Closed adeaarm closed 1 year ago
I'm 99% sure there is no real problem with the code. QCBOR has been analyzed be real thorough static analyzers many times and they don't flag this error. I also looked briefly at the code and don't see a problem.
So the issue is how to stop the false warnings for not-very-good static analysis like that provided by -Wmaybe-uninitialized. I do want QCBOR to compile well in all environments.
I'm hesitant about adding an unnecessary initialization because it will probably increase code size somewhere. I want to see if there's another way to solve this or see that the code size increase is very small.
Will take me a little while to figure this out, but wanted to provide a response right away. Thanks for reporting.
I plan on finding a fix here, but any comment on why you are using -Wmaybe-uninitialized (rather than a better static analyzer)?
Hi @laurencelundblade , thanks for the feedback. We simply build TF-M using -Wall
by default with GCC, and I believe that -Wmaybe-uninitialized
is enabled by default in that case (at least starting from gcc 10). Note that this affects only optimized builds. Regarding the specifics of this warning, we did not re-run any other static analyzer so I can't really comment on how genuine this issue is. It looks connected to the early return available in the function that populates the Item object. Might get back to this at some point and update this thread with additional findings, in the meantime you have your evaluation from your side as well.
See #179
While I understand the point about the performance hit by initialising, I don't see why that would be a problem regarding security, especially compared to the current strategy which is to leave them uninitialised, i.e. initialise with casual data found on the stack. In other words, if the security of the QCBORItem might be adversely affected by its initialisation values, then this would be even a stronger point to provide initialization functions for those items.
Hi,
Did you read the whole comment in the source file?
A number of big tech companies (US and Chinese) have run formal static analysis on this code that is much more thorough than -Wmaybe-uninitialized because they are using it for critical things.
I misinterpreted your comment about security. I agree with the points above.
Just to add a bit more of context: The fixed value init proposed above was meant just to silence the warning, not to fix an issue assuming that it was genuine.
Fixed by #179
Hello,
while using
arm-none-eabi-gcc (GNU Arm Embedded Toolchain 10.3-2021.10) 10.3.1 20210824 (release)
and building with options-Wmaybe-uninitialized
these warnings appear:One way of fixing them would be by always initialising
QCBORItem Item = {0}
; on those declarations.