NetBSD-Users archive


Re: static analysis on NetBSD code.



Thor Lancelot Simon <tls%panix.com@localhost> wrote:

> On Thu, Jan 13, 2011 at 03:48:26PM +0530, nikunj badjatya wrote:
> > Hi All,
> > 
> > I myself have run various Static Code Analyzers and found various issues
> > with the NetBSD codes.

First of all, the plural of code is code. You look like an idiot when you
write "NetBSD codes." (I'm responding to the previous H1B poster here, not
TLS.)

> I think you mean "what these analyzers claim are various issues with
> the NetBSD code".

Exactly. I remember an initiative by the idiots where I once worked to "clean
up" our code by calling in various vendors and consultants to run analyzers
over our code and "point out all the problems." That's what can happen when
you hire MBAs who haven't written a line of code in their lives as managers
and don't know anything about the business you're in. Lucky for NetBSD this
isn't an issue.

One of the most famous vendors was chosen and they proceeded to come in and
produce all sorts of amazing visuals and reports that showed our code was,
by all measurable metrics, a total fucking disaster. We had a nice meeting with
the developers, managers, and the analyzer salesman and his sales support
guy. Our management was ready to spend big money to buy this amazing
tool. Looking over the results in this meeting was just a formality. The
deal was all but done.

Then...

I asked the Lead Asshole, "do you understand that in your analysis you
penalize error checking and handling errors out of line, both of which are
necessary and correct ways of doing business in the software we're writing
in assembler?"

"Ah, well yes. We measure how structured the code is which may not
necessarily apply to your code. It's more for applications programs in C and
COBOL."

"Do you realize I could get your analysis tools to produce fantastic
metrics on our code simply by deleting all the sanity checks and all the
error handling?"

"Well yes, because it's not structured."

"So you're saying I could delete all the error checking, error handling and
diagnostics and your reports would say our code was pretty close to perfect?
I mean you would have no way to distinguish between code actually being good
or bad and would say it's good just because we don't branch? Your static
analysis can't tell that most of these branches are for impossible
conditions and the path is actually not what it looks like on paper, isn't
that right?"

"Well yes I guess you could say that."

PLONK. Needless to say, they were invited out of the building and we didn't
buy their shitty tool. And our management had to eat their hats on that day
too, because it was obvious they also had their heads up their asses. The
good news was they never bothered us again.

> I have little trust for static analyzers other than Coverity (which
> must be used with care) and possibly the rumored IBM "BEAM".

I haven't seen Coverity or BEAM but my impression is good developers are
writing and fixing code, not working for vendors writing shitty static code
analysis tools. I might trust a tool from the same company who actually
writes and supports a compiler, because those guys are sharp as hell, but
the code analysis camp is a bunch of failures who know more about GUI and
whiz-bang reports than they do about actually doing something productive in
code. Static analysis is pretty much worthless and so are the people who
sell it or use it or rely on it. If your compiler can't help with static
issues and your developers can't figure out how to write good code, no
amount of static analysis is ever going to save your worthless asses.

If you're not an expert developer you have no way to assess code, and that
includes interpreting output from these shitty tools. I haven't seen NetBSD
code and I couldn't assess it if I did since I don't work in C. I'm sure
NetBSD would appreciate specific comments on actual issues from informed
people, but dicking around with brand-X crap and then complaining about it
wastes people's time and makes you look like a real asshole.
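The exchange above makes a concrete claim: a "structuredness" score that counts branches will rate a function better after its sanity checks are deleted, and it cannot tell a parser that rejects bad input from one that silently swallows it. The following is an added example that is not part of the original post, not NetBSD code, and not any vendor's real algorithm. It assumes a naive McCabe-style metric (decision points plus one) over a constructed Python source text, so that the "tool" sees exactly what a static analyzer sees, and then runs both versions of the parser on constructed malformed input.

```python
import ast

# Constructed sample source, as a static analyzer would see it. Two versions
# of the same length-prefixed record parser ([len:1 byte][payload:len bytes]):
# one that checks its input, and one with every check stripped out.
SOURCE = '''
def parse_record_checked(buf):
    """Return the payload, or None if the record is malformed."""
    if len(buf) < 1:
        return None            # empty input, no length byte
    n = buf[0]
    if len(buf) < 1 + n:
        return None            # truncated payload
    if len(buf) > 1 + n:
        return None            # trailing garbage after the record
    return bytes(buf[1:1 + n])


def parse_record_unchecked(buf):
    """Same parser with all the sanity checks deleted."""
    n = buf[0]
    return bytes(buf[1:1 + n])
'''

# Make the two parsers callable from the same text the metric is run on.
_ns = {}
exec(SOURCE, _ns)
parse_record_checked = _ns["parse_record_checked"]
parse_record_unchecked = _ns["parse_record_unchecked"]

# Assumed, deliberately naive metric: every decision point adds one.
_DECISION_NODES = (ast.If, ast.For, ast.While, ast.IfExp,
                   ast.ExceptHandler, ast.Assert)


def complexity_by_function(source: str) -> dict:
    """McCabe-style cyclomatic complexity per top-level function.

    Lower is 'better' to a tool that only measures structure. This is the
    shape of score the anecdote's vendor reported, not a real product.
    """
    tree = ast.parse(source)
    report = {}
    for fn in tree.body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        decisions = 0
        for node in ast.walk(fn):
            if isinstance(node, _DECISION_NODES):
                decisions += 1
            elif isinstance(node, ast.BoolOp):
                # 'a and b and c' hides two extra short-circuit branches
                decisions += len(node.values) - 1
        report[fn.name] = decisions + 1
    return report


def truncated_record_outcomes(buf: bytes) -> dict:
    """Run both parsers on one input and record what each does."""
    outcomes = {}
    for name, fn in (("checked", parse_record_checked),
                     ("unchecked", parse_record_unchecked)):
        try:
            outcomes[name] = fn(buf)
        except IndexError as e:            # unchecked version on empty input
            outcomes[name] = "IndexError: " + str(e)
    return outcomes


if __name__ == "__main__":
    # The metric prefers the version with no error handling at all.
    print(complexity_by_function(SOURCE))
    # ... while only the 'worse' version notices a truncated record.
    print(truncated_record_outcomes(b"\x05ab"))   # constructed: claims 5 bytes, has 2
    print(truncated_record_outcomes(b""))         # constructed: no length byte
```

The score drops from 4 to 1 when the checks go, which is exactly the trade the salesman conceded: the metric is indifferent to whether a low branch count means simple code or missing error handling, and the only way to tell the two apart is to read the code or run it against bad input.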

