From: "Ronald F. Guilmette"
To: "freebsd-security@freebsd.org security"
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
In-Reply-To: <86zjj9mivi.fsf@nine.des.no>
Date: Fri, 25 Apr 2014 13:24:44 -0700
Message-ID: <32060.1398457484@server1.tristatelogic.com>

In message <86zjj9mivi.fsf@nine.des.no>, Dag-Erling Smørgrav wrote:

>Ben Laurie writes:
>> Dag-Erling Smørgrav writes:
>> > https://en.wikipedia.org/wiki/Halting_problem
>> Curious what the halting problem can tell us about finding/fixing bugs?
>
>Some participants in this thread claim that there is no such thing as a
>false positive from a static analyzer.

I suppose that you might possibly be referring to me. Assuming so, I would respond as follows...

Sir, I believe that you may have misconstrued my comments.
I should probably go back now and look at exactly what I may have said, and try to find how that could have been interpreted in this way; however, I do know that I did attempt to make the point that (for example) a warning saying that there is no return statement at the end of a function, when in fact there is no return statement at the end of said function, is not in any sense a "false positive". I still stand by that assertion, which I believe is self-evident.

Separately, a code example of the following general form was discussed:

    if (condition)
        variable = value1;
    if (!condition)
        variable = value2;
    use (variable);

It was noted that code of this form can generate a "false positive" warning, from some or many code analyzers, to the effect that "variable" may be used while in an "uninitialized" state.

I agree entirely that, given code of the above form, the variable will never in fact be used while in an uninitialized state, and that thus any such warning is rather unambiguously "false". I don't believe that I suggested otherwise.

I did however note that the warning in such cases may be trivially quieted by the addition of an (unconditional) initialization of "variable" somewhere prior to the code in question. I did that in response to an assertion that eliminating such a warning might be in some sense "too hard", even though the party or parties to which such an assertion might apply were not specified.

>A corollary of the halting problem...

Although this interesting digression may have something to do with either comments that were made, by someone, or with your interpretation of comments that may have been made, by either me or someone else, I am not persuaded that it has anything at all to do with the two specific (and self-evident?) points that I made earlier, and that I have just reiterated above.

Regards,
rfg
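The two-complementary-ifs pattern discussed in the mail, alongside the unconditionally-initialized variant that quiets the analyzer, as a compilable C example. This is an added illustration, not code from the list thread; the function names, the integer values standing in for value1/value2, and the input `cond` are all constructed here.

```c
#include <stdio.h>

/* Added example (not from the original mail). Both functions return the
 * same value for every input; "cond" is a constructed input standing in
 * for "condition" in the mail's example. */

/* The form discussed on the list. Every path does assign "variable" before
 * the use, so a "may be used uninitialized" diagnostic here is a genuine
 * false positive. An analyzer only reports it because it does not prove
 * that "!cond" is exactly the complement of "cond". */
int select_two_ifs(int cond)
{
    int variable;
    if (cond)
        variable = 1;       /* value1 */
    if (!cond)
        variable = 2;       /* value2 */
    return variable;        /* use (variable) */
}

/* Identical logic with the remedy the mail describes: an unconditional
 * initialization placed before the code in question. The initial value is
 * never observed (one of the two branches always overwrites it), so the
 * behaviour is unchanged, but the analyzer no longer has to reason about
 * the relationship between the two conditions. */
int select_initialized(int cond)
{
    int variable = 0;       /* unconditional initialization; never observed */
    if (cond)
        variable = 1;       /* value1 */
    if (!cond)
        variable = 2;       /* value2 */
    return variable;
}

int main(void)
{
    int cond;
    for (cond = 0; cond <= 1; cond++)
        printf("cond=%d two_ifs=%d initialized=%d\n", cond,
               select_two_ifs(cond), select_initialized(cond));
    return 0;
}
```

Compiling with warnings enabled (for example `gcc -Wall -O2`, where GCC's `-Wmaybe-uninitialized` is part of `-Wall`) lets you observe whether your particular compiler or analyzer flags the first function; whether it does depends on how much control-flow reasoning that tool performs, which is the mail's point. The second function gives the tool nothing to reason about and returns the same values.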