From: Paul Floyd <paulf2718@gmail.com>
To: freebsd-hackers@freebsd.org
Date: Wed, 11 Sep 2024 05:54:55 +0000
Subject: Re: The Case for Rust (in any system)
In-Reply-To: <6FEF9D06-01DC-48DC-93D2-178F9726C1D3@freebsd.org>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On 06-09-24 07:02, David Chisnall wrote:
> On 5 Sep 2024, at 22:13, Alan Somers wrote:
>>
>> I used to check it, years ago. But I gave up. The UI is too hard to
>> use and false alarms are both too frequent and too hard to suppress.
>> Plus, it's a real drag that I can't run the tool myself. Instead, I
>> need to wait for the next scheduled run.
>
> In general, it’s very hard to add static analysis to existing projects.
> The property that you want is that there are no *new* static analyser
> errors in a new commit, but that requires tracking all of the existing
> ones. In CHERIoT RTOS, we run the clang analyser in CI as one of the
> checks that must pass before a PR can be merged. This is possible
> because we started doing it very early on. It may be possible for some
> individual parts of FreeBSD, but when we started with Coverity I looked
> at the reports and the first ten I looked at were all false positives.
> There are probably some serious issues in there but the effort to find
> them is high. For a new project, that cost is a small incremental cost
> in each commit and code review (if the analyser finds something, the
> reviewer has to agree that it’s a false positive).

Beware of the confirmation bias false positives as well, where the tool
is correct but the developer wants to believe that their code is correct.

The main problem with static analysis is complexity. As I understand it
they only perform analysis at function scope. Since the output is
explained step by step you can usually see why it went wrong. One common
thing that I see is that in one place it reports a size to be within a
certain range and then later reports an out of bounds access with a
different size. Because of its vision of local scope it doesn't see that
the size can't change between the two (assuming monothreadedness).

A+
Paul
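The gating approach David Chisnall describes above (no *new* analyser findings in a commit, which means carrying the existing ones as a baseline), as an added example that is not code from this thread, from CHERIoT RTOS or from FreeBSD: a small Python gate that compares a baseline findings list against the current run and fails only on findings the baseline does not account for. The file paths, checker names and messages in the embedded sample data are constructed, and the JSON field layout is an assumption rather than any particular tool's output format.

```python
import json
from collections import Counter

# Constructed sample data: analyser output (e.g. clang scan-build's JSON
# form) reduced to the fields the gate needs.  Paths and messages are
# made up for this example.
BASELINE_JSON = """[
 {"file": "sys/kern/foo.c", "line": 120, "checker": "core.NullDereference",
  "message": "Dereference of null pointer"},
 {"file": "lib/libc/bar.c", "line": 44, "checker": "unix.Malloc",
  "message": "Potential leak of memory pointed to by 'p'"}
]"""
CURRENT_JSON = """[
 {"file": "sys/kern/foo.c", "line": 131, "checker": "core.NullDereference",
  "message": "Dereference of null pointer"},
 {"file": "lib/libc/bar.c", "line": 44, "checker": "unix.Malloc",
  "message": "Potential leak of memory pointed to by 'p'"},
 {"file": "lib/libc/bar.c", "line": 98, "checker": "unix.Malloc",
  "message": "Potential leak of memory pointed to by 'p'"},
 {"file": "sys/net/baz.c", "line": 7, "checker": "alpha.security.ArrayBound",
  "message": "Out of bound memory access"}
]"""

def finding_key(f):
    # Identity deliberately ignores the line number: a commit that only
    # shifts code must not turn an old finding into a "new" one.
    return (f["file"], f["checker"], f["message"])

def new_findings(baseline, current):
    # Multiset budget: a second identical finding in the same file (same
    # leak message at a different line) is still new and must be reported.
    budget = Counter(finding_key(f) for f in baseline)
    fresh = []
    for f in current:
        k = finding_key(f)
        if budget[k] > 0:
            budget[k] -= 1          # absorbed by a pre-existing finding
        else:
            fresh.append(f)
    return fresh

def gate(baseline_json, current_json):
    """CI check: 0 when the commit adds no findings, 1 (fail) otherwise."""
    fresh = new_findings(json.loads(baseline_json), json.loads(current_json))
    for f in fresh:
        print(f"NEW {f['checker']} {f['file']}:{f['line']}: {f['message']}")
    return 1 if fresh else 0

if __name__ == "__main__":
    raise SystemExit(gate(BASELINE_JSON, CURRENT_JSON))
```

Run against the sample data it reports the second leak in bar.c and the new ArrayBound finding while ignoring the moved null-dereference, which is exactly the ratchet behaviour the thread asks for; a finding agreed to be a false positive in review is handled by adding it to the baseline rather than silencing the checker.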