Date: Wed, 23 Apr 2014 12:06:30 +0200 From: Erik Cederstrand <erik+lists@cederstrand.dk> To: "Ronald F. Guilmette" <rfg@tristatelogic.com> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole? Message-ID: <50CA7E78-BB5E-4872-A272-B7374627EC12@cederstrand.dk> In-Reply-To: <10999.1398215531@server1.tristatelogic.com> References: <10999.1398215531@server1.tristatelogic.com>
index | next in thread | previous in thread | raw e-mail
Den 23/04/2014 kl. 03.12 skrev Ronald F. Guilmette <rfg@tristatelogic.com>: > > In message <20140423010054.2891E143D098@rock.dv.isc.org>, > Mark Andrews <marka@isc.org> wrote: > >> As for the number of CLANG analysis warnings. Clang has false >> positives > > Please define your terms. > > I do imagine that the truth or falsehood of your assertion may depend > quite substantally on what one does or does not consider a "false > positive" in this context. Have a look at the ~10.000 reports at http://scan.freebsd.your.org/freebsd-head/ (unavailable ATM). Silly things are reported like missing return at the end of main() or not free()ing memory two lines before program exit. There are nonsensical reports because the analyzer doesn't detect exit() in a usage() function because usage() is defined in a separate compilation unit, or this: int foo(int y, int z) { int x; if (y == z) { x = 0; } else { if (y != z) { x = 1; } } return x; } warning that x may be uninitialized. Fixing these require considerable effort e.g. improving IPA and adding alpha-remaning support to the analyzer's constraint manager, or would result in unnecessary code churn in FreeBSD just to work around the reports. My best guess is that at least 90% of the reports are either false positives or really silly. Which doesn't mean that the reports are useless, but a lot of time is wasted finding real bugs. Erikhelp
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50CA7E78-BB5E-4872-A272-B7374627EC12>