Friday, August 30, 2024

Re: how accurate or helpful is scan-build-16 in clang-16 in identifying bugs / issues in code at build time ?

Folks, thanks for that.

I'll keep it in mind. The next thing is to somehow mark reviewed and confirmed false positives as part of the build / release process...
Thanks again.



On Tue, 27 Aug 2024 at 15:27, Florian Obser <florian@openbsd.org> wrote:
On 2024-08-27 15:35 +02, Janne Johansson <icepic.dz@gmail.com> wrote:
> Den mån 26 aug. 2024 kl 00:14 skrev Tom Smyth <tom.smyth@wirelessconnect.eu>:
>> Folks,
>> I'm just wondering what other porters' experience of scan-build is for the projects that you are maintaining?
>> Has it been useful in identifying bugs? Or is the analysis engine too basic or shallow to properly analyse code?
>
> When I run it on "openbsd" code, the things it finds are often super
> deep, requiring 37 steps and that syscalls or libc calls return 0 when

yeah, everything that's more than 10 deep is probably BS. Things that
are 5 or less deep are actionable in my experience.

[...]

> It does find trivial things like
> http://c66.it.su.se:8080/obsd/2019-10-25/scan-build-2019-10-25-192004-30128-1/report-36d1ed.html#EndPath

I like to look at dead stores, they are either there for symmetry
reasons or they indicate that something was not quite thought through.

In both cases just removing the dead store and sending a patch is
wrong. In the first case you are destroying the symmetry and you are
just creating noise, and in the 2nd case you didn't put in the effort to
figure out how that whole function could be written better.

I think scan-build can guide someone who has dabbled in C before where
to look.

scan-build guidance is not always well received.

Story time: I once considered using and contributing to a project, so
first step was to run it through scan-build to get a feel for the
structure of the code and have some ideas where the skeletons are
buried or where someone was sloppy. So I carefully analysed the reports
and submitted some patches. They were all happily accepted.

I never mentioned that this came out of scan-build, because it was 99%
my work anyway. So by patch 10 or 11 I write something like, hey,
scan-build pointed me at this other thing, it technically can not happen
because you get lucky all the way over there, but it is a pretty well
aimed foot gun, and this should be written more defensively over
here. Patch attached.

Their (only!) response: Yeah, we are not interested in scan-build
reports.

OK then, good luck to you I guess...

--
In my defence, I have been left unsupervised.


--
Kindest regards,
Tom Smyth.
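Two concrete things came up in this thread: Florian's rule of thumb that reports with a path deeper than about 10 steps are noise and 5 or fewer are actionable, and Tom's wish to mark reviewed false positives as part of the build / release process. The script below is an added example illustrating both; it is not scan-build's own code nor anything from the projects discussed. It assumes the analyzer was run with `scan-build --plist` (or `clang --analyze -Xclang -analyzer-output=plist`), which writes one .plist per translation unit containing `files`, `diagnostics[].path`, `check_name`, `location` and `issue_hash_content_of_line_in_context`; the sample plist, hashes and baseline file embedded here are constructed for the example, and counting `event` path pieces as the report's depth is an approximation of scan-build's "Path Length" column.

```python
# Added example (not scan-build's code): triage clang static analyzer plist output so a
# build step can skip (a) reports whose path is deeper than a threshold and (b) reports
# already reviewed as false positives, keyed by the analyzer's content hash so they stay
# suppressed when line numbers shift. Sample data below is constructed, not real output.
import plistlib
from dataclasses import dataclass

MAX_ACTIONABLE_DEPTH = 5  # rule of thumb from the thread: <=5 steps actionable, >10 noise


@dataclass
class Finding:
    check: str
    description: str
    file: str
    line: int
    depth: int
    issue_hash: str


def path_depth(path):
    """Count the 'event' pieces of a diagnostic path (the numbered steps in the HTML
    report); 'control' pieces are edges between steps, not steps. This approximates
    scan-build's 'Path Length' column (assumption)."""
    return sum(1 for piece in path if piece.get("kind") == "event")


def load_findings(plist_bytes):
    """Flatten one analyzer plist into Finding records."""
    doc = plistlib.loads(plist_bytes)
    files = doc.get("files", [])
    findings = []
    for diag in doc.get("diagnostics", []):
        loc = diag["location"]
        findings.append(Finding(
            check=diag.get("check_name", diag.get("type", "unknown")),
            description=diag["description"],
            file=files[loc["file"]],
            line=loc["line"],
            depth=path_depth(diag.get("path", [])),
            issue_hash=diag.get("issue_hash_content_of_line_in_context", ""),
        ))
    return findings


def parse_baseline(text):
    """Baseline file kept in the repo: one reviewed false positive per line as
    `check_name issue_hash justification...`; '#' starts a comment."""
    baseline = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) < 2:
            raise ValueError(f"baseline line needs check_name and issue_hash: {raw!r}")
        baseline.add((parts[0], parts[1]))
    return baseline


def triage(findings, baseline, max_depth=MAX_ACTIONABLE_DEPTH):
    """Split findings into (actionable, baselined, too_deep). The baseline is checked
    first so a reviewed false positive never resurfaces in the too_deep bucket."""
    actionable, baselined, too_deep = [], [], []
    for f in findings:
        if (f.check, f.issue_hash) in baseline:
            baselined.append(f)
        elif f.depth > max_depth:
            too_deep.append(f)
        else:
            actionable.append(f)
    return actionable, baselined, too_deep


def gate(plist_bytes, baseline_text, max_depth=MAX_ACTIONABLE_DEPTH):
    """CI entry point: non-zero status while actionable reports remain, plus one
    log line per report so the too_deep ones are still visible for manual review."""
    actionable, baselined, too_deep = triage(
        load_findings(plist_bytes), parse_baseline(baseline_text), max_depth)
    lines = [f"ACTIONABLE {f.check} {f.file}:{f.line} depth={f.depth} {f.description}"
             for f in actionable]
    lines += [f"BASELINED  {f.check} {f.file}:{f.line} (reviewed false positive)"
              for f in baselined]
    lines += [f"TOO_DEEP   {f.check} {f.file}:{f.line} depth={f.depth} (>{max_depth})"
              for f in too_deep]
    return (1 if actionable else 0), lines


def _diag(check, desc, file_idx, line, issue_hash, steps):
    """Build one constructed diagnostic with `steps` event pieces."""
    event = {"kind": "event", "location": {"line": line, "col": 1, "file": file_idx},
             "depth": 0, "message": desc, "extended_message": desc}
    return {"check_name": check, "description": desc, "type": desc,
            "category": "constructed", "issue_hash_content_of_line_in_context": issue_hash,
            "location": {"line": line, "col": 1, "file": file_idx},
            "path": [dict(event) for _ in range(steps)]}


# Constructed sample plist: file names, hashes and path lengths are made up.
SAMPLE_PLIST = plistlib.dumps({
    "clang_version": "constructed",
    "files": ["src/parse.c", "src/net.c"],
    "diagnostics": [
        _diag("deadcode.DeadStores", "Value stored to 'rv' is never read", 0, 42, "a1b2c3", 1),
        _diag("unix.Malloc", "Potential leak of memory pointed to by 'buf'", 0, 77, "d4e5f6", 3),
        _diag("core.NullDereference", "Dereference of null pointer", 1, 118, "0708a9", 12),
        _diag("deadcode.DeadStores", "Value stored to 'len' is never read", 1, 30, "bbccdd", 1),
    ],
})

# Constructed baseline: the net.c dead store was reviewed and kept for symmetry.
SAMPLE_BASELINE = """\
# check_name         issue_hash  justification (who reviewed, when)
deadcode.DeadStores  bbccdd      symmetric init shared with error path, keep (reviewed 2024-08-30)
"""

if __name__ == "__main__":
    status, report = gate(SAMPLE_PLIST, SAMPLE_BASELINE)
    print("\n".join(report))
    raise SystemExit(status)
```

Keying the baseline on the analyzer's content hash rather than on file and line keeps a reviewed entry valid across unrelated edits; the justification column is what turns a suppression into a record of a decision, which is the part a release process actually needs.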
