-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CFE_ES_CheckCounterIdSlotUsed doesn't handle error case (NULL dereference) - static analysis warning #1194
Comments
Same for CFE_ES_CheckAppIdSlotUsed, CFE_ES_CheckLibIdSlotUsed, CFE_ES_CheckMemPoolSlotUsed, CFE_SB_CheckPipeDescSlotUsed, CFE_ES_CheckCDSHandleSlotUsed |
It's not really a bug though, it is guaranteed elsewhere that the code never invokes that with an invalid ID, so its impossible to get null in the use case for which that function was intended to be used. |
To clarify this particular function is only supposed to be used with It is also supposed to be an internal helper function (i.e. not part of public API) and as such not possible that external entities other than ES itself can ever invoke this function. (which IIRC internal functions do not require NULL checks on inputs) |
I see it as either it's guaranteed to return success, so you don't need to check the return (and set NULL as the else case) or it can be NULL and you should handle it. I don't follow the logic for having both.. especially when setting it to NULL would cause the following dereference to segfault. Why set up a case like that when it's all internal? |
It's not all internal. This is a case of an internal function (With controlled/known inputs) calling a common API so it doesn't need to repeat the logic. The public API needs to check - per normal requirements of all APIs that have unknown inputs - but these failure cases will never be reached in the context of the helper function where the input is already known to be within range. In this case the code is primarily run at start up so the cost of the redundant test is negligible - this isn't code the runs frequently. So if the objective here is to appease the static analysis tool that doesn't see the full context - then OK.... I'm definitely more concerned about redundant tests in code that executes during steady state/runtime than code that is primarily startup like this one. |
To clarify that a bit -- the There's also a fair number of cases where these functions are also called from an internal context where the ID is known to be good or otherwise range checked already. It just isn't worth implementing a separate "internal" variant that skips the checks - that would cause other problems (duplicate logic, etc). So the existing/common API is used, but it just doesn't (re-?)check for failure when the input is known to be good already. |
I find it interesting where we split on future-proofing. I get opposition when removing a default case or double checking a range where the case could never be exercised even with stubs when its done within the same unit, yet when there's 3 different units involved (the caller, |
That's what I was getting at earlier - the other option is to split up the underlying To clarify - I have no strong objection to double-checking the value here. It is the lesser of two evils. Unnecessarily duplicating some logic and array lookup stuff to bypass checks would be a greater evil. I guess I'm not really worried about a bug getting introduced (via changing one of the functions involved) that causes an out-of-range condition and corresponding segfault because that's a major bug and it would be really obvious the first time your run it that you broke it. "Hiding" the bug by not segfaulting here is probably just going to defer the segfault till a little later, where it's a little more decoupled from the real problem and harder to debug. But either way if someone breaks this code it'll probably segfault at some point - so I don't see this extra check as "saving the system from a segfault" - if someone breaks this code it WILL break the system, an "if" here won't save it. |
CCB - Could do a similar NULL debug check like OSAL with optional abort. Or just put in the if to check and report. Suggest return true |
These are internal helper functions that determine if a table slot corresponding to a given ID is in use or free/available. This updates the function to handle NULL pointers even though in context they are used the lookup should always work.
Fix #1194, check for NULL in SlotUsed helpers
Is your feature request related to a problem? Please describe.
CFE_ES_CheckCounterIdSlotUsed -> CFE_ES_LocateCounterRecordByID can return NULL, and CFE_ES_CounterRecordIsUsed dereferences
cFE/fsw/cfe-core/src/es/cfe_es_resource.c
Lines 366 to 369 in 672b2dc
cFE/fsw/cfe-core/src/es/cfe_es_resource.c
Lines 266 to 281 in 672b2dc
cFE/fsw/cfe-core/src/es/cfe_es_resource.h
Lines 383 to 386 in 672b2dc
Describe the solution you'd like
Handle null
Describe alternatives you've considered
None
Additional context
Static analysis warning
Requester Info
Jacob Hageman - NASA/GSFC
The text was updated successfully, but these errors were encountered: