At Thu, 13 Jan 2011 15:48:26 +0530, nikunj badjatya wrote:
>
> Hi All,
>
> I read about the Coverity tool and its deployment in NetBSD code.
> "http://www.feyrer.de/NetBSD/bx/blosxom.cgi/nb_20060316_1655.html"
> I myself have run various Static Code Analyzers and found various issues
> with the NetBSD code.
>

There are numerous static analysis tools employing different techniques to achieve different goals. For example, some tools analyze the structure of the code and build a representation that can then help better understand the source code structure and/or point towards potential problems of the structure (e.g. a file defining 5000 functions looks suspicious). Other analyzers use some simple rules to highlight suspicious code portions/structure (e.g. flawfinder). Then there are more heavy-weight tools like Dehydra/Treehydra that expose the compiler's internal representation to user Javascript scripts. The user can then implement her/his own analyses in Javascript. Yet another tool, Frama-C, uses a specification language called ACSL, and supports the programmer in verifying that the source code really implements the specification.

It's a fundamental truth of CS that there cannot be an algorithm statically analyzing a non-trivial runtime property (e.g. "can there be a run where this variable holds a 0"). So the best we can hope for are tools that approximate this algorithm (get it right in some common but interesting cases).

> 1. I want to know how reliable these SCAs are?

That would depend on the analyzer's claim: what does it do and what does it claim to achieve?

> 2. And can anyone tell me about the way these SCAs work? As in, to analyze
> say fread.c, what input do these tools supply to check the functionality
> of the code?
> 3. I couldn't find the Coverity Tool scan report for NetBSD code. Can anyone
> provide me with it?
> 4. Which is the best among all SCAs?

As indicated above: they all have very different approaches, goals, and techniques. "Best" would depend on your specific purpose and requirements.

Hope this helps and best regards,
Marko
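The following is an added illustration of the "approximate the undecidable property" point made in the reply; it is not part of the thread and not code from Coverity, flawfinder, Dehydra or Frama-C. It is a toy abstract interpreter over a small statement language (a hypothetical format invented here, with constructed sample programs) that answers "can this variable be 0 here?" with a three-valued domain {zero, nonzero, unknown} and flags divisions whose divisor may be zero. The analysis never supplies runtime input to the code; it over-approximates every path at once, which is why it is sound (a real zero is never missed) but imprecise (1 + 1 is reported as "may be zero").

```python
from typing import Dict, FrozenSet, List, Tuple

# Abstract values: the set of facts that may hold for an integer at a program point.
Abs = FrozenSet[str]
ZERO: Abs = frozenset({"zero"})
NONZERO: Abs = frozenset({"nonzero"})
TOP: Abs = ZERO | NONZERO      # no information: may be zero or nonzero
BOTTOM: Abs = frozenset()      # no value at all: the program point is unreachable

Env = Dict[str, Abs]           # abstract state: variable -> abstract value


def eval_expr(expr, env: Env, warnings: List[str]) -> Abs:
    """Abstractly evaluate an expression; record a warning for a possibly-zero divisor."""
    if isinstance(expr, int):
        return ZERO if expr == 0 else NONZERO
    if isinstance(expr, str):
        return env.get(expr, TOP)            # unassigned variable: assume anything
    op, *args = expr
    if op == "unknown":                      # external input: no information
        return TOP
    a = eval_expr(args[0], env, warnings)
    b = eval_expr(args[1], env, warnings)
    if op == "add":
        if a == ZERO:
            return b
        if b == ZERO:
            return a
        return TOP                           # nonzero + nonzero may cancel to zero
    if op == "mul":
        if a == ZERO or b == ZERO:
            return ZERO
        if a == NONZERO and b == NONZERO:
            return NONZERO
        return TOP
    if op == "div":
        if "zero" in b:                      # the divisor may be zero: report it
            warnings.append(f"possible division by zero: divisor {args[1]!r} is {sorted(b)}")
        return ZERO if a == ZERO else TOP    # integer division of nonzero may still be 0
    raise ValueError(f"unknown operator {op}")


def join(envs: List[Env]) -> Env:
    """Merge the states of several control-flow paths (set union per variable)."""
    keys = set().union(*envs)
    return {k: frozenset().union(*(e.get(k, TOP) for e in envs)) for k in keys}


def run(block: List, env: Env, warnings: List[str]) -> Env:
    """Execute a block of statements abstractly, exploring both branches of every if."""
    for stmt in block:
        kind = stmt[0]
        if kind == "assign":                 # ("assign", var, expr)
            _, var, expr = stmt
            env = {**env, var: eval_expr(expr, env, warnings)}
        elif kind == "if":                   # ("if", var, then_block, else_block): tests var != 0
            _, var, then_b, else_b = stmt
            cur = env.get(var, TOP)
            outs = []
            then_env = {**env, var: cur & NONZERO}   # the test refines our knowledge of var
            if then_env[var] != BOTTOM:
                outs.append(run(then_b, then_env, warnings))
            else_env = {**env, var: cur & ZERO}
            if else_env[var] != BOTTOM:
                outs.append(run(else_b, else_env, warnings))
            env = join(outs)
        else:
            raise ValueError(f"unknown statement {kind}")
    return env


def analyze(program: List) -> Tuple[Env, List[str]]:
    """Return the final abstract state and the list of division warnings."""
    warnings: List[str] = []
    return run(program, {}, warnings), warnings


def may_be_zero(program: List, var: str) -> bool:
    env, _ = analyze(program)
    return "zero" in env.get(var, TOP)


# Constructed sample 1: the guard proves the divisor nonzero on both paths.
GUARDED = [
    ("assign", "x", ("unknown",)),
    ("if", "x", [("assign", "d", "x")], [("assign", "d", 1)]),
    ("assign", "q", ("div", 100, "d")),
]
# Constructed sample 2: unguarded division by external input (a true positive).
UNGUARDED = [
    ("assign", "x", ("unknown",)),
    ("assign", "q", ("div", 100, "x")),
]
# Constructed sample 3: 1 + 1 is never zero, but the domain cannot express that (a false positive).
IMPRECISE = [
    ("assign", "a", 1),
    ("assign", "b", ("add", "a", 1)),
    ("assign", "q", ("div", 100, "b")),
]

if __name__ == "__main__":
    for name, prog in (("guarded", GUARDED), ("unguarded", UNGUARDED), ("imprecise", IMPRECISE)):
        env, warns = analyze(prog)
        print(name, {k: sorted(v) for k, v in env.items()}, warns)
```

The three samples map onto the reply's point: the guarded program is one of the "common but interesting cases" the approximation gets right, the unguarded one is a genuine finding, and the third is the price of decidability, a false positive that a richer domain (intervals, or Frama-C's ACSL annotations plus a prover) would remove but that no analysis can eliminate in general.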