* [PATCH v1] MdeModulePkg/DxeCore: Please static checker for false report @ 2019-04-22 7:24 Wu, Hao A 2019-04-22 14:40 ` Michael D Kinney 0 siblings, 1 reply; 6+ messages in thread From: Wu, Hao A @ 2019-04-22 7:24 UTC (permalink / raw) To: devel; +Cc: Hao Wu, Ard Biesheuvel, Michael D Kinney, Liming Gao, Jian J Wang After commit 57df17fe26, some static check reports suspicous NULL pointer deference at line: Entry->MachineType = Entry->Emulator->MachineType; ^^^^^^^^^^^^^^^ within function PeCoffEmuProtocolNotify(). However, 'Entry->Emulator' is guaranteed to have a non-NULL value when previous call to the CoreHandleProtocol() returns EFI_SUCCESS. Thus, in order to please the static checker, this commit will add an ASSERT right before the false-positive NULL pointer dereference report. Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Signed-off-by: Hao Wu <hao.a.wu@intel.com> --- MdeModulePkg/Core/Dxe/Image/Image.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/MdeModulePkg/Core/Dxe/Image/Image.c b/MdeModulePkg/Core/Dxe/Image/Image.c index 08306a73fd..546fa96eee 100644 --- a/MdeModulePkg/Core/Dxe/Image/Image.c +++ b/MdeModulePkg/Core/Dxe/Image/Image.c @@ -166,6 +166,13 @@ PeCoffEmuProtocolNotify ( (VOID **)&Entry->Emulator ); ASSERT_EFI_ERROR (Status); + // + // When the above CoreHandleProtocol() call returns with EFI_SUCCESS, + // 'Entry->Emulator' is guaranteed to have a non-NULL value. + // The below ASSERT is for addressing a false positive NULL pointer + // dereference issue raised from static analysis. + // + ASSERT (Entry->Emulator != NULL) Entry->MachineType = Entry->Emulator->MachineType; -- 2.12.0.windows.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v1] MdeModulePkg/DxeCore: Please static checker for false report 2019-04-22 7:24 [PATCH v1] MdeModulePkg/DxeCore: Please static checker for false report Wu, Hao A @ 2019-04-22 14:40 ` Michael D Kinney 2019-04-22 21:25 ` Ard Biesheuvel 0 siblings, 1 reply; 6+ messages in thread From: Michael D Kinney @ 2019-04-22 14:40 UTC (permalink / raw) To: Wu, Hao A, devel@edk2.groups.io, Kinney, Michael D Cc: Ard Biesheuvel, Gao, Liming, Wang, Jian J Hi Hao, I think a cleaner fix to this issues is replace both ASSERT() statements with the following: if (EFI_ERROR (Status) || Entry->Emulator == NULL) { FreePool (Entry); continue; } We do not expect the emulator protocol to disappear between finding the handle and looking up the protocol instance, but if it does, the handle can be skipped without ASSERT(). There are several examples of this style in DriverSupport.c. If we want to avoid the extra Allocate/Free in this error condition, then a local variable can be added to get the emulator protocol instance and only allocate an EMULATOR_ENTRY if the emulator instance is successfully found. Thanks, Mike > -----Original Message----- > From: Wu, Hao A > Sent: Monday, April 22, 2019 12:25 AM > To: devel@edk2.groups.io > Cc: Wu, Hao A <hao.a.wu@intel.com>; Ard Biesheuvel > <ard.biesheuvel@linaro.org>; Kinney, Michael D > <michael.d.kinney@intel.com>; Gao, Liming > <liming.gao@intel.com>; Wang, Jian J > <jian.j.wang@intel.com> > Subject: [PATCH v1] MdeModulePkg/DxeCore: Please static > checker for false report > > After commit 57df17fe26, some static check reports > suspicous NULL pointer > deference at line: > > Entry->MachineType = Entry->Emulator->MachineType; > ^^^^^^^^^^^^^^^ > > within function PeCoffEmuProtocolNotify(). > > However, 'Entry->Emulator' is guaranteed to have a non- > NULL value when > previous call to the CoreHandleProtocol() returns > EFI_SUCCESS. > > Thus, in order to please the static checker, this > commit will add an > ASSERT right before the false-positive NULL pointer > dereference report. > > Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> > Cc: Michael D Kinney <michael.d.kinney@intel.com> > Cc: Liming Gao <liming.gao@intel.com> > Cc: Jian J Wang <jian.j.wang@intel.com> > Signed-off-by: Hao Wu <hao.a.wu@intel.com> > --- > MdeModulePkg/Core/Dxe/Image/Image.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/MdeModulePkg/Core/Dxe/Image/Image.c > b/MdeModulePkg/Core/Dxe/Image/Image.c > index 08306a73fd..546fa96eee 100644 > --- a/MdeModulePkg/Core/Dxe/Image/Image.c > +++ b/MdeModulePkg/Core/Dxe/Image/Image.c > @@ -166,6 +166,13 @@ PeCoffEmuProtocolNotify ( > (VOID **)&Entry->Emulator > ); > ASSERT_EFI_ERROR (Status); > + // > + // When the above CoreHandleProtocol() call > returns with EFI_SUCCESS, > + // 'Entry->Emulator' is guaranteed to have a non- > NULL value. > + // The below ASSERT is for addressing a false > positive NULL pointer > + // dereference issue raised from static analysis. > + // > + ASSERT (Entry->Emulator != NULL) > > Entry->MachineType = Entry->Emulator->MachineType; > > -- > 2.12.0.windows.1 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v1] MdeModulePkg/DxeCore: Please static checker for false report 2019-04-22 14:40 ` Michael D Kinney @ 2019-04-22 21:25 ` Ard Biesheuvel 2019-04-22 21:53 ` Michael D Kinney 0 siblings, 1 reply; 6+ messages in thread From: Ard Biesheuvel @ 2019-04-22 21:25 UTC (permalink / raw) To: Kinney, Michael D Cc: Wu, Hao A, devel@edk2.groups.io, Gao, Liming, Wang, Jian J On Mon, 22 Apr 2019 at 16:41, Kinney, Michael D <michael.d.kinney@intel.com> wrote: > > Hi Hao, > > I think a cleaner fix to this issues is replace both > ASSERT() statements with the following: > > if (EFI_ERROR (Status) || Entry->Emulator == NULL) { > FreePool (Entry); > continue; > } > > We do not expect the emulator protocol to disappear between > finding the handle and looking up the protocol instance, > but if it does, the handle can be skipped without ASSERT(). > > There are several examples of this style in DriverSupport.c. > > If we want to avoid the extra Allocate/Free in this error > condition, then a local variable can be added to get the > emulator protocol instance and only allocate an > EMULATOR_ENTRY if the emulator instance is successfully > found. > Is there any way we can #define the OUT modifier to something the static analyzer understands? (Which static analyzer is this btw?) Surely, we are not the only project dealing with pointers that are initialized by reference. Adding code to please the tools should really be the last resort imo. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v1] MdeModulePkg/DxeCore: Please static checker for false report 2019-04-22 21:25 ` Ard Biesheuvel @ 2019-04-22 21:53 ` Michael D Kinney 2019-04-22 22:02 ` [edk2-devel] " Ard Biesheuvel 0 siblings, 1 reply; 6+ messages in thread From: Michael D Kinney @ 2019-04-22 21:53 UTC (permalink / raw) To: Ard Biesheuvel, Kinney, Michael D Cc: Wu, Hao A, devel@edk2.groups.io, Gao, Liming, Wang, Jian J Ard, This seems to be a common limitation seen in some static analyzers. We have not found a workaround that does not involve code changes to quiet the false positives. For this specific case, I think the code change I suggest is correct. Best regards, Mike > -----Original Message----- > From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] > Sent: Monday, April 22, 2019 2:26 PM > To: Kinney, Michael D <michael.d.kinney@intel.com> > Cc: Wu, Hao A <hao.a.wu@intel.com>; > devel@edk2.groups.io; Gao, Liming > <liming.gao@intel.com>; Wang, Jian J > <jian.j.wang@intel.com> > Subject: Re: [PATCH v1] MdeModulePkg/DxeCore: Please > static checker for false report > > On Mon, 22 Apr 2019 at 16:41, Kinney, Michael D > <michael.d.kinney@intel.com> wrote: > > > > Hi Hao, > > > > I think a cleaner fix to this issues is replace both > > ASSERT() statements with the following: > > > > if (EFI_ERROR (Status) || Entry->Emulator == > NULL) { > > FreePool (Entry); > > continue; > > } > > > > We do not expect the emulator protocol to disappear > between > > finding the handle and looking up the protocol > instance, > > but if it does, the handle can be skipped without > ASSERT(). > > > > There are several examples of this style in > DriverSupport.c. > > > > If we want to avoid the extra Allocate/Free in this > error > > condition, then a local variable can be added to get > the > > emulator protocol instance and only allocate an > > EMULATOR_ENTRY if the emulator instance is > successfully > > found. > > > > Is there any way we can #define the OUT modifier to > something the > static analyzer understands? (Which static analyzer is > this btw?) > > Surely, we are not the only project dealing with > pointers that are > initialized by reference. Adding code to please the > tools should > really be the last resort imo. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [edk2-devel] [PATCH v1] MdeModulePkg/DxeCore: Please static checker for false report 2019-04-22 21:53 ` Michael D Kinney @ 2019-04-22 22:02 ` Ard Biesheuvel 2019-04-22 23:14 ` Andrew Fish 0 siblings, 1 reply; 6+ messages in thread From: Ard Biesheuvel @ 2019-04-22 22:02 UTC (permalink / raw) To: edk2-devel-groups-io, Kinney, Michael D Cc: Wu, Hao A, Gao, Liming, Wang, Jian J On Mon, 22 Apr 2019 at 23:53, Michael D Kinney <michael.d.kinney@intel.com> wrote: > > Ard, > > This seems to be a common limitation seen in some > static analyzers. We have not found a workaround > that does not involve code changes to quiet the > false positives. > > For this specific case, I think the code change I > suggest is correct. > I agree that the change is correct, and isn't that intrusive in this particular case, so I don't have any objections to it. I was just thinking aloud whether the IN vs OUT modifiers could be put to use here. There are some examples in Linux of the patten #ifdef __CHECKER__ #define ... #else #define ... #endif where __CHECKER__ is only set by the 'sparse' tool, which is basically a combination of a static checker with a more pedantic coding style checker. I guess in our case, we'dl have to cater for multiple build environments and more than one static checker, so this is probably not as easy to achieve, unfortunately. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [edk2-devel] [PATCH v1] MdeModulePkg/DxeCore: Please static checker for false report 2019-04-22 22:02 ` [edk2-devel] " Ard Biesheuvel @ 2019-04-22 23:14 ` Andrew Fish 0 siblings, 0 replies; 6+ messages in thread From: Andrew Fish @ 2019-04-22 23:14 UTC (permalink / raw) To: devel, Ard Biesheuvel; +Cc: Mike Kinney, Wu, Hao A, Gao, Liming, Wang, Jian J > On Apr 22, 2019, at 3:02 PM, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: > > On Mon, 22 Apr 2019 at 23:53, Michael D Kinney > <michael.d.kinney@intel.com> wrote: >> >> Ard, >> >> This seems to be a common limitation seen in some >> static analyzers. We have not found a workaround >> that does not involve code changes to quiet the >> false positives. >> >> For this specific case, I think the code change I >> suggest is correct. >> > > I agree that the change is correct, and isn't that intrusive in this > particular case, so I don't have any objections to it. > > I was just thinking aloud whether the IN vs OUT modifiers could be put > to use here. There are some examples in Linux of the patten > > #ifdef __CHECKER__ > #define ... > #else > #define ... > #endif > > where __CHECKER__ is only set by the 'sparse' tool, which is basically > a combination of a static checker with a more pedantic coding style > checker. > > I guess in our case, we'dl have to cater for multiple build > environments and more than one static checker, so this is probably not > as easy to achieve, unfortunately. > Ard, This would be a really good item to put on our longer term list of enhancements. Thanks, Andrew Fish > > ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-04-22 23:14 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-04-22 7:24 [PATCH v1] MdeModulePkg/DxeCore: Please static checker for false report Wu, Hao A 2019-04-22 14:40 ` Michael D Kinney 2019-04-22 21:25 ` Ard Biesheuvel 2019-04-22 21:53 ` Michael D Kinney 2019-04-22 22:02 ` [edk2-devel] " Ard Biesheuvel 2019-04-22 23:14 ` Andrew Fish
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox