Date:      Fri, 25 Apr 2014 21:38:26 +0100
From:      Ben Laurie <benl@freebsd.org>
To:        "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org>
Subject:   Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Message-ID:  <CAG5KPzw_cOfFLX_kn=5DWAX%2Bz%2B9VeXuzo3Q8YekDJG37tDQ_wQ@mail.gmail.com>
In-Reply-To: <32060.1398457484@server1.tristatelogic.com>
References:  <86zjj9mivi.fsf@nine.des.no> <32060.1398457484@server1.tristatelogic.com>

On 25 April 2014 21:24, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> Separately, a code example of the following general form was discussed:
>
>         if (condition) variable = value1;
>         if (!condition) variable = value2;
>         use (variable);
>
> It was noted that code of this form can generate a "false positive"
> warning, from some or many code analyzers, to the effect that "variable"
> may be used while in an "uninitialized" state.  I agree entirely that,
> given code of the above form, the variable will never in fact be used
> while in an uninitialized state, and that thus, any such warning is
> rather unambiguously "false".  I don't believe that I suggested
> otherwise.  I did however note that the warning in such cases may be
> trivially quieted by the addition of an (unconditional) initialization
> of "variable" somewhere prior to the code in question.

But that would then hide the error condition of it being not set to a
new value after initialisation.

One better answer would be to have a way to annotate that after the
two conditionals you assert that |variable| is initialised. Then a
future, smarter static analyzer can attempt to prove you wrong.

>  I did that in
> response to an assertion that eliminating such a warning might be in
> some sense "too hard", even though the party or parties to which such
> an assertion might apply was not specified.
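As an added illustration (not part of Ben's or Ronald's messages, and not OpenSSL or FreeBSD code), the C below puts the three approaches from the exchange side by side: the two-conditional form that trips some analyzers, the unconditional initialisation that quiets the warning, and an explicit flag that turns the "after the two conditionals, variable is initialised" invariant into something that is checked rather than assumed. The enum with a third mode is a constructed stand-in for a later edit that breaks the "every path assigns" property; all function names are my own.

```c
#include <stdbool.h>
#include <stdio.h>

/* The form discussed in the thread: every path assigns `variable`, so the use
 * is safe, but an analyzer that does not correlate the two conditions may
 * still warn that `variable` is possibly uninitialised. */
int select_original(int condition, int value1, int value2)
{
    int variable;
    if (condition) variable = value1;
    if (!condition) variable = value2;
    return variable;
}

/* Constructed "future edit": callers now have a third mode, but the selection
 * logic below was written for two and was never updated. */
enum mode { MODE_A = 1, MODE_B = 2, MODE_C = 3 };

/* Warning silenced by an unconditional initialisation. The analyzer is quiet,
 * but for MODE_C no assignment happens and the caller silently receives 0,
 * which is exactly the error condition Ben's reply says this hides. */
int select_silenced(enum mode m, int a, int b)
{
    int variable = 0;               /* quiets the warning, hides the gap */
    if (m == MODE_A) variable = a;
    if (m == MODE_B) variable = b;
    return variable;                /* MODE_C: 0, and nothing reports it */
}

/* The invariant stated explicitly: after the conditionals, `variable` must
 * have been set. A flag records whether that happened and the function
 * refuses to hand back a value otherwise, so a gap is reported, not masked.
 * Returns true and writes *out when a value was selected, false otherwise.
 * (A weaker analyzer may still warn here; the point is that the invariant
 * is now visible in the code for a smarter one to prove or disprove.) */
bool select_checked(enum mode m, int a, int b, int *out)
{
    int variable;
    bool set = false;
    if (m == MODE_A) { variable = a; set = true; }
    if (m == MODE_B) { variable = b; set = true; }
    if (!set)
        return false;               /* the error condition the silenced form hides */
    *out = variable;
    return true;
}

/* Convenience wrapper: the selected value, or `fallback` if the invariant failed. */
int select_checked_or(enum mode m, int a, int b, int fallback)
{
    int out;
    return select_checked(m, a, b, &out) ? out : fallback;
}

int main(void)
{
    int out;
    printf("original: %d %d\n", select_original(1, 10, 20), select_original(0, 10, 20));
    printf("silenced: MODE_C -> %d (indistinguishable from a real value)\n",
           select_silenced(MODE_C, 10, 20));
    printf("checked:  MODE_C -> %s\n",
           select_checked(MODE_C, 10, 20, &out) ? "value" : "NOT SET");
    return 0;
}
```

Compiled with warnings enabled, the first function is where the "may be used uninitialized" diagnostic tends to appear; the second makes it go away at the cost of turning a missed assignment into a silent 0; the third keeps the failure observable.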