From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Markus Vervier <markus.vervier@x41-dsec.de>
Cc: git@vger.kernel.org
Subject: Re: Covierty Integration / Improvement
Date: Wed, 6 Apr 2022 17:08:37 +0200 (CEST)
Message-ID: <nycvar.QRO.7.76.6.2204061620110.379@tvgsbejvaqbjf.bet>
In-Reply-To: <nycvar.QRO.7.76.6.2204052352030.379@tvgsbejvaqbjf.bet>

Team,

On Wed, 6 Apr 2022, Johannes Schindelin wrote:
> On Fri, 1 Apr 2022, Markus Vervier wrote:
>
> > - Could you tell us more about the amount and types of false positives
> > and problems you've faced trying to eliminate them? This will help us
> > to understand the expectations / requirements for a successful
> > integration of Coverity.
>
> From the top of my head, I would estimate about 60-70% of the results to
> be false positives.
>
> As Junio pointed out, we do not consider memory to be leaked in one-shot
> processes where memory is allocated, once, in the equivalent of a
> `main()` function. Sure, we could add a slew of `free()` calls right
> before exiting the process, but that's kind of pointless.
>
> Another major source of false positives is our string data structure,
> which offers a small-ish static, read-only buffer to get started, but
> replaces that with something `malloc()`ed/`realloc()`ed as soon as the
> string is about to be manipulated. Yet Coverity insists that we're
> writing into a read-only buffer, and get out of bounds, which is simply
> not true.
>
> Similar issues are reported with our `strvec` data structure that has
> the same allocation pattern.
>
> Since the false positives outnumber the valid issues reported by
> Coverity, we have not been very eager to sift through new reports.
>
> The list of categories of false positives listed above is not
> exhaustive, of course, but combined with how cumbersome it is to get
> access to the reports (they cannot be viewed anonymously), you get an
> idea why we do not pay all that much attention to Coverity.
I have fixed Git for Windows' Coverity build and started to sift through
the 154 new defects reported as of v2.36.0-rc0.

Sadly, there is now a new class of overwhelming false positives: Coverity
claims that "strbuf_addstr does not [NUL-]terminate", which is of course
false. Specifically, Coverity explains that:

    /strbuf.c
    296 void strbuf_add(struct strbuf *sb, const void *data, size_t len)
    297 {
    298 	strbuf_grow(sb, len);
        1. string_copy: Calling memcpy copies a source string data to sb->buf.
        2. string_null_source: The argument sb->buf will not be
           null[sic!]-terminated, because either the source string is not
           null-terminated, or the length of source string data is greater than
           or equal to the size argument len.
    299 	memcpy(sb->buf + sb->len, data, len);
    300 	strbuf_setlen(sb, sb->len + len);
    301 }

In other words, it misses the fact that `strbuf_setlen()` _does_ set
`sb->buf[sb->len] = '\0'` (I assume that Coverity gets confused by the
`slopbuf` once again).

I stopped after the first 30-40 instances of "String not null terminated"
reports because my time is a bit too expensive to spend on reports like
that. Among the reported issues I looked at, there were two false
positives where Coverity misinterpreted how much space was allocated (and
thought we'd overrun, which we don't), the rest were those NUL-termination
false positives.

Ciao,
Johannes
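The pattern the mail describes (a static, read-only "slopbuf" that is swapped for heap memory on first write, and a `setlen()` step that writes the terminating NUL after `memcpy()`) is easy to check at runtime, which is the natural way to triage an analyzer report of this kind. The following is an added, self-contained toy model of that pattern; it is not git's own strbuf.c, and all `toy_*` names, the 32-byte initial allocation and the sample input are constructed for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the strbuf allocation pattern described in the mail
 * (added example, not git's strbuf.c). A shared static one-byte buffer
 * backs every empty string; it is replaced by heap memory the first time
 * the string grows, so the static buffer is never written past index 0. */
static char toy_slopbuf[1];

struct toy_strbuf {
    size_t alloc;  /* bytes allocated; 0 while buf still points at slopbuf */
    size_t len;    /* bytes in use, excluding the terminating NUL */
    char *buf;     /* invariant: buf[len] == '\0' at all times */
};

#define TOY_STRBUF_INIT { 0, 0, toy_slopbuf }

/* Make room for `extra` more bytes plus the terminating NUL. */
static void toy_strbuf_grow(struct toy_strbuf *sb, size_t extra)
{
    size_t need = sb->len + extra + 1;
    size_t cap;
    char *p;

    if (need <= sb->alloc)
        return;
    if (sb->alloc == 0) {
        /* Leaving slopbuf: a static buffer must never be realloc()ed. */
        cap = need < 32 ? 32 : need;   /* 32 is an arbitrary initial size */
        p = malloc(cap);
        if (!p)
            abort();
        p[0] = '\0';
    } else {
        cap = sb->alloc * 2;
        if (cap < need)
            cap = need;
        p = realloc(sb->buf, cap);
        if (!p)
            abort();
    }
    sb->buf = p;
    sb->alloc = cap;
}

/* Set the length and write the NUL terminator. This is the step the
 * analyzer overlooked when it flagged the memcpy() as leaving the
 * buffer unterminated. */
static void toy_strbuf_setlen(struct toy_strbuf *sb, size_t len)
{
    if (sb->alloc == 0)
        assert(len == 0);          /* slopbuf can only hold "" */
    else
        assert(len < sb->alloc);   /* room for the terminator */
    sb->len = len;
    sb->buf[len] = '\0';
}

static void toy_strbuf_add(struct toy_strbuf *sb, const void *data, size_t len)
{
    toy_strbuf_grow(sb, len);
    memcpy(sb->buf + sb->len, data, len);  /* copies no terminator ... */
    toy_strbuf_setlen(sb, sb->len + len);   /* ... but this writes one */
}

static void toy_strbuf_addstr(struct toy_strbuf *sb, const char *s)
{
    toy_strbuf_add(sb, s, strlen(s));
}

static void toy_strbuf_release(struct toy_strbuf *sb)
{
    if (sb->alloc)
        free(sb->buf);
    sb->alloc = 0;
    sb->len = 0;
    sb->buf = toy_slopbuf;
}

/* Runtime check of the invariant the report disputes: after appending a
 * deliberately unterminated byte array and then a string long enough to
 * force a realloc(), buf[len] is NUL, the content is intact, and the
 * static slopbuf is untouched. Returns 1 when every check passes. */
int toy_strbuf_invariant_holds(void)
{
    struct toy_strbuf sb = TOY_STRBUF_INIT;
    const char raw[3] = { 'a', 'b', 'c' };   /* constructed: no NUL */
    int ok;

    toy_strbuf_add(&sb, raw, sizeof raw);
    toy_strbuf_addstr(&sb, "defghijklmnopqrstuvwxyz0123456789");  /* 33 bytes */
    ok = sb.len == 36
         && sb.buf[sb.len] == '\0'
         && strcmp(sb.buf, "abcdefghijklmnopqrstuvwxyz0123456789") == 0
         && sb.buf != toy_slopbuf
         && toy_slopbuf[0] == '\0';
    toy_strbuf_release(&sb);
    return ok;
}

int main(void)
{
    printf("NUL-termination invariant holds: %d\n", toy_strbuf_invariant_holds());
    return 0;
}
```

The point of the check is that `memcpy()` in isolation indeed copies no terminator; the invariant only holds because `setlen()` runs on the same path before the buffer is ever read as a C string. Building such a check (or running the real code under a sanitizer) is a quicker way to settle an analyzer finding of this shape than reading each report individually.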