, > >> > >> I am writing this message to get feedback from the community on new > >> findings by static analyzers in Critical Path Packages that have > >> changed in Fedora 42. > >> > >> TLDR: This report[1] contains 37330 findings. Please review the report > >> and provide feedback. > >> > >> A mass scan was performed this week on the packages that have changed > >> in Fedora 42. This report[1] contains all the new findings that have > >> been identified in the packages listed in Critical Path Packages. > >> Newly added findings since Fedora 41 are listed under ‘+’ column. > >> Please review the report and fix or report any findings upstream that > >> may be real bugs. Not all findings reported by OpenScanHub may be > >> actual bugs, so please verify reported findings before investing time > >> into fixing or reporting them. We hope this is helpful for the > >> packages you maintain and for the upstream projects. Questions can be > >> asked on the OpenScanHub mailing list[2]. If you want to see the full > >> logs of the scans, they are available on the tasks[3] page. User > >> documentation for performing a scan is available on the Fedora > >> wiki[4]. > >> > >> Constructive feedback is appreciated. Thank you! > >> > >> [1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f42-13-Nov-2024/ > >> [2] https://lists.fedoraproject.org/archives/list/openscanhub@xxxxxxxxxxxxxxxxxxxxxxx/ > >> [3] https://openscanhub.fedoraproject.org/task/ > >> [4] https://fedoraproject.org/wiki/OpenScanHub -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue