[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [sarif] RE: codeFlowLocation.location not required
Come to think of it, two different code flows could refer to the same location, and likewise two different stack frames, so we don’t even need to appeal to recursion to justify restoring stackFrame.message.
TL;DR: We can make codeFlowLocation optional, but then we need codeFlowLocation.message (and stackFrame.message).
In Michael’s scenario, we’d want to associate a message like “Resource was locked” with a codeFlowLocation. Now, when we did the location redesign (#130), we removed annotatedCodeLocation.message, because we reasoned “codeFlowLocation has a location property, and the location object has a message property, so we don’t need codeFlowLocation.message.”
But in Michael’s scenario, codeFlowLocation can’t rely on location.message, so codeFlowLocation needs a message of its own. In fact, we should never have allowed codeFlowLocation to rely on location.message, because the same code flow could hit the same location multiple times. And the same is true for stackFrame, if the stack has a recursive call.
I filed two CSD.1 issues:
“at this point in time, an unknown external resource locks a file”
… sounds like a plausible use for this. You can probably think of others. Unless anyone objects, I’ll make that change in the spec.
Well, the SDV team found it useful to capture the notion of a location-free ‘continuance’ kind. You can think of this record as a kind of location-free ‘edge’ between to interesting locations. You could imagine trying to produce an actual location for this part of the execution flow but the SDV team apparently didn’t find that helpful as far as building its viewer experience is concerned.
I’ve thought about this a bit and I wonder whether we shouldn’t loosen the restriction. If you think about concurrent analyses in particular, they might be developed against execution that has more to do with the synchronization/ordering of various things (like resource access) rather than a specific location. And so you can imagine a tool that might provide a speculative entry intended to represent, e.g., ‘at this point in time, an unknown external resource locks a file’. There would be no location for the code flow element to represent this. Obviously, other parts of the code flow (covering the code in question that needs to be proof against unexpected file locks) would have location details.
When I made the location changes (#130), I wrote in the spec that codeFlowLocation.location is required. Seems sensible, right?
But when Chris made the SDK changes, he found that the SDV converter sometimes creates code flow locations with no location-related information. If we make codeFlowLocation.location required, these code flow locations end up with an emptylocation object:
Is this a converter bug, or does it really make sense for a codeFlowLocation to have no location property?