qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PING 0.14] Missing patches (mostly fixes)

From: Stefan Weil
Subject: Re: [Qemu-devel] [PING 0.14] Missing patches (mostly fixes)
Date: Fri, 04 Feb 2011 18:36:39 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20101226 Iceowl/1.0b1 Icedove/3.0.11 
Am 04.02.2011 18:21, schrieb Anthony Liguori:

On 02/04/2011 11:18 AM, Stefan Weil wrote:

Am 04.02.2011 16:27, schrieb Markus Armbruster:

Anthony Liguori <address@hidden> writes:


On 02/02/2011 01:28 PM, Stefan Weil wrote:

[...]

[PATCH 1/3] tests: Fix two memory leaks
(http://patchwork.ozlabs.org/patch/79945/)



[PATCH 2/3] check-qdict: Fix possible crash
(http://patchwork.ozlabs.org/patch/79946/)


Luiz


I wouldn't bother with the second one for 0.14. Yes, we're reading
lines from a file with %s, but it's a fixed file with known contents, no 
long lines, and we're reading it in a test program only developers ever
use.

As to the first one, Luiz has never touched that file. Neither have I,
and it's not obvious to me why it should go into 0.14.

[...]


Even if the current code does not result in a real bug at the moment,
it should get fixed:

* Using tools like cppcheck (or others) to find bugs is good,
  because it finds bugs which are important.
  Sorting out "unimportant" bugs from the results wastes time
  which could be invested better, and this waste of time lasts
  forever until the "unimportant" bug will be fixed. The sooner
  you fix it, the better it is.
No, this is not a good use of time. I've said multiple times in the past, I'm not interested in implementing work arounds for false positives in static analysis tools.
We have enough real problems to fix, we don't need to waste cycles on psuedo problems. 

Regards,

Anthony Liguori


Hi Anthony,

please accept that even if you said something multiple times,
other people might have a different point of view.
QEMU is team work, isn't it?

Both positives are correct, there was no false positive:

Reading strings from external files into limited memory
without limiting their length is bad. Even if it works with
some input data, this kind of programming will be copied
by novice programmers and used with data which is critical.

In the second case, it might be a philosophical question
whether resources like memory or files should be released
explicitly. I tend to say yes, other people say no because the
OS will release them automatically when the program terminates.
But there is no doubt that the tool which says there is a leak
is right.

Regards,
Stefan Weil
reply via email to
[Prev in Thread] Current Thread [Next in Thread]