NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: static analysis on NetBSD code.

At Thu, 13 Jan 2011 15:48:26 +0530,
nikunj badjatya wrote:
> Hi All,
> I read about about Coverity tool and its deployment in NetBSD codes. "
> I myself have ran various Static Code Analyzers and found various issues
> with the NetBSD codes.

There are numerous static analysis tools employing different
techniques to achieve different goals. For example, some tools analyze
the structure of the code and build a representation that can then
help better understand the source code structure and/or point towards
potential problems of the structure (e.g. a file defining 5000
functions looks suspicious). Other analyzers use some simple rules to
highlight suspicious code portions/structure (e.g. flawfinder). Then
there are more heavy-weight tools like Dehydra/Treehydra that expose
the compiler's internal representation to user Javascript scripts. The
user can then implement her/his own analyses in Javascript. Yet
another tool, Frama-C, uses a specification language called ACSL, and
supports the programmer in verifying that the source code really
implements the specification.

It's a fundamental truth of CS that there cannot be an algorithm
statically analyzing a non-trivial runtime property (e.g. "can there
be a run where this variable holds a 0"). So the best we can hope for
are tools that approximate this algorithm (get it right in some common
but interesting cases).

> 1. I want to know how much reliable are these SCA's ?

That would depend on the analyzers claim: what does it do and what
does it claim to achieve? 

> 2. And can anyone tell me about the way these SCA's work? as in to analyze
> say fread.c , What input does these tools supply to check the functionality
> of the code.
> 3. I couldnt find the Coverity Tool scan report for NetBSD codes. Can anyone
> provide me with it.?
> 4. Which is the best among all SCA's ?

As indicated above: they all have very different approaches, goals,
and techniques. "Best" would depend on your specific purpose and

Hope this helps and best regards,


Attachment: pgptFBuazsTwj.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index