intel-gfx.lists.freedesktop.org archive mirror
 help / color / mirror / Atom feed
From: Martin Peres <martin.peres@linux.intel.com>
To: Dave Gordon <david.s.gordon@intel.com>, intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH 1/7] device: prevent a NULL pointer dereference in __intel_peek_fd
Date: Tue, 16 Feb 2016 13:09:13 +0200	[thread overview]
Message-ID: <56C30359.3060601@linux.intel.com> (raw)
In-Reply-To: <56C2E3AA.5080203@intel.com>

On 16/02/16 10:54, Dave Gordon wrote:
> On 15/02/16 15:56, Martin Peres wrote:
>> On 15/02/16 15:47, Dave Gordon wrote:
>>> On 15/02/16 13:40, Martin Peres wrote:
>>>> On 15/02/16 14:24, Dave Gordon wrote:
>>>>> On 12/02/16 16:31, Martin Peres wrote:
>>>>>> This is not a big issue to return -1 since the only codepath that
>>>>>> uses
>>>>>> it is for display purposes.
>>>>>>
>>>>>> Caught by Klockwork.
>>>>>>
>>>>>> Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
>>>>>> ---
>>>>>>   src/intel_device.c | 5 ++++-
>>>>>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/src/intel_device.c b/src/intel_device.c
>>>>>> index 54c1443..35e652a 100644
>>>>>> --- a/src/intel_device.c
>>>>>> +++ b/src/intel_device.c
>>>>>> @@ -650,7 +650,10 @@ int __intel_peek_fd(ScrnInfoPtr scrn)
>>>>>>       dev = intel_device(scrn);
>>>>>>       assert(dev && dev->fd != -1);
>>>>>
>>>>> Doesn't Klocwork recognise the assert() above?
>>>>> I thought that would tell it that dev can't be NULL.
>>>>
>>>> It does not, I had to close many false positives related to this...
>>>
>>> Hmmm .. elsewhere (e.g. [4/7]) you have /added/ an assert, which I
>>> thought must be so that Klocwork stops complaining that something might
>>> be NULL ... maybe it can't handle the composite assertion? Does it
>>> silence the complaint if you change:
>>>      assert(dev && dev->fd != -1);
>>> into:
>>>      assert(dev);
>>>      assert(dev->fd != -1);
>>> ?
>>
>> Sure, I added an assert, but not to silence patchwork, just to make sure
>> we have no problem. I cannot run klokwork myself and my goal was not to
>> silence but instead to check the reported issues.
>>
>> David is right, I think Klokwork only cares about runtime checks and
>> wants to make sure that we never de-reference a NULL pointer.
>>
>> Martin
>
> Klocwork is trying (by static analysis) to find all reachable code, with
> all possible parameter values at each point. It's configured with
> various checkers that examine each expression reached for things such as
> dereferencing a possibly-NULL pointer, or indexing beyond the bounds of
> an array, or integer overflow, or many other things ...
>
> The standard definition of assert() is something like:
>
>      #define assert(x) do { if(!(x)) abort(); } while (0)
>
> and Klocwork knows that abort() doesn't return, so in the block
>
>      dev = intel_device(scrn);
>      assert(dev);
>      return dev->fd;
>
> it can deduce that the 'return' is reached only if the abort() was not,
> hence only if 'dev' is non-NULL. Therefore, this doesn't produce a
> complaint about a possibly-NULL pointer, because Klocwork knows it isn't
> because of the assert().
>
> Of course there are potentially multiple definitions of assert(),
> typically including a null one, for production code, and a debug version
> that gives more detail. So the usual thing is to ensure that there's a
> Klocwork-specific version that allows KW to do the analysis above, even
> if that version isn't something you would ever run:
>
> #if    defined(__KLOCWORK__)
> #define assert(x) do { if(!(x)) abort(); } while (0)
> #elif  defined(NO_DEBUG)
> #define assert(x) do { /* nothing */ ; } while (0)
> #elif  defined(EXTRA_DEBUG)
> #define assert(x) do { my_assert(x, #x, __LINE__, __FILE__); } while (0)
> #else
> // ... etc ...
> #endif

That sounds like a good idea, yes.

Here is the current definition: 
https://cgit.freedesktop.org/xorg/driver/xf86-video-intel/tree/src/sna/xassert.h

>
> If we don't have something like this, Klocwork may not be able to make
> effective deductions about the possible values of variables at specific
> points, so it would be worth checking that we're using macros that it
> understands.

We don't, because there is a test on NDEBUG which Klokwork cannot make 
assumptions on, as David said.

I will hold on to this idea a little as there are talks internally on to 
which static analysis tool needs to be used.

Thanks for your feedback,
Martin
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

  reply	other threads:[~2016-02-16 11:09 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-12 16:31 [PATCH DDX 0/7] Some issues found with Klockwork Martin Peres
2016-02-12 16:31 ` [PATCH 1/7] device: prevent a NULL pointer dereference in __intel_peek_fd Martin Peres
2016-02-12 16:40   ` Chris Wilson
2016-02-15 12:24   ` Dave Gordon
2016-02-15 13:40     ` Martin Peres
2016-02-15 13:47       ` Dave Gordon
2016-02-15 15:56         ` Martin Peres
2016-02-16  8:54           ` Dave Gordon
2016-02-16 11:09             ` Martin Peres [this message]
2016-02-15 13:43     ` David Weinehall
2016-02-15 14:08       ` Dave Gordon
2016-02-12 16:31 ` [PATCH 2/7] display: prevent a NULL pointer dereference in intel_set_scanout_pixmap Martin Peres
2016-02-12 17:34   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 3/7] sna: check for NULL before dereferencing a pointer Martin Peres
2016-02-12 16:48   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 4/7] sna: assert a pointer is non-NULL before dereferencing it Martin Peres
2016-02-12 16:42   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 5/7] sna/cursor: add an assert on cursor->image Martin Peres
2016-02-12 16:47   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 6/7] sna_video_sprite: add asserts to catch invalid pipe# Martin Peres
2016-02-12 16:45   ` Chris Wilson
2016-02-12 16:31 ` [PATCH 7/7] sna: add an assert in the lengthy sna_drawable_use_bo Martin Peres
2016-02-12 16:45   ` Chris Wilson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56C30359.3060601@linux.intel.com \
    --to=martin.peres@linux.intel.com \
    --cc=david.s.gordon@intel.com \
    --cc=intel-gfx@lists.freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).