On Fri, May 16, 2008 at 04:02:48PM -0400, Ted Unangst wrote:
> On 5/16/08, Ross Cameron  wrote:

quoted text
> > Mmmmmmm this isn't the first time I've heard of bogus reports from Valgrind.

> >  How does one politely inform the Debian project to not trust it explicitly

> >  and to human audit anything it flags?

>

> I think people are placing too much blame on valgrind.  valgrind

> doesn't tell you "Delete this line of code."  It says "You are using

> uninitialized memory here."  The correct fix is to initialize the

> memory, not delete the line of code.  It's not about trusting or not

> trusting the tool; it's about responding correctly.

>

> I've seen innocuous valgrind reports, but never wrong ones.  I also

> saw a valgrind report ignored as innocuous because it didn't seem to

> cause trouble, only to be the root cause of a problem that cost a

> minimum of ,000 to resolve later.

Yeah, using tools such as valgrind can help a lot, but the danger side

is that it will cause actions to be taken by people who do not

understand the code, just to silence valgrind. Since valgrind flags

the location of the use of uninialized mem, and--of course--not the

root cause, developers can easily be mislead and apply the wrong fix.

I think we have a clear demonstration of the danger of using a tool

without proper understanding of the code here. In addition, the vague

posts from both sides on openssl-dev mailing lists did not help too. 
	-Otto