[libvirt] [PATCH] Make really sure we don't access non-existing vCPUs

Martin Kletzander mkletzan at redhat.com
Tue Jul 12 15:54:03 UTC 2016 

On Tue, Jul 12, 2016 at 03:01:57PM +0200, Peter Krempa wrote:
>On Tue, Jul 12, 2016 at 13:44:10 +0200, Martin Kletzander wrote:
>> MinGW complained that we might be dereferencing a NULL pointer.  While
>
>^^ Does anybody use that?
>

Well, if nobody uses that, feel free to send a patch removing all mingw
functionality then.

>> that's most probably not going to be true (now), the logic certainly
>> allows for that and we might actually do this a lot in the future with
>> sparse vcpu mapping.
>>
>> ../../src/conf/domain_conf.c: In function 'virDomainDefGetVcpuPinInfoHelper':
>> ../../src/conf/domain_conf.c:1545:17: error: potential null pointer
>> dereference [-Werror=null-dereference]
>>          if (vcpu->cpumask)
>>               ~~~~^~~~~~~~~
>>
>> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
>> ---
>> I could've pushed this as a build breaker, but I'm not really sure
>> everyone will like this to be handled this way.  I also did another
>> fix for this where we don't do int->size_t->int casting all the time,
>> but it's probably not worth the hassle.  Also I don't know whether
>> Peter has more stuff for this in his pockets now, so I figured I
>> rather submit this for review.
>
>It's impossible since virDomainDefGetVcpu returns a valid pointer if i
>is less than def->maxvcpus.
>

It is, but only thanks to how we work with the structure.  Since
def->vcpus is not virDomainVcpuDefPtr but rather _array_ of
virDomainVcpuDefPtr, then it *can* be NULL very easily.  I know we don't
deal with checking member[x] when x < nmembers, but OTOH it's not that
often array of pointers.  Also we do this very similar thing somewhere
else, and the compiler doesn't complain, so we can change to that or
just leave it as it is.

Just so you know, my reasoning for this was that sparse vcpus could
cause the array to be not mapped fully.  I see now that every one of
those pointers are mapped even when it's not needed, so I guess that's
invalid.  No idea why we have that as an array of pointers then.

>Since we are rather adding dead code than not supporting broken
>toolchain ... ACK.
>

The toolchain is actually not broken.  The assumption from the syntactic
POV is valid.  If we thought it is broken we'd probably use
-Wno-null-dereference or similar.

If two lines of dead code (that are clearly readable) are that annoying
to you (more than size_t->int->size_t hindering readability in that
function), I suggest raising that concern in a separate discussion on
the ML so that we have a consensus about dealing with MinGW, clang,
coverity, gcc > 4.9 and other scenarios that cause this.  Way less
people will read it when it's just part of a review for three-line
build-breaker (from my experience).

I, for one, don't really care about this that much, so I won't push
this.  Let's see how we resolve this once and for all (unless someone
pushes another patch under the build-breaker rule).

>>
>>  src/conf/domain_conf.c | 3 +++
>>  1 file changed, 3 insertions(+)
>
>Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20160712/adf5e405/attachment-0001.sig>

More information about the libvir-list mailing list