All of lore.kernel.org
 help / color / mirror / Atom feed
From: Martin Peres <martin.peres@linux.intel.com>
To: Dave Gordon <david.s.gordon@intel.com>, intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH 1/7] device: prevent a NULL pointer dereference in __intel_peek_fd
Date: Tue, 16 Feb 2016 13:09:13 +0200	[thread overview]
Message-ID: <56C30359.3060601@linux.intel.com> (raw)
In-Reply-To: <56C2E3AA.5080203@intel.com>

On 16/02/16 10:54, Dave Gordon wrote:
> On 15/02/16 15:56, Martin Peres wrote:
>> On 15/02/16 15:47, Dave Gordon wrote:
>>> On 15/02/16 13:40, Martin Peres wrote:
>>>> On 15/02/16 14:24, Dave Gordon wrote:
>>>>> On 12/02/16 16:31, Martin Peres wrote:
>>>>>> This is not a big issue to return -1 since the only codepath that
>>>>>> uses
>>>>>> it is for display purposes.
>>>>>>
>>>>>> Caught by Klockwork.
>>>>>>
>>>>>> Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
>>>>>> ---
>>>>>>   src/intel_device.c | 5 ++++-
>>>>>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/src/intel_device.c b/src/intel_device.c
>>>>>> index 54c1443..35e652a 100644
>>>>>> --- a/src/intel_device.c
>>>>>> +++ b/src/intel_device.c
>>>>>> @@ -650,7 +650,10 @@ int __intel_peek_fd(ScrnInfoPtr scrn)
>>>>>>       dev = intel_device(scrn);
>>>>>>       assert(dev && dev->fd != -1);
>>>>>
>>>>> Doesn't Klocwork recognise the assert() above?
>>>>> I thought that would tell it that dev can't be NULL.
>>>>
>>>> It does not, I had to close many false positives related to this...
>>>
>>> Hmmm .. elsewhere (e.g. [4/7]) you have /added/ an assert, which I
>>> thought must be so that Klocwork stops complaining that something might
>>> be NULL ... maybe it can't handle the composite assertion? Does it
>>> silence the complaint if you change:
>>>      assert(dev && dev->fd != -1);
>>> into:
>>>      assert(dev);
>>>      assert(dev->fd != -1);
>>> ?
>>
>> Sure, I added an assert, but not to silence patchwork, just to make sure
>> we have no problem. I cannot run klokwork myself and my goal was not to
>> silence but instead to check the reported issues.
>>
>> David is right, I think Klokwork only cares about runtime checks and
>> wants to make sure that we never de-reference a NULL pointer.
>>
>> Martin
>
> Klocwork is trying (by static analysis) to find all reachable code, with
> all possible parameter values at each point. It's configured with
> various checkers that examine each expression reached for things such as
> dereferencing a possibly-NULL pointer, or indexing beyond the bounds of
> an array, or integer overflow, or many other things ...
>
> The standard definition of assert() is something like:
>
>      #define assert(x) do { if(!(x)) abort(); } while (0)
>
> and Klocwork knows that abort() doesn't return, so in the block
>
>      dev = intel_device(scrn);
>      assert(dev);
>      return dev->fd;
>
> it can deduce that the 'return' is reached only if the abort() was not,
> hence only if 'dev' is non-NULL. Therefore, this doesn't produce a
> complaint about a possibly-NULL pointer, because Klocwork knows it isn't
> because of the assert().
>
> Of course there are potentially multiple definitions of assert(),
> typically including a null one, for production code, and a debug version
> that gives more detail. So the usual thing is to ensure that there's a
> Klocwork-specific version that allows KW to do the analysis above, even
> if that version isn't something you would ever run:
>
> #if    defined(__KLOCWORK__)
> #define assert(x) do { if(!(x)) abort(); } while (0)
> #elif  defined(NO_DEBUG)
> #define assert(x) do { /* nothing */ ; } while (0)
> #elif  defined(EXTRA_DEBUG)
> #define assert(x) do { my_assert(x, #x, __LINE__, __FILE__); } while (0)
> #else
> // ... etc ...
> #endif

That sounds like a good idea, yes.

Here is the current definition: 
https://cgit.freedesktop.org/xorg/driver/xf86-video-intel/tree/src/sna/xassert.h

>
> If we don't have something like this, Klocwork may not be able to make
> effective deductions about the possible values of variables at specific
> points, so it would be worth checking that we're using macros that it
> understands.

We don't, because there is a test on NDEBUG which Klokwork cannot make 
assumptions on, as David said.

I will hold on to this idea a little as there are talks internally on to 
which static analysis tool needs to be used.

Thanks for your feedback,
Martin
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

  reply	other threads:[~2016-02-16 11:09 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-12 16:31 [PATCH DDX 0/7] Some issues found with Klockwork Martin Peres
2016-02-12 16:31 ` [PATCH 1/7] device: prevent a NULL pointer dereference in __intel_peek_fd Martin Peres
2016-02-12 16:40   ` Chris Wilson
2016-02-15 12:24   ` Dave Gordon
2016-02-15 13:40     ` Martin Peres
2016-02-15 13:47       ` Dave Gordon
2016-02-15 15:56         ` Martin Peres
2016-02-16  8:54           ` Dave Gordon
2016-02-16 11:09             ` Martin Peres [this message]
2016-02-15 13:43     ` David Weinehall
2016-02-15 14:08       ` Dave Gordon
2016-02-12 16:31 ` [PATCH 2/7] display: prevent a NULL pointer dereference in intel_set_scanout_pixmap Martin Peres
2016-02-12 17:34   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 3/7] sna: check for NULL before dereferencing a pointer Martin Peres
2016-02-12 16:48   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 4/7] sna: assert a pointer is non-NULL before dereferencing it Martin Peres
2016-02-12 16:42   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 5/7] sna/cursor: add an assert on cursor->image Martin Peres
2016-02-12 16:47   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 6/7] sna_video_sprite: add asserts to catch invalid pipe# Martin Peres
2016-02-12 16:45   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 7/7] sna: add an assert in the lengthy sna_drawable_use_bo Martin Peres
2016-02-12 16:45   ` Chris Wilson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56C30359.3060601@linux.intel.com \
    --to=martin.peres@linux.intel.com \
    --cc=david.s.gordon@intel.com \
    --cc=intel-gfx@lists.freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.