Message-ID: <4D4C3927.6090400@mail.berlios.de>
Date: Fri, 04 Feb 2011 18:36:39 +0100
From: Stefan Weil
Subject: Re: [Qemu-devel] [PING 0.14] Missing patches (mostly fixes)
To: Anthony Liguori
Cc: Kevin Wolf, Anthony Liguori, "Michael S. Tsirkin", qemu-devel, Riku Voipio, Alexander Graf, Markus Armbruster, Blue Swirl, Gerd Hoffmann, Paolo Bonzini

On 04.02.2011 18:21, Anthony Liguori wrote:
> On 02/04/2011 11:18 AM, Stefan Weil wrote:
>> On 04.02.2011 16:27, Markus Armbruster wrote:
>>> Anthony Liguori writes:
>>>
>>>> On 02/02/2011 01:28 PM, Stefan Weil wrote:
>>> [...]
>>>>> [PATCH 1/3] tests: Fix two memory leaks
>>>>> (http://patchwork.ozlabs.org/patch/79945/)
>>>
>>>>> [PATCH 2/3] check-qdict: Fix possible crash
>>>>> (http://patchwork.ozlabs.org/patch/79946/)
>>>>
>>>> Luiz
>>>
>>> I wouldn't bother with the second one for 0.14. Yes, we're reading
>>> lines from a file with %s, but it's a fixed file with known
>>> contents, no long lines, and we're reading it in a test program
>>> only developers ever use.
>>>
>>> As to the first one, Luiz has never touched that file. Neither have I,
>>> and it's not obvious to me why it should go into 0.14.
>>>
>>> [...]
>>
>> Even if the current code does not result in a real bug at the moment,
>> it should get fixed:
>>
>> * Using tools like cppcheck (or others) to find bugs is good,
>> because it finds bugs which are important.
>> Sorting out "unimportant" bugs from the results wastes time
>> which could be invested better, and this waste of time lasts
>> forever until the "unimportant" bug will be fixed. The sooner
>> you fix it, the better it is.
>
> No, this is not a good use of time. I've said multiple times in the
> past, I'm not interested in implementing workarounds for false
> positives in static analysis tools.
>
> We have enough real problems to fix, we don't need to waste cycles on
> pseudo problems.
>
> Regards,
>
> Anthony Liguori

Hi Anthony,

please accept that even if you said something multiple times, other people might have a different point of view. QEMU is team work, isn't it?

Both positives are correct, there was no false positive:

Reading strings from external files into limited memory without limiting their length is bad. Even if it works with some input data, this kind of programming will be copied by novice programmers and used with data which is critical.

In the second case, it might be a philosophical question whether resources like memory or files should be released explicitly. I tend to say yes, other people say no because the OS will release them automatically when the program terminates. But there is no doubt that the tool which says there is a leak is right.

Regards,
Stefan Weil
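
The length-limited read argued for above, as an added example that is not part of the original thread and is not QEMU's code. The 128-byte buffer, the names `read_token`, `scan_sample` and `struct tally`, and the sample input are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>

#define TOKEN_MAX 128 /* assumed buffer size for this example */
struct tally { int accepted, rejected; };

/* Unbounded form under discussion, shown as a comment only:
 *     char key[TOKEN_MAX];
 *     fscanf(f, "%s", key);   // writes past key[] on a long token */

/* Read one whitespace-delimited token into buf.
 * Returns 1 on success, 0 at end of input, -1 if the token was too long. */
static int read_token(FILE *f, char buf[TOKEN_MAX])
{
    int c;
    /* Width is TOKEN_MAX - 1 because fscanf adds the terminating NUL. */
    if (fscanf(f, "%127s", buf) != 1)
        return 0;
    /* A width-limited %s stops silently in mid-token, so check that the
     * next character really ends the token. */
    c = fgetc(f);
    if (c == EOF || isspace(c))
        return 1;
    /* Too long: discard the remainder so the next read starts cleanly. */
    while ((c = fgetc(f)) != EOF && !isspace(c))
        ;
    return -1;
}

/* Constructed input: "key1 value1", one token of len bytes, "value2".
 * accepted is -1 if the temporary file could not be created. */
static struct tally scan_sample(size_t len)
{
    struct tally t = { 0, 0 };
    char buf[TOKEN_MAX];
    FILE *f = tmpfile();
    int r;
    if (!f) { t.accepted = -1; return t; }
    fputs("key1 value1\n", f);
    for (size_t i = 0; i < len; i++) fputc('A', f);
    fputs(" value2\n", f);
    rewind(f);
    while ((r = read_token(f, buf)) != 0) {
        if (r == 1) t.accepted++; else t.rejected++;
    }
    fclose(f);
    return t;
}

int main(void)
{
    struct tally t = scan_sample(5000);
    printf("accepted=%d rejected=%d\n", t.accepted, t.rejected);
    return 0;
}
```

The width alone prevents the overflow; the extra `fgetc` check is what keeps an overlong token from being split silently into two apparently valid ones.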