Static Analysis: results of FUDcon Lawrence hackfest

David Malcolm dmalcolm at redhat.com
Fri Jan 25 15:58:57 UTC 2013


On Fri, 2013-01-25 at 08:01 -0700, Jerry James wrote:
> On Fri, Jan 25, 2013 at 5:16 AM, Kamil Dudka <kdudka at redhat.com> wrote:
> > On Thursday, January 24, 2013 14:11:11 Jerry James wrote:
> >> It is not, but see http://jjames.fedorapeople.org/blast/ for an
> >> experimental RPM.  If we could get the Vampyre developers to remove
> >> "for research purposes only" from their license, we could get both
> >> Vampyre and BLAST into Fedora.
> >>
> >> Note that we also have why and why3 in Fedora, by the way.
> >
> > The above tools are not bug finding tools.  They will not give you a list
> > of bugs detected in the input program.  You need to specify a property to
> > verify and the tools then return a yes/no answer, supported by a (usually
> > hard to read) counter-example.  Such tools are not intended for a fully
> > automatic static analysis.
> >
> > Kamil
> 
> David mentioned Frama-C, so I thought he would be interested in these
> tools, too.
I mentioned it mostly because it was listed on the big list of analysis
tools on 
http://www.dwheeler.com/flawfinder/
and seems to be relatively sophisticated.  I've not used it myself yet
beyond installing it and trying (unsuccessfully) to get it to compile
some of the .c files in python-ethtool (which is the test srpm I've been
using).

But yeah, what I'm looking for are code analyzers that can be run in
automated fashion without needing extensive configuration, and that will
emit a list of warnings about the code, that (hopefully) are worth
looking at.

I'm going for low-hanging fruit here: given the list of analyzers we
already have working in mock-with-analysis, we may have enough to try
building a nice UI to get sane information from the results.

Thanks
Dave
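Kamil's distinction above (property verifiers such as BLAST and Frama-C versus bug finders that simply emit warnings) matters for the automated, low-configuration setup Dave describes: a UI over the results of several bug finders first needs one record shape across tools. The script below is an added example written for this archive page; it is not code from mock-with-analysis, gcc, cppcheck or any other tool named in the thread. It assumes that gcc and cppcheck (with its `--template=gcc` preset) both print `path:line:col: severity: message` diagnostics, and the sample diagnostic lines in it are constructed, not captured from python-ethtool.

```python
"""Merge gcc-style diagnostics from several analyzers into one sortable
record shape.  Added illustration, not code from mock-with-analysis or from
the analyzers themselves; the sample output below is constructed."""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True, order=True)
class Finding:
    path: str
    line: int
    column: int      # 0 when the tool reported no column
    tool: str
    severity: str    # "warning" or "error"
    message: str


# gcc, clang and cppcheck --template=gcc print:  path:line[:col]: severity: message
DIAG_RE = re.compile(
    r"^(?P<path>[^\s:]+):(?P<line>\d+):(?:(?P<col>\d+):)?\s*"
    r"(?P<sev>warning|error|note):\s*(?P<msg>.*)$")


def parse_gcc_diagnostics(tool: str, text: str) -> List[Finding]:
    """Turn one analyzer's output into Finding records.  'note:' lines are
    context for the preceding diagnostic and are skipped here."""
    out = []
    for raw in text.splitlines():
        m = DIAG_RE.match(raw.strip())
        if not m or m["sev"] == "note":
            continue
        out.append(Finding(m["path"], int(m["line"]), int(m["col"] or 0),
                           tool, m["sev"], m["msg"].strip()))
    return out


def merge(*batches: List[Finding]) -> List[Finding]:
    """Drop exact repeats (a header pulled in twice yields the same warning
    twice) and order by location so a UI can walk each file top to bottom."""
    return sorted(set(f for b in batches for f in b))


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per-file counts keyed by severity, e.g. {'example.c': {'warning': 3}}."""
    table: Dict[str, Dict[str, int]] = {}
    for f in findings:
        table.setdefault(f.path, {}).setdefault(f.severity, 0)
        table[f.path][f.severity] += 1
    return table


# Command lines that emit the gcc-style format.  The cppcheck preset
# --template=gcc is assumed from its documentation.
ANALYZERS = {
    "gcc":      ["gcc", "-fsyntax-only", "-Wall", "-Wextra"],
    "cppcheck": ["cppcheck", "--quiet", "--template=gcc"],
}


def run_analyzer(name: str, source: str) -> List[Finding]:
    """Run one analyzer on a C file if it is installed; otherwise return []
    so an unattended batch degrades instead of aborting."""
    argv = ANALYZERS[name]
    if shutil.which(argv[0]) is None:
        return []
    proc = subprocess.run(argv + [source], capture_output=True, text=True)
    return parse_gcc_diagnostics(name, proc.stdout + proc.stderr)


# Constructed sample output (not from a real run): the gcc sample repeats one
# warning, as happens when the same header is included twice.
SAMPLE_GCC = """\
example.c:42:5: warning: unused variable 'ret' [-Wunused-variable]
example.c:88:12: warning: comparison of integer expressions of different signedness [-Wsign-compare]
example.c:88:12: note: in expansion of macro 'LEN'
In file included from example.c:3:
example.c:42:5: warning: unused variable 'ret' [-Wunused-variable]
"""
SAMPLE_CPPCHECK = """\
example.c:60:5: error: Memory leak: buf [memleak]
"""


def demo() -> List[Finding]:
    merged = merge(parse_gcc_diagnostics("gcc", SAMPLE_GCC),
                   parse_gcc_diagnostics("cppcheck", SAMPLE_CPPCHECK))
    for f in merged:
        print(f"{f.path}:{f.line}:{f.column}: [{f.tool}] {f.severity}: {f.message}")
    return merged


if __name__ == "__main__":
    demo()
```

To use it on a real package, point `run_analyzer` at each extracted source file and pass the batches to `merge`; the same `Finding` at the same location from two different tools is kept twice on purpose, since agreement between independent analyzers is itself useful information for ranking what is worth looking at.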


