Re: Findings by static analyzers in Fedora 42 Critical Path Packages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 15, 2024 at 06:53:59AM +0100, Siteshwar Vashisht wrote:
> - The issue of false positives is one of the most important, but hard
> to solve. I started a discussion[2] on GitHub, but we do not have a
> good answer to it yet. If you have ideas, please share on GitHub.

Hi,

This was already partially discussed in the other part of the thread
with František, but without a clear conclusion on the reported issues.
I looked into the reports for systemd, and generally they are all
false positives, and actually quite immediately obvious false positives.

The very first report is:
  #   70|   		eval "arr=( $line )"
  #   71|-> 		case "${arr[0]}" in
  /usr/lib/rpm/sysusers.generate-pre.sh:71:9: warning[SC2154]: arr is referenced but not assigned.

Then there are reports of various leaks, but it's pretty clear
that __attribute__(cleanup) is not being understood.

A bit later is:
  #  273|->         return RET_NERRNO(open(path, O_CLOEXEC|O_PATH));
  systemd-257_rc1-build/systemd-257-rc1/src/basic/build-path.c:273:16: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open(path, 2621440)’

i.e. the value that is returned via 'return', not leaked.

I also looked at the reports for util-linux. They first few are fairly
obvious false positives too:

  util-linux-2.40.2-build/util-linux-2.40.2/disk-utils/fdformat.c:127:49: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL ‘xmalloc((long unsigned int)track_size) + (sizetype)count’

  util-linux-2.40.2-build/util-linux-2.40.2/disk-utils/mkfs.cramfs.c:304:9: warning[-Wanalyzer-possible-null-argument]: use of possibly-NULL ‘xmalloc(len + 257)’ where non-null expected

(xmalloc, xstrdup are obviously non-failing wrappers for malloc and strdup)

#  992|-> 		} else if (*s == '!') {
util-linux-2.40.2-build/util-linux-2.40.2/disk-utils/fsck.c:992:28: warning[-Wanalyzer-malloc-leak]: leak of ‘xstrdup(fs_type)’

This one is strange, because it reports a comparison operation as
doing something.

It seems pretty clear that the signal-to-noise ratio is extremely low.
I don't think it's useful to tell people to look into those reports
until this ratio improves quite a bit.

> [2] https://github.com/openscanhub/openscanhub/issues/290

Zbyszek
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux