Re: [Qemu-devel] [PING 0.14] Missing patches (mostly fixes)

[Luiz Capitulino]

On Fri, 04 Feb 2011 18:36:39 +0100
Stefan Weil <address@hidden> wrote:

> Am 04.02.2011 18:21, schrieb Anthony Liguori:
> > On 02/04/2011 11:18 AM, Stefan Weil wrote:
> >> Am 04.02.2011 16:27, schrieb Markus Armbruster:
> >>> Anthony Liguori <address@hidden> writes:
> >>>
> >>>> On 02/02/2011 01:28 PM, Stefan Weil wrote:
> >>> [...]
> >>>>> [PATCH 1/3] tests: Fix two memory leaks
> >>>>> (http://patchwork.ozlabs.org/patch/79945/)
> >>>
> >>>>> [PATCH 2/3] check-qdict: Fix possible crash
> >>>>> (http://patchwork.ozlabs.org/patch/79946/)
> >>>>
> >>>> Luiz
> >>>
> >>> I wouldn't bother with the second one for 0.14. Yes, we're reading
> >>> lines from a file with %s, but it's a fixed file with known 
> >>> contents, no
> >>> long lines, and we're reading it in a test program only developers ever
> >>> use.
> >>>
> >>> As to the first one, Luiz has never touched that file. Neither have I,
> >>> and it's not obvious to me why it should go into 0.14.
> >>>
> >>> [...]
> >>
> >> Even if the current code does not result in a real bug at the moment,
> >> it should get fixed:
> >>
> >> * Using tools like cppcheck (or others) to find bugs is good,
> >>   because it finds bugs which are important.
> >>   Sorting out "unimportant" bugs from the results wastes time
> >>   which could be invested better, and this waste of time lasts
> >>   forever until the "unimportant" bug will be fixed. The sooner
> >>   you fix it, the better it is.
> >
> > No, this is not a good use of time.  I've said multiple times in the 
> > past, I'm not interested in implementing work arounds for false 
> > positives in static analysis tools.
> >
> > We have enough real problems to fix, we don't need to waste cycles on 
> > psuedo problems.
> >
> > Regards,
> >
> > Anthony Liguori
> 
> Hi Anthony,
> 
> please accept that even if you said something multiple times,
> other people might have a different point of view.
> QEMU is team work, isn't it?
> 
> Both positives are correct, there was no false positive:
> 
> Reading strings from external files into limited memory
> without limiting their length is bad.

This wasn't denied, what Markus said is that this is test code and
thus it isn't high priority for the (now released) 0.14 release.

> Even if it works with
> some input data, this kind of programming will be copied
> by novice programmers and used with data which is critical.

OMG, are they copying code from qemu?!

> 
> In the second case, it might be a philosophical question
> whether resources like memory or files should be released
> explicitly. I tend to say yes, other people say no because the
> OS will release them automatically when the program terminates.
> But there is no doubt that the tool which says there is a leak
> is right.
> 
> Regards,
> Stefan Weil
> 
>