From owner-freebsd-security@FreeBSD.ORG Wed Apr 23 10:14:01 2014
From: Erik Cederstrand
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Date: Wed, 23 Apr 2014 12:06:30 +0200
Message-Id: <50CA7E78-BB5E-4872-A272-B7374627EC12@cederstrand.dk>
In-Reply-To: <10999.1398215531@server1.tristatelogic.com>
List-Id: "Security issues [members-only posting]"

On 23/04/2014 at 03.12, Ronald F. Guilmette wrote:

> 
> In message <20140423010054.2891E143D098@rock.dv.isc.org>, 
> Mark Andrews wrote:
> 
>> As for the number of CLANG analysis warnings. Clang has false
>> positives
> 
> Please define your terms. 
> 
> I do imagine that the truth or falsehood of your assertion may depend
> quite substantially on what one does or does not consider a "false
> positive" in this context.

Have a look at the ~10,000 reports at http://scan.freebsd.your.org/freebsd-head/ (unavailable ATM). Silly things are reported, like a missing return at the end of main() or not free()ing memory two lines before program exit. There are nonsensical reports because the analyzer doesn't detect exit() in a usage() function, because usage() is defined in a separate compilation unit, or this:

    int
    foo(int y, int z)
    {
            int x;

            if (y == z) {
                    x = 0;
            } else {
                    if (y != z) {
                            x = 1;
                    }
            }
            return x;
    }

warning that x may be uninitialized. Fixing these requires considerable effort, e.g. improving IPA and adding alpha-renaming support to the analyzer's constraint manager, or would result in unnecessary code churn in FreeBSD just to work around the reports.

My best guess is that at least 90% of the reports are either false positives or really silly. Which doesn't mean that the reports are useless, but a lot of time is wasted finding real bugs.

Erik
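The two report shapes Erik describes, each beside a form the analyzer does handle, as an added example that is not part of his message or of the FreeBSD tree. The function names, the port-parsing wrapper, the exit status and the sample inputs are assumptions made for the example; the noreturn attribute is the standard GCC/Clang spelling of what FreeBSD's <sys/cdefs.h> abbreviates as __dead2.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Shape 1: the control-flow false positive from the message. At run time
 * every path assigns x (either y == z holds, or else y != z holds), so the
 * function is well-defined. The analyzer's constraint manager does not
 * connect the inner test to the negation of the outer one, so it keeps a
 * path on which x is never written and reports that x may be returned
 * uninitialized.
 */
int foo_as_reported(int y, int z)
{
    int x;

    if (y == z) {
        x = 0;
    } else {
        if (y != z) {
            x = 1;
        }
    }
    return x;
}

/*
 * The same function with a single decision point. There is no second
 * constraint for the analyzer to lose track of, and no dummy initializer
 * added only to placate it. This is also exactly the kind of rewrite
 * Erik calls "code churn": it silences the tool but changes nothing
 * about program behaviour.
 */
int foo_rewritten(int y, int z)
{
    return (y == z) ? 0 : 1;
}

/*
 * Shape 2: usage() that calls exit(). In FreeBSD utilities usage() often
 * lives in another compilation unit, so the analyzer only sees the
 * prototype and keeps exploring the argc < 2 path below as if usage() had
 * returned; that is where the nonsensical reports come from. Annotating
 * the prototype tells both the compiler and the analyzer that the call
 * never returns, so that path is dropped. usage() is defined in this file
 * only to keep the example self-contained; the annotation on the
 * declaration is what matters across compilation units.
 */
static void usage(void) __attribute__((noreturn));

static void usage(void)
{
    fprintf(stderr, "usage: example <port>\n");
    exit(64);   /* assumed: sysexits-style EX_USAGE */
}

/* Parse argv[1] as a TCP port. Returns -1 for a malformed or out-of-range value. */
int parse_port(int argc, char **argv)
{
    char *end;
    long port;

    if (argc < 2)
        usage();    /* never returns; without the attribute the analyzer cannot know that */

    port = strtol(argv[1], &end, 10);
    if (*end != '\0' || port < 1 || port > 65535)
        return -1;
    return (int)port;
}

int main(int argc, char **argv)
{
    int port = parse_port(argc, argv);

    printf("foo(1,1)=%d foo(1,2)=%d port=%d\n",
           foo_rewritten(1, 1), foo_rewritten(1, 2), port);
    return port < 0 ? 1 : 0;
}
```

To see the difference the tool makes, run `clang --analyze example.c` once as written, then once with the noreturn attribute removed and foo_as_reported renamed into foo's place; the annotated declaration is the one-line fix that costs no churn, while the ternary rewrite is a judgement call about whether the new form is better on its own merits.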