Thread: Coverity Open Source Defect Scan of PostgreSQL

Coverity Open Source Defect Scan of PostgreSQL

From
Ben Chelf
Date:
Hello PostgreSQL Developers,
  I'm the CTO of Coverity, Inc., a company that does static source code 
analysis to look for defects in code. You may have heard of us or of our 
technology from its days at Stanford (the "Stanford Checker"). The 
reason I'm writing is because we have set up a framework internally to 
continually scan open source projects and provide the results of our 
analysis back to the developers of those projects. PostgreSQL is one of 
the 32 projects currently scanned at:

http://scan.coverity.com
  My belief is that we (Coverity) must reach out to the developers of 
these packages (you) in order to make progress in actually fixing the 
defects that we happen to find, so this is my first step in that 
mission. Of course, I think Coverity technology is great, but I want to 
hear what you think and that's why I worked with folks at Coverity to 
put this infrastructure in place. The process is simple -- it checks out 
your code each night from your repository and scans it so you can always 
see the latest results.
  Right now, we're guarding access to the actual defects that we report 
for a couple of reasons: (1) We think that you, as developers of 
PostgreSQL, should have the chance to look at the defects we find to 
patch them before random other folks get to see what we found and (2) From a support perspective, we want to make sure
thatwe have the 
 
appropriate time to engage with those who want to use the results to fix 
the code. Because of this second point, I'd ask that if you are 
interested in really digging into the results a bit further for your 
project, please have a couple of core maintainers (or group nominated 
individuals) reach out to me to request access. As this is a new process 
for us and still involves a small number of packages, I want to make 
sure that I personally can be involved with the activity that is 
generated from this effort.
  So I'm basically asking for people who want to play around with some 
cool new technology to help make source code better. If this interests 
you, please feel free to reach out to me directly. And of course, if 
there are other packages you care about that aren't currently on the 
list, I want to know about those too.
  If this is the wrong list, my sincerest apologies and please let me 
know where would be a more appropriate forum for this type of message.

Many thanks for reading this far...

-ben
 Ben Chelf Chief Technology Officer Coverity, Inc.


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Andreas Pflug
Date:
Ben Chelf wrote:
> Hello PostgreSQL Developers,
> 
>   I'm the CTO of Coverity, Inc., a company that does static source code 
> analysis to look for defects in code. You may have heard of us or of our 
> technology from its days at Stanford (the "Stanford Checker"). The 
> reason I'm writing is because we have set up a framework internally to 
> continually scan open source projects and provide the results of our 
> analysis back to the developers of those projects. PostgreSQL is one of 
> the 32 projects currently scanned at:
> 
> http://scan.coverity.com

Hm, interestingly and in contrast to some announcements, MySQL is not 
included in this list. Did it blast the defects column ? :-)

Regards,
Andreas


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Bruce Momjian
Date:
Andreas Pflug wrote:
> Ben Chelf wrote:
> > Hello PostgreSQL Developers,
> > 
> >   I'm the CTO of Coverity, Inc., a company that does static source code 
> > analysis to look for defects in code. You may have heard of us or of our 
> > technology from its days at Stanford (the "Stanford Checker"). The 
> > reason I'm writing is because we have set up a framework internally to 
> > continually scan open source projects and provide the results of our 
> > analysis back to the developers of those projects. PostgreSQL is one of 
> > the 32 projects currently scanned at:
> > 
> > http://scan.coverity.com
> 
> Hm, interestingly and in contrast to some announcements, MySQL is not 
> included in this list. Did it blast the defects column ? :-)

I thought we ran the Converity analysis a year ago and cleaned up the
warnings, so I am surprised at our high number, but I assume they are
mostly noise.

--  Bruce Momjian   http://candle.pha.pa.us SRA OSS, Inc.   http://www.sraoss.com
 + If your life is a hard drive, Christ can be your backup. +


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Alvaro Herrera
Date:
Andreas Pflug wrote:
> Ben Chelf wrote:
> >Hello PostgreSQL Developers,
> >
> >  I'm the CTO of Coverity, Inc., a company that does static source code 
> >analysis to look for defects in code. You may have heard of us or of our 
> >technology from its days at Stanford (the "Stanford Checker"). The 
> >reason I'm writing is because we have set up a framework internally to 
> >continually scan open source projects and provide the results of our 
> >analysis back to the developers of those projects. PostgreSQL is one of 
> >the 32 projects currently scanned at:
> >
> >http://scan.coverity.com
> 
> Hm, interestingly and in contrast to some announcements, MySQL is not 
> included in this list. Did it blast the defects column ? :-)

AFAIR they got a private scan done and they fixed the reported defects.
After that they issued a press release telling how little defects they
got, or something ...

OTOH neither JBoss, BerkeleyDB, Qt are listed.  Is there a pattern here?

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Lukas Smith
Date:
Alvaro Herrera wrote:

> AFAIR they got a private scan done and they fixed the reported defects.
> After that they issued a press release telling how little defects they
> got, or something ...
> 
> OTOH neither JBoss, BerkeleyDB, Qt are listed.  Is there a pattern here?

I guess the pattern is obvious indeed:
Coverity probably wants a shot at selling their services to these 
companies and rightly so imho.

regards,
Lukas



Re: Coverity Open Source Defect Scan of PostgreSQL

From
David Boreham
Date:
>
>OTOH neither JBoss, BerkeleyDB, Qt are listed.  Is there a pattern here?
>
>  
>
http://www.coverity.com/news/news_02_15_05_story_6.html




Re: Coverity Open Source Defect Scan of PostgreSQL

From
"Marc G. Fournier"
Date:
On Mon, 6 Mar 2006, Bruce Momjian wrote:

> Andreas Pflug wrote:
>> Ben Chelf wrote:
>>> Hello PostgreSQL Developers,
>>>
>>>   I'm the CTO of Coverity, Inc., a company that does static source code
>>> analysis to look for defects in code. You may have heard of us or of our
>>> technology from its days at Stanford (the "Stanford Checker"). The
>>> reason I'm writing is because we have set up a framework internally to
>>> continually scan open source projects and provide the results of our
>>> analysis back to the developers of those projects. PostgreSQL is one of
>>> the 32 projects currently scanned at:
>>>
>>> http://scan.coverity.com
>>
>> Hm, interestingly and in contrast to some announcements, MySQL is not
>> included in this list. Did it blast the defects column ? :-)
>
> I thought we ran the Converity analysis a year ago and cleaned up the
> warnings, so I am surprised at our high number, but I assume they are
> mostly noise.

Got an account and will take a look at the details this evening ... :)

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Neil Conway
Date:
On Mon, 2006-03-06 at 11:55 -0300, Alvaro Herrera wrote:
> AFAIR they got a private scan done and they fixed the reported defects.

Indeed: EnterpriseDB paid for a license for the Coverity static analysis
tool, and then ran that tool on the open-source Postgres tree. One of
their engineers then worked with me to get a bunch of patches committed
to fix the issues the tool identified -- e.g.

http://archives.postgresql.org/pgsql-committers/2005-06/msg00428.php
http://archives.postgresql.org/pgsql-committers/2005-06/msg00314.php
http://archives.postgresql.org/pgsql-committers/2005-06/msg00315.php
http://archives.postgresql.org/pgsql-committers/2005-06/msg00298.php

The tool found a few significant bugs, but most of the fixes were
somewhat cosmetic. (Perhaps one reason for this is that the Stanford
checker was run on an earlier version of PostgreSQL by some grad
students at Stanford, who submitted patches / bug reports for the more
serious issues they found.)

I'm a bit surprised to see that there are ~300 unfixed defects: AFAIR I
fixed all the issues the EDB guys passed on to me, with the exception of
some false positives and a handful of minor issues in ECPG that I
couldn't be bothered fixing (frankly I would rather not touch the ECPG
code). I've requested access to the Coverity results -- I'll be curious
to see if we can get any more useful fixes from the tool.

-Neil




Re: Coverity Open Source Defect Scan of PostgreSQL

From
Andrew Dunstan
Date:
Neil Conway wrote:

>On Mon, 2006-03-06 at 11:55 -0300, Alvaro Herrera wrote:
>  
>
>>AFAIR they got a private scan done and they fixed the reported defects.
>>    
>>
>
>Indeed: EnterpriseDB paid for a license for the Coverity static analysis
>tool, and then ran that tool on the open-source Postgres tree. One of
>their engineers then worked with me to get a bunch of patches committed
>to fix the issues the tool identified -- e.g.
>
>http://archives.postgresql.org/pgsql-committers/2005-06/msg00428.php
>http://archives.postgresql.org/pgsql-committers/2005-06/msg00314.php
>http://archives.postgresql.org/pgsql-committers/2005-06/msg00315.php
>http://archives.postgresql.org/pgsql-committers/2005-06/msg00298.php
>
>The tool found a few significant bugs, but most of the fixes were
>somewhat cosmetic. (Perhaps one reason for this is that the Stanford
>checker was run on an earlier version of PostgreSQL by some grad
>students at Stanford, who submitted patches / bug reports for the more
>serious issues they found.)
>
>I'm a bit surprised to see that there are ~300 unfixed defects: AFAIR I
>fixed all the issues the EDB guys passed on to me, with the exception of
>some false positives and a handful of minor issues in ECPG that I
>couldn't be bothered fixing (frankly I would rather not touch the ECPG
>code). I've requested access to the Coverity results -- I'll be curious
>to see if we can get any more useful fixes from the tool.
>
>  
>

For a short while EDB were pushing their Coverity results up to the 
buildfarm server, too. But it didn't last  long.

cheers

andrew


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Josh Berkus
Date:
Ben,

>    I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. PostgreSQL is one of
> the 32 projects currently scanned at:

Nice to hear from you!   Coverity has previously worked with Sean 
Chittenden, EnterpriseDB and Neil Conway.   So we're glad to be continuing 
our relationship with you.

-- 
--Josh

Josh Berkus
Aglio Database Solutions
San Francisco


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Martijn van Oosterhout
Date:
On Mon, Mar 06, 2006 at 12:50:15PM -0400, Marc G. Fournier wrote:
> >I thought we ran the Converity analysis a year ago and cleaned up the
> >warnings, so I am surprised at our high number, but I assume they are
> >mostly noise.
>
> Got an account and will take a look at the details this evening ... :)

Are the people who look at the results allowed to tell the rest of us
what kind of bugs are involved (ie trivial or otherwise)? I mean,
presumably they can't cut and paste the results to the mailing list but
are we going to see anything other than a list of bug-fixes for
(apparently) unreported bugs?

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

Re: Coverity Open Source Defect Scan of PostgreSQL

From
Alvaro Herrera
Date:
Neil Conway wrote:

> I'm a bit surprised to see that there are ~300 unfixed defects: AFAIR I
> fixed all the issues the EDB guys passed on to me, with the exception of
> some false positives and a handful of minor issues in ECPG that I
> couldn't be bothered fixing (frankly I would rather not touch the ECPG
> code). I've requested access to the Coverity results -- I'll be curious
> to see if we can get any more useful fixes from the tool.

It's not unlikely that the checker got improved.

FWIW I don't see any report related to the MemoryContext stuff, which I
was expecting we would be flooded with.  I haven't seen the entire list
yet, but they do make the mistake of not noticing that ereport(ERROR)
does not continue execution.  For example:

-------->-------->-------->-------->-------->-------->-------->-------->
pgsql/src/backend/optimizer/plan/createplan.c

638          foreach(l, uniq_exprs)
639          {
640              Node       *uniqexpr = lfirst(l);
641              TargetEntry *tle;
642      
643              tle = tlist_member(uniqexpr, newtlist);

Event var_compare_op: Added "tle" due to comparison "tle == 0"
Also see events: [var_deref_op]
At conditional (1): "tle == 0" taking true path

644              if (!tle)                /* shouldn't happen */
645                  elog(ERROR, "failed to find unique expression in subplan tlist");

Event var_deref_op: Variable "tle" tracked as NULL was dereferenced.
Also see events: [var_compare_op]

646              groupColIdx[groupColPos++] = tle->resno;
647          }
-------->-------->-------->-------->-------->-------->-------->-------->

We all know that this is not a bug.  There are lots of these, as you can
imagine.  

There are lots of other "not a bugs".  For example in initdb, there is a
lot of noise about how we don't free the resources.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Greg Stark
Date:
Alvaro Herrera <alvherre@commandprompt.com> writes:

> but they do make the mistake of not noticing that ereport(ERROR)
> does not continue execution. 

There is a way in gcc to indicate that a function never returns. But in
Postgres it's a bit weird since elog()/ereport() sometimes return and
sometimes don't. Perhaps it would be better to make the forms that don't
return separate functions. Then hopefully they can be marked to not trigger
these kinds of warnings.

> We all know that this is not a bug.  There are lots of these, as you can
> imagine.  
> 
> There are lots of other "not a bugs".  For example in initdb, there is a
> lot of noise about how we don't free the resources.

Presumably the reason they don't immediately release the reports is for fear
of security holes revealed. Once somebody has checked the errors and checked
for any exploitable holes would it be possible to just open access to anyone
so mere mortals can clean up the mundane bugs?

-- 
greg



Re: Coverity Open Source Defect Scan of PostgreSQL

From
Martijn van Oosterhout
Date:
On Tue, Mar 07, 2006 at 05:10:44PM -0500, Greg Stark wrote:
>
> Alvaro Herrera <alvherre@commandprompt.com> writes:
>
> > but they do make the mistake of not noticing that ereport(ERROR)
> > does not continue execution.
>
> There is a way in gcc to indicate that a function never returns. But in
> Postgres it's a bit weird since elog()/ereport() sometimes return and
> sometimes don't. Perhaps it would be better to make the forms that don't
> return separate functions. Then hopefully they can be marked to not trigger
> these kinds of warnings.

I think the problem is that both of those are macros that expand into
calls to errstart and errfinish. The error level is passed to errstart
but the actual exception is thrown in errfinish using the value stored
on the exception stack. For a static analysis tool to pick that up
would be quite a trick. For gcc I wouldn't bet on it.

One possibility would be to add code to the elog/ereport macros that is
only used when using one of these tools. For example:

#ifdef STATIC_ANALYSIS
#define ereport(elevel, rest)  \       (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO) ? \        (errfinish
rest): (void) 0), (elevel >= ERROR ? exit(0) : 0) 
#else
/* Normal def */
#endif

The actual code never gets executed but it would give gcc and any other
tools the info they need to handle this situation.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

Re: Coverity Open Source Defect Scan of PostgreSQL

From
Tom Lane
Date:
Martijn van Oosterhout <kleptog@svana.org> writes:
> #ifdef STATIC_ANALYSIS
> #define ereport(elevel, rest)  \
>         (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO) ? \
>          (errfinish rest) : (void) 0), (elevel >= ERROR ? exit(0) : 0)
> #else
> /* Normal def */
> #endif

Hmm, neat idea ... though I wonder whether either gcc or Coverity's tool
is smart enough to draw the right conclusions from a conditional exit()
call ...
        regards, tom lane


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Martijn van Oosterhout
Date:
On Tue, Mar 07, 2006 at 05:39:18PM -0500, Tom Lane wrote:
> Martijn van Oosterhout <kleptog@svana.org> writes:
> > #ifdef STATIC_ANALYSIS
> > #define ereport(elevel, rest)  \
> >         (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO) ? \
> >          (errfinish rest) : (void) 0), (elevel >= ERROR ? exit(0) : 0)
> > #else
> > /* Normal def */
> > #endif
>
> Hmm, neat idea ... though I wonder whether either gcc or Coverity's tool
> is smart enough to draw the right conclusions from a conditional exit()
> call ...

Well, remember this is a macro so the conditional is known at compile
time and the optimiser should see that the exit is unconditional. A
quick test with the attached program shows that gcc does correctly
determine that the last few lines are unreachable and are optimised out
entirely (with -Wunreachable-code which is not the default).

I tried to create an empty static inline function with
attribute((noreturn)) to optimise out the call to exit(), but gcc
merely points out the function does actually return and proceeds to
assume that the rest of main() is also reachable.

Another possibility would be to create two versions of errfinish, one
marked (noreturn), and use a conditional on elevel to decide which to
use. However, then you get issues with multiple evaluation of macro
arguments...

gcc 3.3.5
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

Attachment

Re: Coverity Open Source Defect Scan of PostgreSQL

From
Ben Chelf
Date:

Martijn van Oosterhout wrote:
> On Tue, Mar 07, 2006 at 05:39:18PM -0500, Tom Lane wrote:
> 
>>Martijn van Oosterhout <kleptog@svana.org> writes:
>>
>>>#ifdef STATIC_ANALYSIS
>>>#define ereport(elevel, rest)  \
>>>        (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO) ? \
>>>         (errfinish rest) : (void) 0), (elevel >= ERROR ? exit(0) : 0)
>>>#else
>>>/* Normal def */
>>>#endif
>>
>>Hmm, neat idea ... though I wonder whether either gcc or Coverity's tool
>>is smart enough to draw the right conclusions from a conditional exit()
>>call ...
> 

As for Coverity, if the elevel that's passed to the ereport is really a 
constant, the above #ifdef should absolutely do the trick for us so we 
know to stop analyzing on that path...Let me know if it doesn't actually 
do that ;)

-ben



Re: Coverity Open Source Defect Scan of PostgreSQL

From
Josh Berkus
Date:
Folks,
> As for Coverity, if the elevel that's passed to the ereport is really a
> constant, the above #ifdef should absolutely do the trick for us so we
> know to stop analyzing on that path...Let me know if it doesn't actually
> do that ;)

Um, I think the answer is to train Coverity, not change our code to avoid 
the false-positives.  I know that Coverity is sophisticated enough to, for 
example, be programed to understand that elog(ERROR) does not continue.  

Actually, I thougth that Neil/eDB did this with their copy.  Is there any 
way to get a copy of that "training configuration"?

-- 
--Josh

Josh Berkus
Aglio Database Solutions
San Francisco


Re: Coverity Open Source Defect Scan of PostgreSQL

From
"Jonah H. Harris"
Date:
On 3/8/06, Josh Berkus <josh@agliodbs.com> wrote:
Actually, I thougth that Neil/eDB did this with their copy.  Is there any
way to get a copy of that "training configuration"?

I think we have a backup of it somewhere.  I'll look into it.


--
Jonah H. Harris, Database Internals Architect
EnterpriseDB Corporation
732.331.1324

Re: Coverity Open Source Defect Scan of PostgreSQL

From
Greg Stark
Date:
Ben Chelf <ben@coverity.com> writes:

> >>>#ifdef STATIC_ANALYSIS
> >>>#define ereport(elevel, rest)  \
> >>>        (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO) ? \
> >>>         (errfinish rest) : (void) 0), (elevel >= ERROR ? exit(0) : 0)
> >>>#else
> >>>/* Normal def */
> >>>#endif
> 
> As for Coverity, if the elevel that's passed to the ereport is really a
> constant, the above #ifdef should absolutely do the trick for us so we know to
> stop analyzing on that path...Let me know if it doesn't actually do that ;)

If you're willing to require elevel to always be a constant then why not just
tack on the (elevel >= ERROR ? exit(0) : 0) onto the end of the regular
definition of ereport instead of having an ifdef?

Incidentally, if it's not guaranteed to be a constant then the definition
above is wrong because it's missing parentheses around elevel at both
occurrences.

-- 
greg



Re: Coverity Open Source Defect Scan of PostgreSQL

From
Martijn van Oosterhout
Date:
On Wed, Mar 08, 2006 at 06:42:45PM -0500, Greg Stark wrote:
> Ben Chelf <ben@coverity.com> writes:
>
> > >>>#ifdef STATIC_ANALYSIS
> > >>>#define ereport(elevel, rest)  \
> > >>>        (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO) ? \
> > >>>         (errfinish rest) : (void) 0), (elevel >= ERROR ? exit(0) : 0)
> > >>>#else
> > >>>/* Normal def */
> > >>>#endif
> >
> > As for Coverity, if the elevel that's passed to the ereport is really a
> > constant, the above #ifdef should absolutely do the trick for us so we know to
> > stop analyzing on that path...Let me know if it doesn't actually do that ;)
>
> If you're willing to require elevel to always be a constant then why not just
> tack on the (elevel >= ERROR ? exit(0) : 0) onto the end of the regular
> definition of ereport instead of having an ifdef?

Well, the only cost would be a useless call to exit() for each
elog/ereport with an elevel >= ERROR. It bloats the binary a bit. Not
sure whether people care enough about that.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

Re: Coverity Open Source Defect Scan of PostgreSQL

From
Bruce Momjian
Date:
Martijn van Oosterhout wrote:
-- Start of PGP signed section.
> On Wed, Mar 08, 2006 at 06:42:45PM -0500, Greg Stark wrote:
> > Ben Chelf <ben@coverity.com> writes:
> > 
> > > >>>#ifdef STATIC_ANALYSIS
> > > >>>#define ereport(elevel, rest)  \
> > > >>>        (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO) ? \
> > > >>>         (errfinish rest) : (void) 0), (elevel >= ERROR ? exit(0) : 0)
> > > >>>#else
> > > >>>/* Normal def */
> > > >>>#endif
> > > 
> > > As for Coverity, if the elevel that's passed to the ereport is really a
> > > constant, the above #ifdef should absolutely do the trick for us so we know to
> > > stop analyzing on that path...Let me know if it doesn't actually do that ;)
> > 
> > If you're willing to require elevel to always be a constant then why not just
> > tack on the (elevel >= ERROR ? exit(0) : 0) onto the end of the regular
> > definition of ereport instead of having an ifdef?
> 
> Well, the only cost would be a useless call to exit() for each
> elog/ereport with an elevel >= ERROR. It bloats the binary a bit. Not
> sure whether people care enough about that.

We care.  :-)

--  Bruce Momjian   http://candle.pha.pa.us SRA OSS, Inc.   http://www.sraoss.com
 + If your life is a hard drive, Christ can be your backup. +


Re: Coverity Open Source Defect Scan of PostgreSQL

From
"Marc G. Fournier"
Date:
On Thu, 9 Mar 2006, Bruce Momjian wrote:

> Martijn van Oosterhout wrote:
> -- Start of PGP signed section.
>> On Wed, Mar 08, 2006 at 06:42:45PM -0500, Greg Stark wrote:
>>> Ben Chelf <ben@coverity.com> writes:
>>>
>>>>>>> #ifdef STATIC_ANALYSIS
>>>>>>> #define ereport(elevel, rest)  \
>>>>>>>        (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO) ? \
>>>>>>>         (errfinish rest) : (void) 0), (elevel >= ERROR ? exit(0) : 0)
>>>>>>> #else
>>>>>>> /* Normal def */
>>>>>>> #endif
>>>>
>>>> As for Coverity, if the elevel that's passed to the ereport is really a
>>>> constant, the above #ifdef should absolutely do the trick for us so we know to
>>>> stop analyzing on that path...Let me know if it doesn't actually do that ;)
>>>
>>> If you're willing to require elevel to always be a constant then why not just
>>> tack on the (elevel >= ERROR ? exit(0) : 0) onto the end of the regular
>>> definition of ereport instead of having an ifdef?
>>
>> Well, the only cost would be a useless call to exit() for each
>> elog/ereport with an elevel >= ERROR. It bloats the binary a bit. Not
>> sure whether people care enough about that.
>
> We care.  :-)

Why?  I don't think we are able to run 'embedded' now as it is, so its not 
like we're dealign with system with small disk spaces :)  how much bigger 
would adding that exit() make the binary?  Martijn, could you do a build 
with/without it and compare sizes?

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Tom Lane
Date:
"Marc G. Fournier" <scrappy@postgresql.org> writes:
> Why?  I don't think we are able to run 'embedded' now as it is, so its not 
> like we're dealign with system with small disk spaces :)  how much bigger 
> would adding that exit() make the binary?

It's not only the exit(), as the elevel parameter isn't always a
constant.  The proposed patch would at a minimum expose us to
double-evaluation risks.  I kinda doubt there are any cases where an
elevel parameter expression has side-effects, so that objection may be
mostly hypothetical, but nonetheless we are talking about more than just
wasting a few bytes.  It's not impossible that the patch would introduce
outright bugs.  Consider something like
/* ENOENT is expected, anything else is not */elog(errno == ENOENT ? DEBUG : ERROR, ...)

By the time control comes back from elog, errno would likely be
different, and so this would result in an unexpected exit() call
if the patch is in place.  I'd be the first to call the above poor
coding, but it wouldn't be a bug ... unless the errno is rechecked.

It's been asserted that Coverity can be taught to understand about
elog/ereport without this sort of hack, so I'd rather take that tack.
        regards, tom lane


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Bruce Momjian
Date:
Tom Lane wrote:
> "Marc G. Fournier" <scrappy@postgresql.org> writes:
> > Why?  I don't think we are able to run 'embedded' now as it is, so its not 
> > like we're dealign with system with small disk spaces :)  how much bigger 
> > would adding that exit() make the binary?
> 
> It's not only the exit(), as the elevel parameter isn't always a
> constant.  The proposed patch would at a minimum expose us to
> double-evaluation risks.  I kinda doubt there are any cases where an
> elevel parameter expression has side-effects, so that objection may be
> mostly hypothetical, but nonetheless we are talking about more than just
> wasting a few bytes.  It's not impossible that the patch would introduce
> outright bugs.  Consider something like
> 
>     /* ENOENT is expected, anything else is not */
>     elog(errno == ENOENT ? DEBUG : ERROR, ...)
> 
> By the time control comes back from elog, errno would likely be
> different, and so this would result in an unexpected exit() call
> if the patch is in place.  I'd be the first to call the above poor
> coding, but it wouldn't be a bug ... unless the errno is rechecked.
> 
> It's been asserted that Coverity can be taught to understand about
> elog/ereport without this sort of hack, so I'd rather take that tack.

Agreed.  The idea of modifying our binary in any way to help a sanity
tool not complain is totally backwards.

--  Bruce Momjian   http://candle.pha.pa.us SRA OSS, Inc.   http://www.sraoss.com
 + If your life is a hard drive, Christ can be your backup. +


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Stephen Frost
Date:
* Bruce Momjian (pgman@candle.pha.pa.us) wrote:
> > It's been asserted that Coverity can be taught to understand about
> > elog/ereport without this sort of hack, so I'd rather take that tack.
>
> Agreed.  The idea of modifying our binary in any way to help a sanity
> tool not complain is totally backwards.

This is very amusing.  I have to agree w/ Tom in general, the code in
this case does the right thing and the Coverity tool should be able to
be told about that.  However, for areas where the tool is actually right
and there's some bug in Postgres, well, I'd hope we'd modify Postgres to
fix the bug... ;)
Enjoy,
    Stephen

Re: Coverity Open Source Defect Scan of PostgreSQL

From
"Marc G. Fournier"
Date:
On Thu, 9 Mar 2006, Tom Lane wrote:

> "Marc G. Fournier" <scrappy@postgresql.org> writes:
>> Why?  I don't think we are able to run 'embedded' now as it is, so its not
>> like we're dealign with system with small disk spaces :)  how much bigger
>> would adding that exit() make the binary?
>
> It's not only the exit(), as the elevel parameter isn't always a
> constant.  The proposed patch would at a minimum expose us to
> double-evaluation risks.  I kinda doubt there are any cases where an
> elevel parameter expression has side-effects, so that objection may be
> mostly hypothetical, but nonetheless we are talking about more than just
> wasting a few bytes.  It's not impossible that the patch would introduce
> outright bugs.  Consider something like
>
>     /* ENOENT is expected, anything else is not */
>     elog(errno == ENOENT ? DEBUG : ERROR, ...)
>
> By the time control comes back from elog, errno would likely be
> different, and so this would result in an unexpected exit() call
> if the patch is in place.  I'd be the first to call the above poor
> coding, but it wouldn't be a bug ... unless the errno is rechecked.
>
> It's been asserted that Coverity can be taught to understand about
> elog/ereport without this sort of hack, so I'd rather take that tack.

I realize that this might sound 'odd' ... but, would it maybe make sense 
to document the code around stuff like this as to why we do it the way we 
do?  Basically, we're debating how we could change the code to clean 
things up for Coverity's analysis, and by the fact that we're getting both 
sides of the discussion, there are ppl that think that the code 
could/should be changed ... the arguments against make sense, but instead 
of coming back to revisit this some time in the future, documenting it in 
the code as to why we are doing it this way in the first place might save 
time?

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Ben Chelf
Date:
On 3/8/06, Josh Berkus <josh ( at ) agliodbs ( dot ) com> wrote:
>    Actually, I thougth that Neil/eDB did this with their copy.  Is> there any way to get a copy of that "training
configuration"?


Just to jump in on this thread, we can absolutely configure elog -- if 
you have the config already, great. If not, if you can just send me the 
prototype/macro expansion for 'elog' and the constant values that are 
passed in the case where it exits, I'll add that config. Thanks!

-ben


Re: Coverity Open Source Defect Scan of PostgreSQL

From
Martijn van Oosterhout
Date:
On Wed, Mar 08, 2006 at 10:34:38PM -0800, Ben Chelf wrote:
> On 3/8/06, Josh Berkus <josh ( at ) agliodbs ( dot ) com> wrote:
>
> >    Actually, I thougth that Neil/eDB did this with their copy.  Is
> > there any way to get a copy of that "training configuration"?
>
>
> Just to jump in on this thread, we can absolutely configure elog -- if
> you have the config already, great. If not, if you can just send me the
> prototype/macro expansion for 'elog' and the constant values that are
> passed in the case where it exits, I'll add that config. Thanks!

I don't know it anyone has responded to this but it works as follows.
the actual source can be seen here:

http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/utils/elog.h?rev=1.82

elog expands to elog_finish, which doesn't return if the first argument
is >= ERROR (which is the number 20).

ereport(X) is more complex. You want the first argument of that but it
expands to something similar to:

errstart(X), errfinish()

if X >= ERROR in the call to errstart, errfinish doesn't return.

Hope this helps,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.