On Fri, 04 Feb 2011 18:36:39 +0100 Stefan Weil <w...@mail.berlios.de> wrote:
> Am 04.02.2011 18:21, schrieb Anthony Liguori: > > On 02/04/2011 11:18 AM, Stefan Weil wrote: > >> Am 04.02.2011 16:27, schrieb Markus Armbruster: > >>> Anthony Liguori <anth...@codemonkey.ws> writes: > >>> > >>>> On 02/02/2011 01:28 PM, Stefan Weil wrote: > >>> [...] > >>>>> [PATCH 1/3] tests: Fix two memory leaks > >>>>> (http://patchwork.ozlabs.org/patch/79945/) > >>> > >>>>> [PATCH 2/3] check-qdict: Fix possible crash > >>>>> (http://patchwork.ozlabs.org/patch/79946/) > >>>> > >>>> Luiz > >>> > >>> I wouldn't bother with the second one for 0.14. Yes, we're reading > >>> lines from a file with %s, but it's a fixed file with known > >>> contents, no > >>> long lines, and we're reading it in a test program only developers ever > >>> use. > >>> > >>> As to the first one, Luiz has never touched that file. Neither have I, > >>> and it's not obvious to me why it should go into 0.14. > >>> > >>> [...] > >> > >> Even if the current code does not result in a real bug at the moment, > >> it should get fixed: > >> > >> * Using tools like cppcheck (or others) to find bugs is good, > >> because it finds bugs which are important. > >> Sorting out "unimportant" bugs from the results wastes time > >> which could be invested better, and this waste of time lasts > >> forever until the "unimportant" bug will be fixed. The sooner > >> you fix it, the better it is. > > > > No, this is not a good use of time. I've said multiple times in the > > past, I'm not interested in implementing work arounds for false > > positives in static analysis tools. > > > > We have enough real problems to fix, we don't need to waste cycles on > > psuedo problems. > > > > Regards, > > > > Anthony Liguori > > Hi Anthony, > > please accept that even if you said something multiple times, > other people might have a different point of view. > QEMU is team work, isn't it? > > Both positives are correct, there was no false positive: > > Reading strings from external files into limited memory > without limiting their length is bad. This wasn't denied, what Markus said is that this is test code and thus it isn't high priority for the (now released) 0.14 release. > Even if it works with > some input data, this kind of programming will be copied > by novice programmers and used with data which is critical. OMG, are they copying code from qemu?! > > In the second case, it might be a philosophical question > whether resources like memory or files should be released > explicitly. I tend to say yes, other people say no because the > OS will release them automatically when the program terminates. > But there is no doubt that the tool which says there is a leak > is right. > > Regards, > Stefan Weil > >
