
List:       wine-devel
Subject:    Re: Adding Flawfinder to Patchwatcher
From:       "Rob Shearman" <robertshearman () gmail ! com>
Date:       2008-08-31 13:03:38
Message-ID: 1096648c0808310603k2b5c2be9if93a9a5b77cdfd44 () mail ! gmail ! com

2008/8/28 Austin English <austinenglish@gmail.com>:
> I had a discussion with Dan about adding Flawfinder to the
> patchwatcher. Currently, it's got some pretty generic errors, but it
> seems able to test only patches, so we wouldn't be flooded with old
> nonbugs (or we could set up a blacklist of safe errors). For
> reference, I've run it on today's git. I'm attaching the full log, as
> well as a condensed version of the most common errors (1 per error
> type). Looks like a lot of chances for buffer overflows.
>
> Thoughts?

Too many false positives to make it worth using. Just because you use
strcpy, for example, it doesn't mean your program has a chance for a
buffer overflow; it's using strcpy with a destination buffer that
might not be large enough that causes buffer overflows.

Having some kind of static analysis done on patches before Alexandre
commits them is a good idea, but I don't think Flawfinder is the right
static analysis tool to use.

Coverity and Prefast are both static analysis tools with a bit more
intelligence that identify bad code rather than just using "bad"
functions. Other people may be able to suggest more good tools.

-- 
Rob Shearman
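The distinction Rob draws, as an added C example that is not from this thread or from the Wine tree: both functions copy a string into a fixed 32-byte destination (NAME_MAX, the function names and self_check are assumptions made for this illustration). A name-matching tool reports the strcpy in the first function even though the fit check before it keeps the copy in bounds; the second reaches the same contract with snprintf and draws no report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32          /* fixed destination size, constructed for the example */

/* strcpy guarded by an explicit fit check.  A pattern-matching tool such as
 * Flawfinder still reports the strcpy line, since it only recognises the
 * function name; the guard above it is what makes the copy safe.
 * Returns false and leaves dst untouched when src does not fit. */
bool copy_name_guarded(char dst[NAME_MAX], const char *src)
{
    /* Look for the terminating NUL within the destination size only.
     * C11 memchr stops at the first match, so a short src is not over-read
     * and an over-long src is never scanned past NAME_MAX bytes. */
    if (memchr(src, '\0', NAME_MAX) == NULL)
        return false;                    /* src is NAME_MAX chars or longer */
    strcpy(dst, src);                    /* flagged by Flawfinder, yet in bounds */
    return true;
}

/* Same contract without strcpy.  snprintf never writes more than NAME_MAX
 * bytes and always NUL-terminates; its return value reveals truncation. */
bool copy_name_bounded(char dst[NAME_MAX], const char *src)
{
    int needed = snprintf(dst, NAME_MAX, "%s", src);
    return needed >= 0 && (size_t)needed < NAME_MAX;
}

static char scratch[NAME_MAX];           /* scratch destination for the checks */

/* Exercises both copiers on a fitting and an over-long constructed input;
 * returns 1 when every outcome matches the documented contract. */
int self_check(void)
{
    char too_long[NAME_MAX + 8];         /* 39 'A's plus NUL: cannot fit */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    int ok = copy_name_guarded(scratch, "wine") && strcmp(scratch, "wine") == 0;
    ok = ok && !copy_name_guarded(scratch, too_long) && strcmp(scratch, "wine") == 0;
    ok = ok && copy_name_bounded(scratch, "wine") && strcmp(scratch, "wine") == 0;
    ok = ok && !copy_name_bounded(scratch, too_long) && strlen(scratch) == NAME_MAX - 1;
    return ok ? 1 : 0;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "pass" : "FAIL");
    return self_check() ? 0 : 1;
}
```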
