Re: Static analysis tool?

From: drn...@nadler.com (Dave Nadler)
Newsgroups: comp.arch.embedded
Subject: Re: Static analysis tool?
Date: Sun, 2 May 2021 11:41:12 -0400
 by: Dave Nadler - Sun, 2 May 2021 15:41 UTC

On 4/17/2021 10:34 AM, Dave Nadler wrote:
> On 4/16/2021 3:24 PM, Dave Nadler wrote:
>> Perhaps someone here can help...
>>
>> I'm doing a presentation on techniques for embedded, especially
>> removing and keeping out bugs ;-) Using an example project from last
>> year. A reviewer of my first draft suggested many of the bugs surfaced
>> in the project would have been caught by static analysis - but I
>> haven't had such great luck in the past.
>>
>> Tried CPPcheck, and while it found some less-than-optimal stuff it
>> only found one of the real bugs discussed.
>>
>> Tried to get an evaluation copy of Coverity, but got a wildly annoying
>> and clueless sales person who promises a member of the right team will
>> contact me shortly (Real Soon Now).
>>
>> Bugs I had to fix and amenable to static analysis included:
>> - uninitialized variable (only one found by CPPcheck)
>> - use of magic 0xff index value as subscript off end of array
>> - C macro with unguarded arguments getting wrong answer
>> - use of int8 to index 1kb buffer (so only 256 bytes got used)
>>
>> Anybody able to recommend a tool they've used successfully?
>> Thanks in advance,
>> Best Regards, Dave
>
> Thanks all for the comments. I should have explained this project came
> from elsewhere; landed in my lap to add a minor feature which resulted
> in needing to do lots of debug of existing problems. I even rewrote part
> of it in C++ ;-)  Project is proprietary so Coverity scan is not
> applicable as that's only for FOSS. Only 5 (maybe 6?) of the top dozen
> bugs COULD be found by static analysis but certainly that would have
> been helpful.
>
> If anybody has an hour and would be interested to review the
> presentation first draft video PM me - I can always use some
> constructive comments and suggestions!
>
> Thanks again,
> Best Regards, Dave

Further follow-up: Never heard back from Coverity (as expected).
Tried Perforce Klocwork and got a very perky and slightly less annoying
sales person who promised prompt follow-up, and as usual none was
forthcoming.

Any other static analysis tools you folks can suggest?
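
[Added example, not part of either post and not the project's code, which the thread does not show.] Three of the bug classes listed above (unguarded macro arguments, an 8-bit index into a 1 KB buffer, a magic 0xff index used as a subscript), each reduced to a small C case next to a corrected form. All names (`SQ_BAD`, `slots_used`, `lookup`, `NO_SLOT`, `TABLE_LEN`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  1024u
#define TABLE_LEN 16u
#define NO_SLOT   0xFFu   /* constructed "magic" sentinel: no entry */

/* Unguarded macro arguments: SQ_BAD(a + 1) expands to a + 1 * a + 1. */
#define SQ_BAD(x)  x * x
#define SQ_GOOD(x) ((x) * (x))
int sq_bad(int a)  { return SQ_BAD(a + 1); }
int sq_good(int a) { return SQ_GOOD(a + 1); }

/* Write BUF_SIZE bytes through an index; count the slots actually touched.
 * narrow != 0 uses an 8-bit index, which wraps 255 -> 0. */
size_t slots_used(int narrow)
{
    static uint8_t buf[BUF_SIZE];
    uint8_t head8 = 0;    /* too narrow for a 1 KB buffer */
    size_t  head  = 0;    /* wide enough */
    size_t  used  = 0;

    memset(buf, 0, sizeof buf);
    for (size_t n = 0; n < BUF_SIZE; n++) {
        if (narrow) buf[head8++] = 1;
        else { buf[head] = 1; head = (head + 1) % BUF_SIZE; }
    }
    for (size_t i = 0; i < BUF_SIZE; i++) used += buf[i];
    return used;
}

/* Sentinel index: reject NO_SLOT and any out-of-range value before
 * subscripting, instead of reading table[0xff] past the end. */
int lookup(const int table[TABLE_LEN], uint8_t idx, int fallback)
{
    if (idx == NO_SLOT || idx >= TABLE_LEN) return fallback;
    return table[idx];
}

int main(void)
{
    printf("SQ_BAD(3+1)=%d SQ_GOOD(3+1)=%d\n", sq_bad(3), sq_good(3));
    printf("8-bit index touches %zu of %u bytes; size_t index touches %zu\n",
           slots_used(1), BUF_SIZE, slots_used(0));
    return 0;
}
```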

Re: Static analysis tool?

From: blockedo...@foo.invalid (Don Y)
Newsgroups: comp.arch.embedded
Subject: Re: Static analysis tool?
Date: Sun, 2 May 2021 08:49:23 -0700
 by: Don Y - Sun, 2 May 2021 15:49 UTC

On 5/2/2021 8:41 AM, Dave Nadler wrote:
> On 4/17/2021 10:34 AM, Dave Nadler wrote:
>> On 4/16/2021 3:24 PM, Dave Nadler wrote:
>>> Perhaps someone here can help...
>>>
>>> I'm doing a presentation on techniques for embedded, especially removing and
>>> keeping out bugs ;-) Using an example project from last year. A reviewer of
>>> my first draft suggested many of the bugs surfaced in the project would have
>>> been caught by static analysis - but I haven't had such great luck in the past.
>>>
>>> Tried CPPcheck, and while it found some less-than-optimal stuff it only
>>> found one of the real bugs discussed.
>>>
>>> Tried to get an evaluation copy of Coverity, but got a wildly annoying and
>>> clueless sales person who promises a member of the right team will contact
>>> me shortly (Real Soon Now).
>>>
>>> Bugs I had to fix and amenable to static analysis included:
>>> - uninitialized variable (only one found by CPPcheck)
>>> - use of magic 0xff index value as subscript off end of array
>>> - C macro with unguarded arguments getting wrong answer
>>> - use of int8 to index 1kb buffer (so only 256 bytes got used)
>>>
>>> Anybody able to recommend a tool they've used successfully?
>>> Thanks in advance,
>>> Best Regards, Dave
>>
>> Thanks all for the comments. I should have explained this project came from
>> elsewhere; landed in my lap to add a minor feature which resulted in needing
>> to do lots of debug of existing problems. I even rewrote part of it in C++
>> ;-) Project is proprietary so Coverity scan is not applicable as that's only
>> for FOSS. Only 5 (maybe 6?) of the top dozen bugs COULD be found by static
>> analysis but certainly that would have been helpful.
>>
>> If anybody has an hour and would be interested to review the presentation
>> first draft video PM me - I can always use some constructive comments and
>> suggestions!
>>
>> Thanks again,
>> Best Regards, Dave
>
> Further follow-up: Never heard back from Coverity (as expected).
> Tried Perforce Klocwork and got a very perky and slightly less annoying sales
> person who promised prompt follow-up, and as usual none was forthcoming.
>
> Any other static analysis tools you folks can suggest?

You're not going to find anything of the same caliber as Klocwork/Coverity
in the "discount/FOSS" aisle.

But, as I said elsewhere, with enough (machine) "eyes" looking at your code,
you may eke out some insights that would evade a normal review.

Look at PVS Studio. ConQAT won't necessarily give you the sorts of flags
that you're likely expecting from a static analysis tool, but it can help with
things like clone detection (more "smells" than actual "problems").

[Of course, there are other tools that do similar things]
