|
From: | Stefan Weil |
Subject: | Re: [Qemu-devel] [PING 0.14] Missing patches (mostly fixes) |
Date: | Fri, 04 Feb 2011 18:36:39 +0100 |
User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20101226 Iceowl/1.0b1 Icedove/3.0.11 |
Am 04.02.2011 18:21, schrieb Anthony Liguori:
On 02/04/2011 11:18 AM, Stefan Weil wrote:Am 04.02.2011 16:27, schrieb Markus Armbruster:Anthony Liguori <address@hidden> writes:On 02/02/2011 01:28 PM, Stefan Weil wrote:[...][PATCH 1/3] tests: Fix two memory leaks (http://patchwork.ozlabs.org/patch/79945/)[PATCH 2/3] check-qdict: Fix possible crash (http://patchwork.ozlabs.org/patch/79946/)LuizI wouldn't bother with the second one for 0.14. Yes, we're readinglines from a file with %s, but it's a fixed file with known contents, nolong lines, and we're reading it in a test program only developers ever use. As to the first one, Luiz has never touched that file. Neither have I, and it's not obvious to me why it should go into 0.14. [...]Even if the current code does not result in a real bug at the moment, it should get fixed: * Using tools like cppcheck (or others) to find bugs is good, because it finds bugs which are important. Sorting out "unimportant" bugs from the results wastes time which could be invested better, and this waste of time lasts forever until the "unimportant" bug will be fixed. The sooner you fix it, the better it is.No, this is not a good use of time. I've said multiple times in the past, I'm not interested in implementing work arounds for false positives in static analysis tools.We have enough real problems to fix, we don't need to waste cycles on psuedo problems.Regards, Anthony Liguori
Hi Anthony, please accept that even if you said something multiple times, other people might have a different point of view. QEMU is team work, isn't it? Both positives are correct, there was no false positive: Reading strings from external files into limited memory without limiting their length is bad. Even if it works with some input data, this kind of programming will be copied by novice programmers and used with data which is critical. In the second case, it might be a philosophical question whether resources like memory or files should be released explicitly. I tend to say yes, other people say no because the OS will release them automatically when the program terminates. But there is no doubt that the tool which says there is a leak is right. Regards, Stefan Weil
[Prev in Thread] | Current Thread | [Next in Thread] |