[cfe-dev] my experience with clang
Ted Kremenek
kremenek at apple.com
Sun Jan 13 12:57:42 PST 2008
On Jan 13, 2008, at 8:17 AM, Nuno Lopes wrote:
>>>
>>> and if the ones before are not initialized unnecessarily.
>>
>> This one I'm not certain what you mean. I'm not certain what you
>> mean by "not initialized unnecessarily."
>
> expanding the previous example:
>
> 1: char *str = NULL;
> 2: int str_len, number = 3;
> 3:
> 4: if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &str, &str_len, &number) == FAILURE) {
> 5:     return;
> 6: }
> 7:
> 8: printf("got the string: %s and the number: %d\n", str, number);
>
> in this case the 'str' didn't need to be initialized, because it is
> guaranteed that after line 6 it was filled in by
> zend_parse_parameters. 'number' needs to be initialized, because it
> is used in line 8 and it isn't guaranteed that zend_parse_parameters
> will fill it in.
Got it. Makes sense.
>> I'm not proposing, however, that we implement ESC/Java for clang,
>> although a subset of those features might be extremely useful, as
>> it is better to encode such properties concerning the contract
>> associated with a function's interface in the actual source code
>> (e.g. header files) instead of hardwiring such knowledge into a
>> specific tool. This not only allows the tool to become more
>> extensible as more code is annotated, but also means that the
>> knowledge is more portable, and doesn't die out when a specific
>> tool dies out.
>
> Uhm, interesting.. I wasn't aware of this ESC/Java tool. I'll
> investigate it further, thanks.
Keep in mind that ESC/Java was a research project, and not something
that was deployed on a wide scale. There are some interesting lessons
from that project, including that annotations can be a huge burden to
users if not used measuredly. We can discuss this more if you are
interested.
Another (more recent) use of annotations was at Microsoft, where they
developed "SAL" (Standard Annotation Language) for annotating
functions for use in buffer overrun detection. The goal was to
provide enough annotations that they could *verify* the absence of
annotations in many cases:
http://msdn2.microsoft.com/en-us/library/ms235402(VS.80).aspx
The one trick is that to use annotations in this way required some
colossal effort by Microsoft engineers (and management), but the hope
was that by using the annotations they would be safe from certain
classes of security bugs (at least for the code that they annotated).
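The contract the example above depends on, as an added example that is not part of this thread and not PHP/Zend code: a minimal stand-in for zend_parse_parameters() that implements only the 's' and 'l' specifiers and the '|' separator. The names parse_params, arg_t, handler and the SUCCESS/FAILURE macros are constructed for this example; the real API has the same shape for these three features (arguments after '|' are optional and their destinations are not written when absent; 'l' writes a long). It makes the thread's point concrete: after a SUCCESS return the required 's' output has always been written, so initialising str is unnecessary, while the optional 'l' output may never be written, so number must carry a default.

```c
/* Added example, not from the thread or from PHP/Zend: a minimal stand-in
 * for zend_parse_parameters() implementing only 's', 'l' and '|'. It shows
 * the contract the thread relies on: destinations of arguments after '|'
 * are left untouched when the argument is not supplied. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SUCCESS 0
#define FAILURE (-1)

/* Constructed argument value: what the engine would hand to the extension. */
typedef struct { int is_string; const char *s; long l; } arg_t;

/* Hypothetical parse_params(): 's' takes (char **, int *), 'l' takes (long *);
 * everything after '|' is optional. Missing required args and type mismatches
 * yield FAILURE. Like the real API, 'l' writes a long, not an int. */
static int parse_params(int num_args, const arg_t *args, const char *spec, ...)
{
    va_list ap;
    int optional = 0, i = 0, rc = SUCCESS;

    va_start(ap, spec);
    for (; *spec; spec++) {
        if (*spec == '|') { optional = 1; continue; }
        if (i >= num_args) {
            /* Argument not supplied: consume the destinations to keep the
             * va_list in sync, but never write through them. */
            if (*spec == 's') { (void)va_arg(ap, char **); (void)va_arg(ap, int *); }
            else if (*spec == 'l') { (void)va_arg(ap, long *); }
            if (!optional) rc = FAILURE;
            continue;
        }
        switch (*spec) {
        case 's': {
            char **dst = va_arg(ap, char **);
            int *len = va_arg(ap, int *);
            if (!args[i].is_string) { rc = FAILURE; break; }
            *dst = (char *)args[i].s;
            *len = (int)strlen(args[i].s);
            break;
        }
        case 'l': {
            long *dst = va_arg(ap, long *);
            if (args[i].is_string) { rc = FAILURE; break; }
            *dst = args[i].l;
            break;
        }
        default:
            rc = FAILURE;
        }
        i++;
    }
    va_end(ap);
    if (i < num_args) rc = FAILURE;   /* more arguments than the spec allows */
    return rc;
}

/* The thread's handler, returning what it would print. 'str = NULL' is not
 * needed ('s' is required, so SUCCESS implies it was written); 'number = 3'
 * is needed ('l' is optional, so it may never be written). */
static int handler(int num_args, const arg_t *args, const char **out_str, long *out_number)
{
    char *str = NULL;
    int str_len;
    long number = 3;

    if (parse_params(num_args, args, "s|l", &str, &str_len, &number) == FAILURE)
        return FAILURE;
    *out_str = str;
    *out_number = number;
    return SUCCESS;
}

/* Only the required string supplied: 'number' keeps its initialiser, 3. */
static long number_when_optional_missing(void)
{
    const arg_t args[] = { { 1, "hello", 0 } };          /* constructed input */
    const char *s = NULL; long n = -1;
    return handler(1, args, &s, &n) == SUCCESS ? n : -1;
}

/* Both supplied: 'number' is overwritten with the caller's value. */
static long number_when_optional_given(void)
{
    const arg_t args[] = { { 1, "hello", 0 }, { 0, NULL, 42 } };
    const char *s = NULL; long n = -1;
    return handler(2, args, &s, &n) == SUCCESS ? n : -1;
}

/* Nothing supplied: required 's' missing, so the call fails before 'str' is read. */
static int result_when_required_missing(void)
{
    const char *s = NULL; long n = 0;
    return handler(0, NULL, &s, &n);
}

int main(void)
{
    printf("optional missing -> number = %ld\n", number_when_optional_missing());
    printf("optional given   -> number = %ld\n", number_when_optional_given());
    printf("required missing -> %d (FAILURE)\n", result_when_required_missing());
    return 0;
}
```

An analyzer that knows this contract (whether hard-wired or read from an annotation on the function's declaration) can tell that the `str = NULL` initialiser is redundant and that dropping `number = 3` would make the print read an uninitialised value when the optional argument is absent.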