[cfe-dev] Clang Analysis of several open source projects.
Joel Sherrill
joel.sherrill at OARcorp.com
Thu May 12 10:16:07 PDT 2011
On 05/12/2011 11:51 AM, John Smith wrote:
> On Thu, May 12, 2011 at 6:47 PM, Ben Laurie <benl at google.com> wrote:
>> Experience with static analysis says that almost all the issues will be
>> false positives (at least in openssl).
>>
> This is indeed the argument against static analysis that I hear from
> developers. But if this is universally known to be true, then why
> bother with static analysis in the first place? Isn't this part of the
> project just a waste of time then?
>
We have used Coverity on RTEMS and it found a few places
that we could have written clearer, easier to analyse code
and a couple of real bugs.

Other places are questionable. Telling you strn*() is better
than the version without 'n' is not so helpful.

I tried to run it on RTEMS also but the cross nature of
RTEMS got in the way too much and I had to give up.

I am interested. Any bug found by a program is better
than a bug found by a user.
> Regards,
>
>
> John Smith.
--
Joel Sherrill, Ph.D.             Director of Research & Development
joel.sherrill at OARcorp.com      On-Line Applications Research
Ask me about RTEMS: a free RTOS  Huntsville AL 35805
Support Available                (256) 722-9985