<div dir="ltr"><div><div><div>Hi, Lucas, Jordan:<br><br></div>About the division by zero checking, I run this:<br><br></div><div>scan-build --use-analyzer /usr/bin/clang -o buildres/ clang -c -I testcasesupport -DOMITGOOD testcases/CWE369_Divide_by_Zero/s02/CWE369_Divide_by_Zero__int_zero_divide_01.c -o /dev/null<br>
<br></div><div>and I get the warnng:<br><br>testcases/CWE369_Divide_by_Zero/s02/CWE369_Divide_by_Zero__int_zero_divide_01.c:30:22: warning: Division by zero<br> printIntLine(100 / data);<br> ~~~~^~~~~~<br>
<br></div><div>So, Lucas, which file was failing for you?<br></div><div><br>Regarding the experience, here it is what I gathered till now:<br><br>I created a very huge file_list.txt, containing the source files to compile (I used 'find -name *.c*' in the juliet directory), then filtered away the 'main\.c', 'main_linux\.c' and 'testcasesupport' files (grep -v), which have nothing to check, then I sorted the list by CWE number (I had to do manual sorting because I couldn't manage to sort, for example, CWE15_* and CWE114_* correctly).<br>
<br>Since I can't check for win32-only tests (I'm using linux), I filtered them via 'grep -v w32' and 'grep -v wchar_t' (some tests require a 'fopen'-like function with wchar_t string, which seems to be exclusive to win32).<br>
<br></div>Regarding the per-translation-unit analysis, some files are, indeed, separated sources for a program, so I didn't hesitate to filter them with these patterns, according to the manual: "[abcdeBG]\.c" and "good1" (last was associated with a 'bad' file, which was already filtered).<br>
<br></div><div>With this file_lists.txt, I run the static analyzer only for the false positives, with this command:<br><br>< file_list.txt xargs -n 1 scan-build --use-analyzer /usr/bin/clang -disable-checker deadcode.DeadStores -o buildres/ clang -c -I testcasesupport -DOMITBAD -o /dev/null > /dev/null 2> warns.txt<br>
<br></div><div>so, it checks all the files in the file list, saves the results in buildres and reports the warnings in warns.txt file, ignoring the DeadStores warns because they're reported a lot often.<br><br></div>
<div>Well, there are tons of false positives, caused by the flow variants which involve global and static variables, shadow variables usage, etc.<br><br></div><div>To the devs, I'd like to know which CWE are you interested, from the list I attached on that email: <a href="http://lists.cs.uiuc.edu/pipermail/cfe-dev/2014-February/035113.html">http://lists.cs.uiuc.edu/pipermail/cfe-dev/2014-February/035113.html</a> .<br>
<br></div><div>About the results, if I have more time, I'll post some of them.<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-02-18 2:05 GMT+01:00 Lucas Kanashiro <span dir="ltr"><<a href="mailto:kanashiro.duarte@gmail.com" target="_blank">kanashiro.duarte@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks Jordan!<br>
<br>
Could you leave me updated on the matter? I am so interested in this,<br>
and if it is necessary and possible i want to help to solve the<br>
potential issue.<br>
<br>
Edward, can you tell us your experience with Clang and Juliet Test<br>
Suite?<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Mon, 2014-02-17 at 09:43 -0800, Jordan Rose wrote:<br>
> Hi, Lucas. The analyzer currently runs a per-translation-unit analysis, so it misses some bugs that whole-program analysis may be able to catch. I'm guessing that's the reason it's unable to catch this particular issue.<br>
><br>
> In general, the analyzer is set for reasonably fast turnaround (depending on the size of the project, of course), so it also might not do a fully precise interprocedural analysis if the state space gets too big. I'd have to see the particular test case to tell what's going on here.<br>
><br>
> I did see that Edward (CC'd) wanted to try bringing in the Juliet Test Suite for the analyzer, but neither I nor Ted (the lead on the analyzer) have gotten the chance to sit down and look at what this would actually entail. It's possible he's encountered similar issues, however.<br>
><br>
> Jordan<br>
><br>
><br>
> On Feb 15, 2014, at 5:58 , Lucas Kanashiro <<a href="mailto:kanashiro.duarte@gmail.com">kanashiro.duarte@gmail.com</a>> wrote:<br>
><br>
> > I am trying to running 'scan-build' in Juliet suite testcase v1.2 (NIST<br>
> > indication) to catch some bugs of 'Division by zero' (CWE 369) and I<br>
> > can't do it, the scan-build can't show me the existing bugs. Did someone<br>
> > try to do it yet?<br>
> ><br>
> > I have a doubt that scan-build can identify a bug of division by zero in<br>
> > this case (when parameter denominator is zero):<br>
> ><br>
> > int divide (int denominator) {<br>
> > return 10/denominator;<br>
> > }<br>
> ><br>
> > Can someone help me? Is this a deficiency of scan-build? Can scan-build<br>
> > identify the bugs in Juliet suite?<br>
> ><br>
> > Thanks in advance!<br>
> ><br>
> > --<br>
> > Lucas Kanashiro Duarte<br>
> > Engenharia de Software - FGA/UnB<br>
> > <a href="mailto:kanashiro.duarte@gmail.com">kanashiro.duarte@gmail.com</a><br>
> ><br>
> > _______________________________________________<br>
> > cfe-users mailing list<br>
> > <a href="mailto:cfe-users@cs.uiuc.edu">cfe-users@cs.uiuc.edu</a><br>
> > <a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-users" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-users</a><br>
><br>
<br>
--<br>
Lucas Kanashiro Duarte<br>
Engenharia de Software - FGA/UnB<br>
<a href="mailto:kanashiro.duarte@gmail.com">kanashiro.duarte@gmail.com</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Mathematics is the language with which God has written the universe. (Galilei)
</div>