Bug 430328 - (analyses) Tracking: static analyses
Status: NEW
: meta
Product: Core
Classification: Components
Component: Rewriting and Analysis
: Trunk
: All All
: -- normal with 6 votes
Assigned To: Nobody; OK to take it and work on it
Depends on: 172937 424420 427115 436342 449623 455536 455595 457003 477432 478264 482373 483714 488360 489914 492137 492185 500864 500866 500868 500874 500875 500876 503619 508133 508163 517370 520626 522776 525063 526309 528206 529382 535646 536427 542364 545052 551569 557565 564858 601522 669808 672389 685266 772601 773217 1114683 1285918 420933 421934 423032 424416 428465 432915 432917 435814 450777 452357 455742 455792 455806 455919 455943 456099 deadcode 480516 480521 488941 492257 500860 500870 502775 callgraph 512868 522774 526143 541220 551286 570416 573786 602122 645498 858320
Reported: 2008-04-22 13:29 PDT by (dormant account)
Modified: 2016-07-11 04:07 PDT


Attachments
cppcheck static analysis 2009-02-27, 290 lines (36.58 KB, text/plain)
2009-02-27 04:06 PST, georgi - hopefully not receiving bugspam

Description (dormant account) 2008-04-22 13:29:53 PDT
This is to make it easier to track ongoing analyses involving *hydras and Pork.
Comment 1 David Rajchenbach-Teller [:Yoric] (please use "needinfo") 2008-05-14 22:32:33 PDT
What kind of analyses are expected?
Comment 2 (dormant account) 2008-05-15 09:20:50 PDT
This is a tracking bug. "Depends on" lists the analyses under way.
Comment 3 georgi - hopefully not receiving bugspam 2008-06-20 05:16:43 PDT
i am not familiar with hydra yet.

here are some random thoughts.

code analysis tools can't be made perfect, so the primary goal should
be to be effective imho.

refactoring kinda scares me - debugging a program generated by a
program generated by a program is hard if possible at all.

besides a systematic scientific approach, i suggest additional
heuristic/chaotic approach - checking for blacklisted constructs that
may be dangerous - basically gcc's -Wall on steroids.

off the top of my head some checks that may help:
1. assignment in |if| - e.g. |if (a = 1)|. in some cases this
is valid, yet it may be a bug
2. misuse of preprocessing macros - macros changing stuff in unexpected
ways, e.g. in pseudocode
#define max(a,b) ((a)>(b) ? (a) : (b))

...
c=max(a++,b++);

this example is kinda fabricated, though i reported a real bug because
of similar misuse

very useful but probably hard to implement feature will be value
reachability:

on line X in file Y what are the possible values of int variable Z?
basically Z may be anything, it may be just a single number, it may be
in a given range or in a finite set of ranges.


Comment 4 georgi - hopefully not receiving bugspam 2009-02-27 04:06:48 PST
Created attachment 364503
cppcheck static analysis 2009-02-27, 290 lines
Comment 5 georgi - hopefully not receiving bugspam 2009-02-27 04:10:52 PST
cppcheck seems an interesting static analysis tool:
http://sourceforge.net/project/showfiles.php?group_id=195752&package_id=231124&release_id=657693

bugs found by it:
http://cppcheck.wiki.sourceforge.net/found_bugs

seems nice, their goal is to keep false positives very low (sure there are FP)
Comment 6 georgi - hopefully not receiving bugspam 2009-03-17 03:51:45 PDT
> 1. assignment in |if| - e.g. |if (a = 1)|

FYI:
i patched cppcheck to search for this. the way cppcheck works i am not sure i caught all cases. caught 2 occurrences of this and they look legitimate to me.
Comment 7 georgi - hopefully not receiving bugspam 2009-04-07 03:56:57 PDT
i am investigating using hydra for security stuff.

http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsCrypto.cpp#384

while (isspace(*end)) end--;

this will crash in layout:
<UNMAPPED> <SPACES> end

is it worth a bug?

can hydra check for constructs like:

while( SINGLECONDITION( *ptr ) ) ptr--;
or
while( SINGLECONDITION( *ptr ) ) --ptr;

i think both of the above are in most cases real crashes.
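
The loop pattern from Comment 7, as an added C example that is not part of the original thread or of Mozilla's code: the backward scan with no lower bound beside a bounded form that never reads below the start of the buffer. The function names and sample strings are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pattern from the comment: nothing stops `end` from moving below the start
 * of the buffer when every byte back to the start is whitespace. Kept for
 * comparison; only safe if a non-space byte is known to precede `end`. */
static const char *rtrim_unbounded(const char *end)
{
    while (isspace((unsigned char)*end))
        end--;
    return end;
}

/* Bounded form: `begin` is the lower limit and the scan works on a
 * one-past-the-end pointer, so it never dereferences below `begin`.
 * Returns the trimmed length (0 for an empty or all-whitespace buffer). */
static size_t rtrim_len(const char *begin, size_t len)
{
    const char *end = begin + len;              /* one past the last byte */
    while (end > begin && isspace((unsigned char)end[-1]))
        end--;
    return (size_t)(end - begin);
}

/* Constructed sample inputs. */
static const char sample_text[]   = "certname  \t\n";
static const char sample_spaces[] = "    ";

int main(void)
{
    /* Safe call: a non-space byte exists before the starting position. */
    const char *last = rtrim_unbounded(sample_text + strlen(sample_text) - 1);
    printf("unbounded, mixed input: last kept index %td\n", last - sample_text);

    /* The all-whitespace case is only given to the bounded version; the
     * unbounded loop would walk past sample_spaces[0] on this input. */
    printf("bounded, mixed input:   length %zu\n",
           rtrim_len(sample_text, strlen(sample_text)));
    printf("bounded, spaces only:   length %zu\n",
           rtrim_len(sample_spaces, strlen(sample_spaces)));
    return 0;
}
```
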
