[cfe-dev] Static analysis tool development

Ben Laurie benl at google.com
Sat Jan 17 07:12:14 PST 2009


On Sat, Jan 17, 2009 at 3:05 PM, Nikita Zhuk <nikita at zhuk.fi> wrote:
>
> On 17.1.2009, at 1.42, Ted Kremenek wrote:
>
>> [3] The analyzer can be extended with new sets of "checks" by not
>> invasively modifying the analyzer internals.  Such extensibility can
>> be provided with different layers of abstraction from the core
>> analyzer API, with very high-level checks possibly being written in
>> a very high-level manner (e.g., declarative) while some checks
>> requiring more direct access to the core analyzer APIs.  Both ends
>> of the spectrum are important because some checks will require
>> sophisticated algorithms with deep reasoning about the program while
>> others might be much simpler and just clue off of common interfaces
>> and APIs.
>
> I thought I could comment on that a little. As Ted said, it's possible
> to extend the analyzer with new sets of checks without large
> modifications. At our company we have combined this possibility with
> manual code reviews - when a bug is found during a code review, we try
> to implement a static analyzer check which would a) automatically
> check the rest of the code for the same problem and b) prevent this
> problem in the future. I have been able to implement some basic checks
> without extensive compiler or C++ background fairly easily into clang
> itself by using the AnalysisManager API. The results have been very
> positive.
>
> If/when clang static analyzer will allow easy extensibility as Ted
> described in option [3], it would be very interesting to see if clang
> user community could come up with some collaborative way of sharing
> various custom checks as pluggable & configurable components. A wiki,
> perhaps? I think that sharing programming experience and knowledge as
> clang analyzer checks for common programming errors and best practices
> would be useful for open source community.

What would be wrong with just integrating them into the source and
having them individually enableable?


