Posted to dev@apr.apache.org by Jeff Trawick <tr...@gmail.com> on 2011/04/30 20:07:00 UTC

Re: Statical analysis apache 2.3.11

(adding dev@apr, since some of the report covers apr code)

On Sat, Apr 30, 2011 at 1:05 PM, John Smith <lb...@gmail.com> wrote:
> Hi,
>
> Just for fun, I ran the statistical source code analyzer 'clang' on
> the Apache httpd-2.3.11-beta sources. Looks like either the analyzer
> generates way too many false positives, or some stuff needs to be
> looked into.
> ;)
>
> Anyway, for anyone interested, the full results in gzipped html files
> are located here:
> https://sites.google.com/site/apache2scan/clang-scan.tar.gz

There are some harmless bugs, some bugs which are truly useful to fix
beyond "cleanness", and false positives.  I can't tell you how many of
each ;)

I'm sure some of the items will be fixed just because you posted this
(thanks).  Feel free to submit patches yourself.  Many of the
individual reports are tedious to research, only to find that the code
is correct :(

FWLIW, some of us went through one of these reports last year and
cleaned up a bunch of issues that generated clang warnings.

Re: Statical analysis apache 2.3.11

Posted by Jeff Trawick <tr...@gmail.com>.
On Sat, Apr 30, 2011 at 3:47 PM, John Smith <lb...@gmail.com> wrote:
> On Sat, Apr 30, 2011 at 8:07 PM, Jeff Trawick <tr...@gmail.com> wrote:
>> (adding dev@apr, since some of the report covers apr code)
>>
>>
>> There are some harmless bugs, some bugs which are truly useful to fix
>> beyond "cleanness", and false positives.  I can't tell you how many of
>> each ;)
>>
>> I'm sure some of the items will be fixed just because you posted this
>> (thanks).  Feel free to submit patches yourself.  Many of the
>> individual reports are tedious to research, only to find that the code
>> is correct :(
>>
>> FWLIW, some of us went through one of these reports last year and
>> cleaned up a bunch of issues that generated clang warnings.
>>
>
> I honestly didn't realize that clang has been used to analyze Apache
> not too long ago; in the future I guess I should do better research
> before posting stuff.

that wasn't really my point; I'm sure that your posting will prompt
some new fixes (i.e., "good for you")

>
> I'm sorry to hear that there were quite a few false positives. Please
> note that the devs of clang are very interested in reducing the amount
> of false positives that it finds. So if someone does find a false
> positive, perhaps it would be nice to report it:
>
> http://clang-analyzer.llvm.org/filing_bugs.html
>
> Of course, that requires serious effort, which people may simply be
> unable to offer.

Re: Statical analysis apache 2.3.11

Posted by John Smith <lb...@gmail.com>.
On Sat, Apr 30, 2011 at 8:07 PM, Jeff Trawick <tr...@gmail.com> wrote:
> (adding dev@apr, since some of the report covers apr code)
>
>
> There are some harmless bugs, some bugs which are truly useful to fix
> beyond "cleanness", and false positives.  I can't tell you how many of
> each ;)
>
> I'm sure some of the items will be fixed just because you posted this
> (thanks).  Feel free to submit patches yourself.  Many of the
> individual reports are tedious to research, only to find that the code
> is correct :(
>
> FWLIW, some of us went through one of these reports last year and
> cleaned up a bunch of issues that generated clang warnings.
>

I honestly didn't realize that clang has been used to analyze Apache
not too long ago; in the future I guess I should do better research
before posting stuff.

I'm sorry to hear that there were quite a few false positives. Please
note that the devs of clang are very interested in reducing the amount
of false positives that it finds. So if someone does find a false
positive, perhaps it would be nice to report it:

http://clang-analyzer.llvm.org/filing_bugs.html

Of course, that requires serious effort, which people may simply be
unable to offer.