Topic: static src analysis for fun and profit

lbalbalba

static src analysis for fun and profit
« on: June 18, 2012, 11:06:37 am »
Hi,

I have been playing around with the llvm/clang static source code analyzer (http://clang.llvm.org/get_started.html) for a while, and thought it might be fun to run it on the planeshift source code. Even though especially the C++ analyzer is still viewed as alpha quality at this time, for those interested the results might be interesting and can be found here:


http://www.lbalbalba.url.ph/clang/planeshift/


Regards,


John Smith.

Edit: Updated to the planeshift svn
« Last Edit: February 24, 2014, 03:06:24 am by lbalbalba »

Mordaan

Re: static src analysis for fun and profit
« Reply #1 on: July 02, 2012, 09:15:18 am »
Hah, interesting.

When you have a project as old as this one now with so many contributors over the years, the code could probably use a periodic analysis/clean up.  Who knows, maybe this can lead to solving some of those crashes.   :whistling:
--Overseer, Explorers Guild.

LigH

Re: static src analysis for fun and profit
« Reply #2 on: July 02, 2012, 09:30:51 am »
Reading compiler warnings would possibly be a first step before this giant leap. And be careful, automated analyzers aren't smarter than their programmers...

Gag Harmond
Knight and Ambassador
The Royal House of Purrty

lbalbalba

Re: static src analysis for fun and profit
« Reply #3 on: July 02, 2012, 10:43:55 am »
be careful, automated analyzers aren't smarter than their programmers...
This is very true. Especially when the C++ (not the C) analyzer is still considered to be in the beta stage at this point in time. However, I still think that it might be useful if a developer that has decent knowledge of the overall codebase took a look at the report. And if one would have the extra time and be really interested in this, one could also aid in improving the analyzer by posting 'false positives' against the Clang Static Analyzer component in the llvm-clang bug tracker: http://llvm.org/bugs/


And I do remember a developer stating one time that if an analyzer can't make sense of the code, that might mean that piece of code is a good candidate for refactoring.

Anyway, thanks for all the responses so far.

PS: compiler warnings aren't smarter than their programmers either ;)
« Last Edit: July 02, 2012, 11:18:19 am by lbalbalba »

lbalbalba

Re: static src analysis for fun and profit
« Reply #4 on: February 24, 2014, 03:07:34 am »
Updated to the latest planeshift svn and llvm/clang svn:

http://www.lbalbalba.url.ph/clang/planeshift/

lbalbalba

Re: static src analysis for fun and profit
« Reply #5 on: March 13, 2014, 03:27:28 pm »
Updated to the latest planeshift svn (r9332) and llvm/clang svn (r203802) once more:

http://www.lbalbalba.url.ph/clang/planeshift/

Sen

Re: static src analysis for fun and profit
« Reply #6 on: March 14, 2014, 01:07:13 pm »
There are no security-related bugs mentioned (not counting e.g. the null dereference and use after free). Was security a part of the test scenario?
.....also a saddle that won't pinch the tail. One day!

derula

Re: static src analysis for fun and profit
« Reply #7 on: March 14, 2014, 03:08:21 pm »
FYI: lbalbalba's site is being blocked by F-Secure as malicious.

lbalbalba

Re: static src analysis for fun and profit
« Reply #8 on: March 14, 2014, 03:18:45 pm »
FYI: lbalbalba's site is being blocked by F-Secure as malicious.
Really? That sucks. Big bad booo F-Secure!

lbalbalba

Re: static src analysis for fun and profit
« Reply #9 on: March 14, 2014, 03:20:26 pm »
There are no security-related bugs mentioned (not counting e.g. the null dereference and use after free). Was security a part of the test scenario?
Security is not a separate goal for the scanner. It attempts to find *all* bugs, security-related or not.