Hello everyone,
The ALT Linux Team has recently initiated a focused testing effort on
PostgreSQL, with an emphasis on its security aspects.
As part of this effort, we conducted static analysis using Svace, which raised
some questions regarding the use of the Assert() function.
We were unable to find clear answers in the documentation or previous
discussions and would greatly appreciate your insights,
as these will influence how we approach future patch submissions:
1. General purpose of Assert() function:
- Is the primary purpose of the Assert() function to:
- Inform developers of the assumptions made in the code,
- Facilitate testing of new builds with assertions enabled,
- Accelerate development by temporarily placing assertions where defensive
code may later be required,
- Or does it serve some other purpose?
2. Assertions and defensive code:
We have observed patches where assertions were added to defensive code (e.g.,
[1]) and where defensive code was added to assertions.
Is it generally advisable and encouraged to incorporate defensive code into
assertions' assumptions?
For instance, we encountered cases where a null pointer dereference occurs
immediately after an assertion that the pointer is not null.
In assertion-enabled builds, this results in an assertion failure, while in
non-assert builds, it leads to a dereference, which we aim to avoid.
However, it is unclear to us whether the use of an assertion in such cases
indicates that this flaw is known and will not be addressed specifically,
or if additional protective code should be introduced.
A clearer understanding of whether assertions should signal potential failure
points that might later be rewritten or protected would assist us
in quickly developing fixes for such cases, particularly where we believe the
issue could occur in practice.
3. Approach to fixing flaws:
How should we generally fix the flaws - by adding protection code, or by adding
assertions?
I previously submitted two patches and encountered some confusion based on the
feedback: in one instance,
I added protective code but was asked whether an assertion would suffice [2],
and in another, I added an assertion but was questioned on its necessity, given
that it would cause a failure regardless, which I agreed with [3].
Your guidance on these matters would be invaluable in helping us align our
patch submissions with the community’s best practices.
Thank you in advance for your time and assistance.
1.
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=30aaab26e52144097a1a5bbb0bb66ea1ebc0cb81
2.
https://www.postgresql.org/message-id/e22df993-cdb4-4d0a-b629-42211ebed582%40altlinux.org
3.
https://www.postgresql.org/message-id/6d0323c3-3f5d-4137-af73-98a5ab90e77c%40altlinux.org
--
Best regards,
Alexander Kuznetsov
