Bug 2362863
| Summary: | glibc: Findings by static analyzers in Fedora 43 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Siteshwar Vashisht <svashisht> |
| Component: | glibc | Assignee: | Arjun Shankar <ashankar> |
| Status: | ASSIGNED --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | araghuku, arjun, codonell, dj, fberat, fweimer, jlaw, josmyers, mcermak, mcoufal, mfabian, pfrankli, ralvaro, sipoyare, skolosov, suraj.ghimire7 |
| Target Milestone: | --- | Flags: | codonell: mirror+ |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
Description
Siteshwar Vashisht
2025-04-29 09:14:47 UTC
Thanks for running the analysis. It will certainly take us a long time to evaluate the results.

Is it feasible to mark them all as a "baseline" and use that going forward to detect changes?

(In reply to Carlos O'Donell from comment #1)
> Thanks for running the analysis. It will certainly take us a long time to
> evaluate the results.
>
> Is it feasible to mark them all as a "baseline" and use that going forward
> to detect changes?

If you only want to review findings introduced in rawhide, they can be seen on the added findings[1] page. See the `+` column in report[2] shared with the Fedora community.

[1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f43-25-Apr-2025/glibc-2.41.9000-10.fc43/added.html
[2] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f43-25-Apr-2025/

A significant amount of findings in the full scan report were for the benchmark tests. I have opened a pull request[1] to exclude benchmark tests path to make the reports more useful.

[1] https://github.com/openscanhub/known-false-positives/pull/17

(In reply to Siteshwar Vashisht from comment #3)
> A significant amount of findings in the full scan report were for the
> benchmark tests. I have opened a pull request[1] to exclude benchmark tests
> path to make the reports more useful.
>
> [1] https://github.com/openscanhub/known-false-positives/pull/17

From first principles the benchmarks should always be correct. I've commented on the github PR with alternative suggestions.

Siteshwar,

I note that we have updated mass scans here:
https://svashisht.fedorapeople.org/openscanhub/mass-scans/

However, glibc is not in the list for the f44 scans, why might that be?

(In reply to Carlos O'Donell from comment #7)
> Siteshwar,
>
> I note that we have updated mass scans here:
> https://svashisht.fedorapeople.org/openscanhub/mass-scans/
>
> However, glibc is not in the list for the f44 scans, why might that be?

glibc differential scan failed[1] as the base SRPM for Fedora 43 could not be built[2].

[1] https://openscanhub.fedoraproject.org/task/90933/
[2] https://openscanhub.fedoraproject.org/task/90972/log/stdout.log

(In reply to Siteshwar Vashisht from comment #8)
> (In reply to Carlos O'Donell from comment #7)
> > Siteshwar,
> >
> > I note that we have updated mass scans here:
> > https://svashisht.fedorapeople.org/openscanhub/mass-scans/
> >
> > However, glibc is not in the list for the f44 scans, why might that be?
>
> glibc differential scan failed[1] as the base SRPM for Fedora 43 could not
> be built[2].
>
> [1] https://openscanhub.fedoraproject.org/task/90933/
> [2] https://openscanhub.fedoraproject.org/task/90972/log/stdout.log

~~~
RPM build errors:
/usr/bin/ld.bfd: cannot find /usr/lib/libatomic.so.1.2.0: No such file or directory <--[gcc]
~~~

This has since been fixed and was part of the GCC 16 transition.

commit 3ca6309421beb8eaa033da5b9c723aecf33f807d
Author: DJ Delorie <dj>
Date: Tue Jan 6 22:07:58 2026 -0500

    Do not try to link glibc32 with libatomic (#2427390)

    GCC now links libatomic on an "as-needed" basis. However, the build environment doesn't have the 32-bit version during our 64-bit builds, and the link fails because the file is missing. Since it isn't needed anyway, just remove that as-needed from those builds. Since the native builds do not need libatomic (which *is* in the build environment), as-needing them is harmless as the not-needed-ness means there isn't even a DT_NEEDED for them.

Is there any way to redo the differential scan?

> Is there any way to redo the differential scan?

It is documented in the Fedora wiki[1]. I have triggered another scan[2] for glibc.

[1] https://fedoraproject.org/wiki/OpenScanHub
[2] https://openscanhub.fedoraproject.org/task/97738/

(In reply to Siteshwar Vashisht from comment #10)
> > Is there any way to redo the differential scan?
>
> It is documented in the Fedora wiki[1]. I have triggered another scan[2] for
> glibc.
>
> [1] https://fedoraproject.org/wiki/OpenScanHub
> [2] https://openscanhub.fedoraproject.org/task/97738/

The scan has failed again as this commit[1] is not there in the Fedora 43 glibc package. I have triggered another scan[1] by adding custom `-fno-link-libatomic` flag for the Fedora 43 build.

[1] https://src.fedoraproject.org/rpms/glibc/c/3ca6309421beb8eaa033da5b9c723aecf33f807d
[2] https://openscanhub.fedoraproject.org/task/97741/