PlaneShift

Development => Development Deliberation => Topic started by: lbalbalba on June 18, 2012, 06:06:37 pm

Title: static src analysis for fun and profit
Post by: lbalbalba on June 18, 2012, 06:06:37 pm
Hi,

I have been playing around with the llvm/clang static source code analyzer (http://clang.llvm.org/get_started.html) for a while, and thought it might be fun to run it on the PlaneShift source code. Even though the C++ analyzer in particular is still viewed as alpha quality at this time, the results might be interesting for those interested, and can be found here:


http://www.lbalbalba.url.ph/clang/planeshift/


Regards,


John Smith.

Edit: Updated to the PlaneShift SVN.
Title: Re: static src analysis for fun and profit
Post by: Mordaan on July 02, 2012, 04:15:18 pm
Hah, interesting.

When you have a project as old as this one, with so many contributors over the years, the code could probably use a periodic analysis/clean-up. Who knows, maybe this can lead to solving some of those crashes. :whistling:
Title: Re: static src analysis for fun and profit
Post by: LigH on July 02, 2012, 04:30:51 pm
Reading compiler warnings would possibly be a first step before this giant leap. And be careful, automated analyzers aren't smarter than their programmers...
Title: Re: static src analysis for fun and profit
Post by: lbalbalba on July 02, 2012, 05:43:55 pm
Quote from: LigH
be careful, automated analyzers aren't smarter than their programmers...

This is very true, especially since the C++ (not the C) analyzer is still considered to be in the beta stage at this point in time. However, I still think that it might be useful if a developer who has decent knowledge of the overall codebase took a look at the report. And if one had the extra time and was really interested in this, one could also aid in improving the analyzer by posting 'false positives' against the Clang Static Analyzer component in the llvm-clang bug tracker: http://llvm.org/bugs/


And I do remember a developer stating one time that if an analyzer can't make sense of the code, that might mean that piece of code is a good candidate for refactoring.

Anyway, thanks for all the responses so far.

PS: compiler warnings aren't smarter than their programmers either ;)
Title: Re: static src analysis for fun and profit
Post by: lbalbalba on February 24, 2014, 09:07:34 am
Updated to the latest PlaneShift SVN and llvm/clang SVN:

http://www.lbalbalba.url.ph/clang/planeshift/
Title: Re: static src analysis for fun and profit
Post by: lbalbalba on March 13, 2014, 09:27:28 pm
Updated to the latest PlaneShift SVN (r9332) and llvm/clang SVN (r203802) once more:

http://www.lbalbalba.url.ph/clang/planeshift/
Title: Re: static src analysis for fun and profit
Post by: Sen on March 14, 2014, 07:07:13 pm
There are no security-related bugs mentioned (not counting e.g. the null dereference and use-after-free). Was security a part of the test scenario?
Title: Re: static src analysis for fun and profit
Post by: derula on March 14, 2014, 09:08:21 pm
FYI: lbalbalba's site is being blocked by F-Secure as malicious.
Title: Re: static src analysis for fun and profit
Post by: lbalbalba on March 14, 2014, 09:18:45 pm
Quote from: derula
FYI: lbalbalba's site is being blocked by F-Secure as malicious.

Really? That sucks. Big bad booo, F-Secure!
Title: Re: static src analysis for fun and profit
Post by: lbalbalba on March 14, 2014, 09:20:26 pm
Quote from: Sen
There are no security-related bugs mentioned (not counting e.g. the null dereference and use-after-free). Was security a part of the test scenario?

Security is not a separate goal for the scanner. It attempts to find *all* bugs, security-related or not.
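For readers who want to see what running the analyzer from the first post actually reports, and what the "null dereference" and "use after free" findings mentioned above look like in code, here is an added example. It is not PlaneShift code and not from any poster in this thread: the file name, the Player struct and the default of 10 are illustrative assumptions. The *Buggy functions are the ones the analyzer is expected to flag; the *Fixed variants are what a clean-up would turn them into.

```cpp
// Added example, not PlaneShift's code: two of the bug classes the clang
// static analyzer reports (null dereference, use after free), each beside a
// fixed variant. Run it through the analyzer with, for example:
//   scan-build -o report clang++ -std=c++11 -c analyzer_demo.cpp
// and open the HTML report; the *Buggy functions are the ones expected to be
// flagged. The file name and the Player struct are illustrative assumptions.
#include <cstdio>
#include <string>

struct Player {
    std::string name;
    int hp;
};

// Buggy: p is compared against nullptr and then dereferenced on every path,
// including the null one. The analyzer's null-dereference checker is built to
// catch exactly this "checked, then dereferenced anyway" pattern.
int hpWithBonusBuggy(const Player* p) {
    int bonus = 0;
    if (p == nullptr) {
        bonus = 10;
    }
    return p->hp + bonus;  // dereferences a null pointer when p == nullptr
}

// Fixed: the null path returns before any dereference. (Returning a default
// of 10 is an assumption made for the example.)
int hpWithBonusFixed(const Player* p) {
    if (p == nullptr) {
        return 10;
    }
    return p->hp;
}

// Buggy: the object is deleted and then read. This is the use-after-free
// pattern; the analyzer's new/delete checker reports reads after delete.
int nameLengthBuggy() {
    Player* p = new Player;
    p->name = "Guest";
    p->hp = 1;
    delete p;
    return static_cast<int>(p->name.size());  // read from freed memory
}

// Fixed: read what is needed, then release the object.
int nameLengthFixed() {
    Player* p = new Player;
    p->name = "Guest";
    p->hp = 1;
    int len = static_cast<int>(p->name.size());
    delete p;
    return len;
}

// Drives only the fixed variants on constructed input; returns true when they
// behave as documented. The buggy variants are never executed here: they exist
// to be read by the analyzer, not run.
bool fixedVariantsBehave() {
    Player p;
    p.name = "Guest";
    p.hp = 42;
    return hpWithBonusFixed(&p) == 42
        && hpWithBonusFixed(nullptr) == 10
        && nameLengthFixed() == 5;
}

int main() {
    std::printf("fixed variants behave: %s\n", fixedVariantsBehave() ? "yes" : "no");
    return fixedVariantsBehave() ? 0 : 1;
}
```

For a whole tree you wrap the build instead of a single compile, e.g. `scan-build make`, so every compiler invocation is analyzed. Note that the null-dereference report is path-sensitive: it is the `p == nullptr` comparison that creates the null path the analyzer follows into the dereference, which is also why a report like this is worth a human look rather than a blind fix (the comparison may be the dead code, not the dereference).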