From: Paolo Bonzini <pbonzini@redhat.com>
To: Markus Armbruster <armbru@redhat.com>, qemu-devel@nongnu.org
Cc: kwolf@redhat.com, mdroth@linux.vnet.ibm.com, aliguori@amazon.com
Subject: Re: [Qemu-devel] [PATCH 10/10] qapi: Clean up null checking in generated visitors
Date: Fri, 07 Feb 2014 13:42:24 +0100 [thread overview]
Message-ID: <52F4D4B0.4010307@redhat.com> (raw)
In-Reply-To: <1391697000-5855-11-git-send-email-armbru@redhat.com>
Il 06/02/2014 15:30, Markus Armbruster ha scritto:
> Visitors get passed a pointer to the visited object. The generated
> visitors try to cope with this pointer being null in some places, for
> instance like this:
>
> visit_start_optional(m, obj ? &(*obj)->has_name : NULL, "name", &err);
>
> visit_start_optional() passes its second argument to Visitor method
> start_optional. Two out of two methods dereference it
> unconditionally.
Some visitor implementations however do not implement start_optional at
all. With these visitor implementations, you currently could pass a
NULL object. After your patch, you still can but you're passing a bad
pointer which is also a problem (perhaps one that Coverity would also
detect).
> diff --git a/scripts/qapi-visit.py b/scripts/qapi-visit.py
> index ff4239c..3eb10c8 100644
> --- a/scripts/qapi-visit.py
> +++ b/scripts/qapi-visit.py
> @@ -47,9 +47,9 @@ static void visit_type_%(full_name)s_fields(Visitor *m, %(name)s ** obj, Error *
>
> if base:
> ret += mcgen('''
> -visit_start_implicit_struct(m, obj ? (void**) &(*obj)->%(c_name)s : NULL, sizeof(%(type)s), &err);
> +visit_start_implicit_struct(m, (void**) &(*obj)->%(c_name)s, sizeof(%(type)s), &err);
This is the implementation of start_implicit_struct:
static void qmp_input_start_implicit_struct(Visitor *v, void **obj,
size_t size, Error **errp)
{
if (obj) {
*obj = g_malloc0(size);
}
}
Before your patch, if obj is NULL, *obj is not written.
After your patch, if obj is NULL, and c_name is not the first field in
the struct, *obj is written and you get a NULL pointer dereference.
Same for end_implicit_struct in qapi/qapi-dealloc-visitor.c.
So I think if you remove this checking, you need to do the same in the
visitor implementations as well.
I think NULL pointer input can be used to *validate* input against QAPI
types without building a throw-away object (which entails unbounded
memory allocations for list types). I don't know if the state of this
is "broken", "it never worked", or "works but not tested and never
used". It's definitely not covered by the unit tests.
> if (!err) {
> - visit_type_%(type)s_fields(m, obj ? &(*obj)->%(c_prefix)s%(c_name)s : NULL, &err);
> + visit_type_%(type)s_fields(m, &(*obj)->%(c_prefix)s%(c_name)s, &err);
> error_propagate(errp, err);
> err = NULL;
> visit_end_implicit_struct(m, &err);
> @@ -61,8 +61,8 @@ if (!err) {
> for argname, argentry, optional, structured in parse_args(members):
> if optional:
> ret += mcgen('''
> -visit_start_optional(m, obj ? &(*obj)->%(c_prefix)shas_%(c_name)s : NULL, "%(name)s", &err);
> -if (obj && (*obj)->%(prefix)shas_%(c_name)s) {
> +visit_start_optional(m, &(*obj)->%(c_prefix)shas_%(c_name)s, "%(name)s", &err);
> +if ((*obj)->%(prefix)shas_%(c_name)s) {
> ''',
> c_prefix=c_var(field_prefix), prefix=field_prefix,
> c_name=c_var(argname), name=argname)
> @@ -72,7 +72,7 @@ if (obj && (*obj)->%(prefix)shas_%(c_name)s) {
> ret += generate_visit_struct_body(full_name, argname, argentry)
> else:
> ret += mcgen('''
> -visit_type_%(type)s(m, obj ? &(*obj)->%(c_prefix)s%(c_name)s : NULL, "%(name)s", &err);
> +visit_type_%(type)s(m, &(*obj)->%(c_prefix)s%(c_name)s, "%(name)s", &err);
> ''',
> c_prefix=c_var(field_prefix), prefix=field_prefix,
> type=type_name(argentry), c_name=c_var(argname),
> @@ -121,7 +121,7 @@ visit_start_struct(m, (void **)obj, "%(name)s", name, sizeof(%(name)s), &err);
>
> ret += mcgen('''
> if (!err) {
> - if (!obj || *obj) {
> + if (*obj) {
> visit_type_%(name)s_fields(m, obj, &err);
This is a different problem, and I think a different Coverity error too,
isn't it?
No objections to patch 1-9.
Paolo
> error_propagate(errp, err);
> err = NULL;
> @@ -273,7 +273,7 @@ void visit_type_%(name)s(Visitor *m, %(name)s ** obj, const char *name, Error **
> if (!error_is_set(errp)) {
> visit_start_struct(m, (void **)obj, "%(name)s", name, sizeof(%(name)s), &err);
> if (!err) {
> - if (obj && *obj) {
> + if (*obj) {
> ''',
> name=name)
>
>
next prev parent reply other threads:[~2014-02-07 12:42 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-06 14:29 [Qemu-devel] [PATCH 00/10] qapi: Test coverage & clean up generated code Markus Armbruster
2014-02-06 14:29 ` [Qemu-devel] [PATCH 01/10] tests/qapi-schema: Actually check successful QMP command response Markus Armbruster
2014-02-07 2:09 ` Eric Blake
2014-02-07 7:37 ` Markus Armbruster
2014-02-06 14:29 ` [Qemu-devel] [PATCH 02/10] tests/qapi-schema: Cover optional command arguments Markus Armbruster
2014-02-07 2:30 ` Eric Blake
2014-02-06 14:29 ` [Qemu-devel] [PATCH 03/10] tests/qapi-schema: Cover simple argument types Markus Armbruster
2014-02-07 2:32 ` Eric Blake
2014-02-06 14:29 ` [Qemu-devel] [PATCH 04/10] tests/qapi-schema: Cover anonymous union types Markus Armbruster
2014-02-07 2:35 ` Eric Blake
2014-02-06 14:29 ` [Qemu-devel] [PATCH 05/10] tests/qapi-schema: Cover complex types with base Markus Armbruster
2014-02-07 2:38 ` Eric Blake
2014-02-06 14:29 ` [Qemu-devel] [PATCH 06/10] tests/qapi-schema: Cover union " Markus Armbruster
2014-02-07 2:40 ` Eric Blake
2014-02-06 14:29 ` [Qemu-devel] [PATCH 07/10] tests/qapi-schema: Cover flat union types Markus Armbruster
2014-02-07 2:51 ` Eric Blake
2014-02-06 14:29 ` [Qemu-devel] [PATCH 08/10] qapi: Drop nonsensical header guard in generated qapi-visit.c Markus Armbruster
2014-02-07 2:52 ` Eric Blake
2014-02-06 14:29 ` [Qemu-devel] [PATCH 09/10] qapi: Drop unused code in qapi-commands.py Markus Armbruster
2014-02-07 2:56 ` Eric Blake
2014-02-06 14:30 ` [Qemu-devel] [PATCH 10/10] qapi: Clean up null checking in generated visitors Markus Armbruster
2014-02-07 3:10 ` Eric Blake
2014-02-07 7:34 ` Markus Armbruster
2014-02-07 12:42 ` Paolo Bonzini [this message]
2014-02-07 14:23 ` Markus Armbruster
2014-02-07 14:45 ` Paolo Bonzini
2014-02-10 13:29 ` Markus Armbruster
2014-02-11 9:06 ` Paolo Bonzini
2014-02-11 12:35 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52F4D4B0.4010307@redhat.com \
--to=pbonzini@redhat.com \
--cc=aliguori@amazon.com \
--cc=armbru@redhat.com \
--cc=kwolf@redhat.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.