[cfe-dev] Clang Analysis of several open source projects.

Joel Sherrill joel.sherrill at OARcorp.com
Thu May 12 10:50:29 PDT 2011


On 05/12/2011 12:16 PM, David Smith wrote:
> On May 12, 2011, at 9:51 AM, John Smith wrote:
>
>>> On Thu, May 12, 2011 at 6:47 PM, Ben Laurie <benl at google.com> wrote:
>>> Experience with static analysis says that almost all the issues will be
>>> false positives (at least in openssl).
>>>
>> This is indeed the argument against static analysis that I hear from
>> developers. But if this is universally known to be true, then why
>> bother with static analysis in the first place? Isn't this part of the
>> project just a waste of time then?
>>
>>
>> Regards,
>>
>>
>> John Smith.
> Sorting out 50 real bugs from a few hundred analyzer results is vastly easier than finding them in 200,000 lines of code. The static analyzer is a tool (and a very useful one!), not a miracle. False positives can also point out code that's difficult to reason about and might be good to refactor.
>
Agreed.  If an analyser has trouble reasoning
about a piece of code, you have to wonder
about that code.   RTEMS reworked a lot of code between
doing static analysis and performing instruction
level test coverage.
> 	David
>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev


-- 
Joel Sherrill, Ph.D.             Director of Research & Development
joel.sherrill at OARcorp.com        On-Line Applications Research
Ask me about RTEMS: a free RTOS  Huntsville AL 35805
    Support Available             (256) 722-9985
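Added example for the point made above (that a report the analyzer cannot
discharge usually marks code worth restructuring). This is not code from the
thread, from clang or from RTEMS; the function names, the "hard" and "clear"
variants and the sample arrays are all constructed for illustration. The first
function is correct but keeps its invariant spread across two variables, the
shape that uninitialized-value checkers tend to flag; the second keeps the same
contract with the invariant local to the point of use.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not code from the cfe-dev thread, from clang or from RTEMS.
 * Both functions return the last non-zero element of v[0..n) through *out
 * and return 1, or return 0 when there is none.
 */

/* Correct but hard to reason about: `last` is assigned only when `found`
 * becomes 1, and read only when `found` is 1. A checker that does not track
 * that correlation across the loop reports a possible read of an
 * uninitialized value at the marked line. */
int last_nonzero_hard(const int *v, size_t n, int *out)
{
    int last;           /* deliberately left uninitialized; guarded by `found` */
    int found = 0;

    for (size_t i = 0; i < n; i++) {
        if (v[i] != 0) {
            last = v[i];
            found = 1;
        }
    }
    if (found)
        *out = last;    /* the read an analyzer may flag */
    return found;
}

/* Same contract, restructured: one always-initialized variable carries both
 * "was anything found" and "what was found", so the property needed at the
 * point of use is checked right there instead of being implied by a flag. */
int last_nonzero_clear(const int *v, size_t n, int *out)
{
    const int *hit = NULL;

    for (size_t i = 0; i < n; i++)
        if (v[i] != 0)
            hit = &v[i];
    if (hit == NULL)
        return 0;
    *out = *hit;
    return 1;
}

/* Wrappers returning a single value so the two versions can be compared
 * directly; `dflt` is returned when no non-zero element exists. */
int last_nonzero_hard_or(const int *v, size_t n, int dflt)
{
    int out;
    return last_nonzero_hard(v, n, &out) ? out : dflt;
}

int last_nonzero_clear_or(const int *v, size_t n, int dflt)
{
    int out;
    return last_nonzero_clear(v, n, &out) ? out : dflt;
}

/* Constructed sample inputs (not data from the thread). */
static const int sample_mixed[] = { 0, 3, 0, 7, 0 };
static const int sample_zeros[] = { 0, 0, 0 };

int main(void)
{
    printf("mixed: hard=%d clear=%d\n",
           last_nonzero_hard_or(sample_mixed, 5, -1),
           last_nonzero_clear_or(sample_mixed, 5, -1));
    printf("zeros: hard=%d clear=%d\n",
           last_nonzero_hard_or(sample_zeros, 3, -1),
           last_nonzero_clear_or(sample_zeros, 3, -1));
    return 0;
}
```

Running `clang --analyze` (or `scan-build`) over a file like this is the
usual way to see what a given analyzer version makes of the first form;
whether it reports it depends on how that version handles the loop. The point
of the second form is that the question no longer arises, for the tool or for
a human reviewer.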