[cfe-dev] Clang Analysis of several open source projects.
David Smith
catfish.man at gmail.com
Thu May 12 10:16:17 PDT 2011
On May 12, 2011, at 9:51 AM, John Smith wrote:
> On Thu, May 12, 2011 at 6:47 PM, Ben Laurie <benl at google.com> wrote:
>>
>> Experience with static analysis says that almost all the issues will be
>> false positives (at least in openssl).
>>
> This is indeed the argument against static analysis that I hear from
> developers. But if this is universally known to be true, then why
> bother with static analysis in the first place? Isn't this part of the
> project just a waste of time then?
>
> Regards,
>
> John Smith.
Sorting out 50 real bugs from a few hundred analyzer results is vastly easier than finding them in 200,000 lines of code. The static analyzer is a tool (and a very useful one!), not a miracle. False positives can also point out code that's difficult to reason about and might be good to refactor.
David