<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 20 Aug 2021 at 11:01, D. Hugh Redelmeier <<a href="mailto:hugh@mimosa.com" target="_blank">hugh@mimosa.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">passert never returns if the test is false.<br>
Coverity Scan doesn't seem to know this.<br>
This leads to false positives in its reports.<br></blockquote><div><br></div><div>Based on other code I've tweaked, I'm pretty sure that coverity groks passert() being no-return.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
For example, consider these lines from<br>
programs/pluto/ikev1_spdb_struct.c:<br>
<br>
  2478          passert(ty < ipsec_attr_val_descs_roof);<br>
  2479          vdesc = ipsec_attr_val_descs[ty]; </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
In the latest Coverity Scan run, CID 1496140 claims that the subscript<br>
can be out of bounds because ty might be greater or equal to<br>
ipsec_attr_val_descs_roof.  Even though the passert says that it<br>
cannot be.<br></blockquote><div><br></div><div>I don't believe this to be new (I remember looking at this a while ago).</div><div>For whatever reason, coverity isn't buying into:</div><div><code>  const unsigned int ipsec_attr_val_descs_roof = elemsof(ipsec_attr_val_descs);</code></div><div>being constant and an upper bound.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
This property of passert is indicated by NEVER_RETURNS on the<br>
declaration of llog_passert.<br>
<br>
NEVER_RETURNS expands to <br>
        __attribute__ ((noreturn))<br>
if, and only if, GCC_LINT is defined.<br>
<br>
Does Coverity Scan know that GCC_LINT should be defined?<br>
Or is it baffled by the layers of macro expansion?<br>
<br>
Where is Coverity Scan configured?  Does it just read the makefiles?<br>
<br>
With a normal build, -DGCC_LINT appears on cc commands.  Here's where <br>
GCC_LINT appears in our tree:<br>
<br>
CROSSCOMPILE.sh:21:export USERCOMPILE="-Wl,-elf2flt -DCOMPILER_HAS_NO_PRINTF_LIKE -O3 -g ${PORTDEFINE} -I$PREFIX/arm-elf/inc -L$PREFIX/lib/gcc-lib -DGCC_LINT -Dlinux -D__linux__"<br>
include/lswcdefs.h:38:#ifdef GCC_LINT<br>
mk/config.mk:799:ifeq ($(origin GCC_LINT),undefined)<br>
mk/config.mk:800:GCC_LINT = -DGCC_LINT<br>
mk/config.mk:802:USERLAND_CFLAGS += $(GCC_LINT)<br>
packaging/suse/libreswan.spec:70:  USERCOMPILE='-g $(RPM_OPT_FLAGS) -DGCC_LINT' \<br>
packaging/suse/sles10.spec:70:  USERCOMPILE='-g $(RPM_OPT_FLAGS) -DGCC_LINT' \<br>
testing/guestbin/makeallways:14:      for f4 in "-DGCC_LINT" ; do       # GCC_LINT is mandatory<br>
</blockquote></div></div>
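Added example, not part of the thread and not libreswan's code: a minimal C reduction of the pattern discussed above, showing how the `noreturn` hint disappears from the declaration when `GCC_LINT` is not defined, next to a lookup that states the bound at the subscript. `passert_fail`, `attr_val_descs`, `attr_val_desc` and `attr_val_desc_checked` are hypothetical stand-ins, and the table contents are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
/* Per the thread: the attribute is present only when GCC_LINT is defined. */
#ifdef GCC_LINT
# define NEVER_RETURNS __attribute__((noreturn))
# define NEVER_RETURNS_VISIBLE 1
#else
# define NEVER_RETURNS /* empty: a tool must infer no-return from the body */
# define NEVER_RETURNS_VISIBLE 0
#endif

#define elemsof(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-in for llog_passert() (not libreswan code): report, abort. */
static void passert_fail(const char *expr, const char *file, int line) NEVER_RETURNS;
static void passert_fail(const char *expr, const char *file, int line)
{
	fprintf(stderr, "%s:%d: passert failed: %s\n", file, line, expr);
	abort();
}

#define passert(pred) \
	do { if (!(pred)) passert_fail(#pred, __FILE__, __LINE__); } while (0)

/* Constructed table standing in for ipsec_attr_val_descs[]. */
static const char *const attr_val_descs[] = { NULL, "desc-1", "desc-2" };
static const unsigned int attr_val_descs_roof = elemsof(attr_val_descs);

/* Same shape as the flagged lines: assert the bound, then subscript. */
const char *attr_val_desc(unsigned int ty)
{
	passert(ty < attr_val_descs_roof);
	return attr_val_descs[ty];
}

/* Bound stated at the subscript itself; no reliance on passert() or the roof. */
const char *attr_val_desc_checked(unsigned int ty)
{
	return ty < elemsof(attr_val_descs) ? attr_val_descs[ty] : NULL;
}

int never_returns_visible(void) { return NEVER_RETURNS_VISIBLE; }

int main(void)
{
	printf("noreturn visible to tools: %d\n", never_returns_visible());
	printf("%s %s\n", attr_val_desc(1), attr_val_desc_checked(2));
	return 0;
}
```

Building this once with `-DGCC_LINT` and once without shows, through `never_returns_visible()`, which form of the declaration a tool that replays the compile commands would be given.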