[cfe-dev] Clang Analysis of several open source projects.

Török Edwin edwintorok at gmail.com
Thu May 12 10:10:43 PDT 2011


On 05/12/2011 07:51 PM, John Smith wrote:
> On Thu, May 12, 2011 at 6:47 PM, Ben Laurie <benl at google.com> wrote:
>>
>> Experience with static analysis says that almost all the issues will be
>> false positives (at least in openssl).
>>
> This is indeed the argument against static analysis that I hear from
> developers. But if this is universally known to be true, then why
> bother with static analysis in the first place? Isn't this part of the
> project just a waste of time then?

Sometimes it finds a few real bugs. I think it found 5 or 10 bugs in
ClamAV in the past years.
The signal-to-noise ratio is quite high though, and some reports require
careful analysis just to determine whether clang's annotated execution
path is possible at all.

The bugs it found were a few NULL derefs, one division by zero, and a
few uninitialized value usages.

Best regards,
--Edwin


