| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Apr 2024 13:53:10 +0300 From: Laurent Pinchart <laurent.pinchart@...asonboard.com> To: Ricardo Ribalda <ribalda@...omium.org> Cc: Dan Carpenter <dan.carpenter@...aro.org>, Martin Tuma <martin.tuma@...iteqautomotive.com>, Mauro Carvalho Chehab <mchehab@...nel.org>, Hans Verkuil <hverkuil-cisco@...all.nl>, Hugues Fruchet <hugues.fruchet@...s.st.com>, Alain Volmat <alain.volmat@...s.st.com>, Maxime Coquelin <mcoquelin.stm32@...il.com>, Alexandre Torgue <alexandre.torgue@...s.st.com>, Paul Kocialkowski <paul.kocialkowski@...tlin.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Chen-Yu Tsai <wens@...e.org>, Jernej Skrabec <jernej.skrabec@...il.com>, Samuel Holland <samuel@...lland.org>, Sakari Ailus <sakari.ailus@...ux.intel.com>, Thierry Reding <thierry.reding@...il.com>, Jonathan Hunter <jonathanh@...dia.com>, Sowjanya Komatineni <skomatineni@...dia.com>, Luca Ceresoli <luca.ceresoli@...tlin.com>, Matthias Brugger <matthias.bgg@...il.com>, AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>, Hans Verkuil <hverkuil@...all.nl>, Sergey Kozlov <serjk@...up.ru>, Abylay Ospan <aospan@...up.ru>, Ezequiel Garcia <ezequiel@...guardiasur.com.ar>, Dmitry Osipenko <digetx@...il.com>, Stanimir Varbanov <stanimir.k.varbanov@...il.com>, Vikash Garodia <quic_vgarodia@...cinc.com>, Bryan O'Donoghue <bryan.odonoghue@...aro.org>, Bjorn Andersson <andersson@...nel.org>, Konrad Dybcio <konrad.dybcio@...aro.org>, Benjamin Mugnier <benjamin.mugnier@...s.st.com>, Sylvain Petinot <sylvain.petinot@...s.st.com>, Jacopo Mondi <jacopo+renesas@...ndi.org>, Kieran Bingham <kieran.bingham+renesas@...asonboard.com>, Niklas Söderlund <niklas.soderlund+renesas@...natech.se>, Pavel Machek <pavel@....cz>, linux-media@...r.kernel.org, linux-kernel@...r.kernel.org, linux-stm32@...md-mailman.stormreply.com, linux-arm-kernel@...ts.infradead.org, linux-staging@...ts.linux.dev, linux-sunxi@...ts.linux.dev, linux-tegra@...r.kernel.org, linux-mediatek@...ts.infradead.org, linux-arm-msm@...r.kernel.org, Oleg Drokin <green@...uxhacker.ru> Subject: Re: [PATCH 00/35] media: Fix coccinelle warning/errors Hi Ricardo, On Wed, Apr 17, 2024 at 06:19:14PM +0200, Ricardo Ribalda wrote: > On Wed, 17 Apr 2024 at 17:51, Laurent Pinchart wrote: > > On Tue, Apr 16, 2024 at 11:47:17AM +0300, Dan Carpenter wrote: > > > In my opinion, it's better to just ignore old warnings. > > > > I agree. Whatever checkers we enable, whatever code we test, there will > > always be false positives. A CI system needs to be able to ignore those > > false positives and only warn about new issues. > > We already have support for that: > https://gitlab.freedesktop.org/linux-media/media-ci/-/tree/main/testdata/static?ref_type=heads Those are manually written filters. Would it be possible to reduce the manual step to flagging something as a false positive, and have a machine build the filters ? > But it would be great if those lists were as small as possible: > > - If we have a lot of warnings, two error messages can be combined and > will scape the filters > eg: > print(AAAA); > print(BBBB); > > AABBBAAB > > - The filters might hide new errors if they are too broad > > > Most of the patches in this series are simple and make a nicer code: > Eg the non return minmax() , > Other patches show real integer overflows. > > Now that the patches are ready, let's bite the bullet and try to > reduce our technical debt. > > > > When code is new the warnings are going to be mostly correct. The > > > original author is there and knows what the code does. Someone has > > > the hardware ready to test any changes. High value, low burden. > > > > > > When the code is old only the false positives are left. No one is > > > testing the code. It's low value, high burden. > > > > > > Plus it puts static checker authors in a difficult place because now > > > people have to work around our mistakes. It creates animosity. > > > > > > Now we have to hold ourselves to a much higher standard for false > > > positives. It sounds like I'm complaining and lazy, right? But Oleg > > > Drokin has told me previously that I spend too much time trying to > > > silence false positives instead of working on new code. He's has a > > > point which is that actually we have limited amount of time and we have > > > to make choices about what's the most useful thing we can do. > > > > > > So what I do and what the zero day bot does is we look at warnings one > > > time and we re-review old warnings whenever a file is changed. > > > > > > Kernel developers are very good at addressing static checker warnings > > > and fixing the real issues... People sometimes ask me to create a > > > database of warnings which I have reviewed but the answer is that > > > anything old can be ignored. As I write this, I've had a thought that > > > instead of a database of false positives maybe we should record a > > > database of real bugs to ensure that the fixes for anything real is > > > applied. -- Regards, Laurent Pinchart
Powered by blists - more mailing lists