On 3/9/18 4:50 AM, Langer, Christoph wrote:
Hi Chris,
Secondly, it doesn't accept the assert as length check and complains:
fixed_size_dest: You might overrun the 17-character fixed-size string this-
_name by copying name without checking the length.
Agreed that the assert is not a length check in product builds. However,
the only caller has a length check. Have you tried moving this length
check into set_name() and see if the problem goes away? Although I don't
suggest that as a fix. Just curious as to what the result would be.
When doing a length check in set_name(), coverity would be pleased. But still
we'd have to handle length violations by either guaranteeing or returning some
error return code, or quietly truncating. But you say you don't suggest it as
fix anyway...
BTW, I just realized I had been ignoring the set_arg() changes all this
time and focused on set_name(). So if any of the complaints are unique
to set_arg() please let me know.
No, nothing unique.
And, 3rd, it considers the risk as elevated:
parameter_as_source: Note: This defect has an elevated risk because the
source argument is a parameter of the current function.
Is this a complaint about "name" being a source argument to strcpy(). If
so, I don't get this one. How are you going to copy "name" without
specifying it as an argument to something (strcpy, strncpy, memcpy,
etc). Besides, it is being passed to strcpy as a const argument. Makes
me wonder if adding const to the parameter declarations for both
set_name() and enqueue() would help.
I think coverity just considers this finding as elevated because the input data
isn't something static from inside the method but comes in as argument.
In my opinion the points are valid, because in opt builds there would be no
length check.
But there is a length check in the caller. Does coverity not see checks up the
call chain?
Obviously not.
I really think it would be easiest to go to my proposed patch. And it doesn't
come with much cost and the place probably isn't performance relevant.
I'm not worried about performance. To me it has more to do with taking
easily to read code and changing it into something that someone would
stare at for a bit before figuring out what it's doing, and then ask
"Why so complicated?". Coverity is suppose to help us make our code
better. I don't see that being the case here. If in the end your changes
are the simplest approach to quieting coverity, then I guess that's what
we should go with. However, I'm still not convinced we really fully why
converity is not happy with a strcpy that can be statically shown to be
safe. Is is a coverity bug? Is there a call path we are missing?
Something else that makes it hard for coverity to statically check this?
That's one reason I'd like to see what happens if a check is put
directly in set_name.
OK, so let me summarize:
The code as it is right now has a little issue - which isn't obvious at a quick
glance by the way.
It can be fixed like I suggested. This would add two lines of code at each
place and one can argue about how easy it is to understand. To me it seems as
understandable as it was before - but I'm probably a bit concerned here.
In terms of readability, I was referring back to the original code that
just had the strlen. It was the original coverity fix to that code that
introduced readability issue. You aren't really doing much to make it
less readable.
I can suggest an alternative which might be easier to read:
http://cr.openjdk.java.net/~clanger/webrevs/8199010.1/ It comes at the cost of
2 calls to strlen() in dbg builds but it has one line of code less and might be
more straightforward to understand.
All larger refactoring of set_name() and set_arg() is beyond the scope of my
change.
I like this version better, although it doesn't change my opinion that
this is still all jumping through hoops to get coverity to stop
complaining about something that is perfectly fine.
Now I'd really like if you could accept one of my 2 proposals, given that also
Thomas and David think it's ok. I want to get this done now. 😊 Maybe you can
even sponsor it...
Yeah, I'm ok with the change. I've said my peace and don't just want to
get in the way of a simple fix. Yes, I can also sponsor it for you.
cheers,
Chris
Thanks & Best regards
Christoph