Hi Tamas: We currently are using Coverity for static scans. There’s a Github action/workflow that runs weekly (Sundays) on the main branch (https://github.com/MapServer/MapServer/actions/workflows/coverity-scan.yml) - although it failed yesterday owing to upgrades on the Coverity side of things. I need to read through the changes to understand what we need to change in our workflow. Obviously Coverity didn’t catch this particular problem. Having some overlap using separate tools might not be a bad thing. --Steve
From: MapServer-dev <[email protected]> On Behalf Of Tamas Szekeres Sent: Monday, February 14, 2022 10:07 AM To: [email protected] Subject: Re: [mapserver-dev] Mapserver assertion handling causing potential crashes This message may be from an external email source. Do not select links or open attachments unless verified. Report all suspicious emails to Minnesota IT Services Security Operations Center. ________________________________ As far as I can see such kind of issues can easily be detected by a static code analyzer tool like this: https://sonarcloud.io/<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsonarcloud.io%2F&data=04%7C01%7Csteve.lime%40state.mn.us%7C1fefb794372b41efde2308d9efd40348%7Ceb14b04624c445198f26b89c2159828c%7C0%7C0%7C637804517455122173%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=PdHAdrscwD6OykPMrEZBAJlmiy86D2v7jVODoJalCko%3D&reserved=0> This seems to be free of use for any open source projects. What do you think using such tools regularly as part of the continuous integration? Best regards, Tamas Tamas Szekeres <[email protected]<mailto:[email protected]>> ezt írta (időpont: 2022. febr. 12., Szo, 21:26): Even, Thank you for the fix. I agree that assert does have it's own purpose (when debugging), but the code should never expect that assert will do anything to prevent the code to continue the execution (like what throwing an exception would do). So dereferencing a null pointer in the subsequent code without checking the pointer against null is prohibited. Best regards, Tamas Even Rouault <[email protected]<mailto:[email protected]>> ezt írta (időpont: 2022. febr. 12., Szo, 20:25): Hopefully https://github.com/MapServer/MapServer/pull/6477<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMapServer%2FMapServer%2Fpull%2F6477&data=04%7C01%7Csteve.lime%40state.mn.us%7C1fefb794372b41efde2308d9efd40348%7Ceb14b04624c445198f26b89c2159828c%7C0%7C0%7C637804517455122173%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=aEUqheVdwCvJCKv1%2FcxRQLadND3%2Bw%2FBXzDSrIzmFgro%3D&reserved=0> should fix that to use or not to use assert(), and where, is one of the many debates for which devs will have different opinions : https://stackoverflow.com/questions/1081409/why-should-i-use-asserts<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F1081409%2Fwhy-should-i-use-asserts&data=04%7C01%7Csteve.lime%40state.mn.us%7C1fefb794372b41efde2308d9efd40348%7Ceb14b04624c445198f26b89c2159828c%7C0%7C0%7C637804517455122173%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=NEfqfY3R9dyHf9PGzqgWfPhTRcexJ5EqPj4KwcYJGoE%3D&reserved=0> . I'd say assert() are supposed to be used for conditions you don't anticipate to happen in practice and thus for which you don't have a plan if they occur (a good reason is because you can't test it and thus the error handling might be broken because untested). Of course practice sometimes/often later contradicts your theories, as the impossible has a trend to occur more often than you'd like :-) Even Le 12/02/2022 à 19:49, Steve Lime a écrit : ert( layer->layerinfo != N -- http://www.spatialys.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.spatialys.com%2F&data=04%7C01%7Csteve.lime%40state.mn.us%7C1fefb794372b41efde2308d9efd40348%7Ceb14b04624c445198f26b89c2159828c%7C0%7C0%7C637804517455122173%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=X%2BKdBNOzHTRmpNiCch6pMzvLTLWPsx%2B9RW0WbSvcvnQ%3D&reserved=0> My software is free, but my time generally not. _______________________________________________ MapServer-dev mailing list [email protected]<mailto:[email protected]> https://lists.osgeo.org/mailman/listinfo/mapserver-dev<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.osgeo.org%2Fmailman%2Flistinfo%2Fmapserver-dev&data=04%7C01%7Csteve.lime%40state.mn.us%7C1fefb794372b41efde2308d9efd40348%7Ceb14b04624c445198f26b89c2159828c%7C0%7C0%7C637804517455122173%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=kIpkbJOYs1jZZL9cb2tTYJzQDKA6SK%2BADhwaKYy%2Fe4s%3D&reserved=0>
_______________________________________________ MapServer-dev mailing list [email protected] https://lists.osgeo.org/mailman/listinfo/mapserver-dev
