A Few Billion Lines of Code
-
The folks at Coverity (www.coverity.com wrote up their commercial static analysis tool in the CACM (A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World). Very interesting and enjoyable read. They describe in detail the pitfalls in building such a tool, and give examples of some sales situations they encountered. These include:
User: "How do I run your tool?"
Coverity: "Oh, it's easy. Just type 'cov-build' before your build command."
User: "Build command? I just push this [GUI] button..."
Upon seeing an error report saying the following loop body was dead code
for(i = 1; i < 0; i++) ...dead code...Programmer: "No, that's a false positive; a loop executes at least once."
For this memory corruption error (32-bit machine)
int a\[2\], b; memset(a, 0, 12);Programmer: "No, I meant to do that; they are next to each other."
For this use-after-free
free(foo); foo->bar = ...;Programmer: "No, that's OK; there is no malloc call between the free and use."
And my personal favorite:
A buffer overflow checker flagged a bunch of errors of the form
unsigned p\[4\]; p\[4\] = 1;Programmer: "No, ANSI lets you write 1 past the end of the array."
See more discussion at Lambda the Ultimate.
Best wishes, Hans
-
The folks at Coverity (www.coverity.com wrote up their commercial static analysis tool in the CACM (A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World). Very interesting and enjoyable read. They describe in detail the pitfalls in building such a tool, and give examples of some sales situations they encountered. These include:
User: "How do I run your tool?"
Coverity: "Oh, it's easy. Just type 'cov-build' before your build command."
User: "Build command? I just push this [GUI] button..."
Upon seeing an error report saying the following loop body was dead code
for(i = 1; i < 0; i++) ...dead code...Programmer: "No, that's a false positive; a loop executes at least once."
For this memory corruption error (32-bit machine)
int a\[2\], b; memset(a, 0, 12);Programmer: "No, I meant to do that; they are next to each other."
For this use-after-free
free(foo); foo->bar = ...;Programmer: "No, that's OK; there is no malloc call between the free and use."
And my personal favorite:
A buffer overflow checker flagged a bunch of errors of the form
unsigned p\[4\]; p\[4\] = 1;Programmer: "No, ANSI lets you write 1 past the end of the array."
See more discussion at Lambda the Ultimate.
Best wishes, Hans
-
The folks at Coverity (www.coverity.com wrote up their commercial static analysis tool in the CACM (A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World). Very interesting and enjoyable read. They describe in detail the pitfalls in building such a tool, and give examples of some sales situations they encountered. These include:
User: "How do I run your tool?"
Coverity: "Oh, it's easy. Just type 'cov-build' before your build command."
User: "Build command? I just push this [GUI] button..."
Upon seeing an error report saying the following loop body was dead code
for(i = 1; i < 0; i++) ...dead code...Programmer: "No, that's a false positive; a loop executes at least once."
For this memory corruption error (32-bit machine)
int a\[2\], b; memset(a, 0, 12);Programmer: "No, I meant to do that; they are next to each other."
For this use-after-free
free(foo); foo->bar = ...;Programmer: "No, that's OK; there is no malloc call between the free and use."
And my personal favorite:
A buffer overflow checker flagged a bunch of errors of the form
unsigned p\[4\]; p\[4\] = 1;Programmer: "No, ANSI lets you write 1 past the end of the array."
See more discussion at Lambda the Ultimate.
Best wishes, Hans
Amazing read - not just for the WTF list you reproduced. For a giant-project-maintainer it's a already a pleasure to not read about rubyrailing MVVPXML-controlinversed tenliners. Reading about projects larger than "mine" is certainly not to be missed.
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchy -
The folks at Coverity (www.coverity.com wrote up their commercial static analysis tool in the CACM (A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World). Very interesting and enjoyable read. They describe in detail the pitfalls in building such a tool, and give examples of some sales situations they encountered. These include:
User: "How do I run your tool?"
Coverity: "Oh, it's easy. Just type 'cov-build' before your build command."
User: "Build command? I just push this [GUI] button..."
Upon seeing an error report saying the following loop body was dead code
for(i = 1; i < 0; i++) ...dead code...Programmer: "No, that's a false positive; a loop executes at least once."
For this memory corruption error (32-bit machine)
int a\[2\], b; memset(a, 0, 12);Programmer: "No, I meant to do that; they are next to each other."
For this use-after-free
free(foo); foo->bar = ...;Programmer: "No, that's OK; there is no malloc call between the free and use."
And my personal favorite:
A buffer overflow checker flagged a bunch of errors of the form
unsigned p\[4\]; p\[4\] = 1;Programmer: "No, ANSI lets you write 1 past the end of the array."
See more discussion at Lambda the Ultimate.
Best wishes, Hans
I wonder what it does with something like:
short* c = argv [ 1 ] + 1 ;
switch ( *c )
{
case 'an' : printf ( "January" ) ; break ;
case 'eb' : printf ( "February" ) ; break ;
case 'ar' : printf ( "March" ) ; break ;
case 'pr' : printf ( "April" ) ; break ;
case 'ay' : printf ( "May" ) ; break ;
case 'un' : printf ( "June" ) ; break ;
case 'ul' : printf ( "July" ) ; break ;
case 'ug' : printf ( "August" ) ; break ;
case 'ep' : printf ( "September" ) ; break ;
case 'ct' : printf ( "October" ) ; break ;
case 'ov' : printf ( "November" ) ; break ;
case 'ec' : printf ( "December" ) ; break ;
}You can stuff two characters in a
charliteral. :-D On my first job out of college I did that for parsing some reports. (VMS-style dates 19-Jan-2011 X| .) -
We use coverty, interestingly they licence it on a number of lines of code basis which makes it rather expensive for large code bases
If it's C-like language, remove all the carriage-returns before passing your code in.
-
The folks at Coverity (www.coverity.com wrote up their commercial static analysis tool in the CACM (A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World). Very interesting and enjoyable read. They describe in detail the pitfalls in building such a tool, and give examples of some sales situations they encountered. These include:
User: "How do I run your tool?"
Coverity: "Oh, it's easy. Just type 'cov-build' before your build command."
User: "Build command? I just push this [GUI] button..."
Upon seeing an error report saying the following loop body was dead code
for(i = 1; i < 0; i++) ...dead code...Programmer: "No, that's a false positive; a loop executes at least once."
For this memory corruption error (32-bit machine)
int a\[2\], b; memset(a, 0, 12);Programmer: "No, I meant to do that; they are next to each other."
For this use-after-free
free(foo); foo->bar = ...;Programmer: "No, that's OK; there is no malloc call between the free and use."
And my personal favorite:
A buffer overflow checker flagged a bunch of errors of the form
unsigned p\[4\]; p\[4\] = 1;Programmer: "No, ANSI lets you write 1 past the end of the array."
See more discussion at Lambda the Ultimate.
Best wishes, Hans
-
The folks at Coverity (www.coverity.com wrote up their commercial static analysis tool in the CACM (A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World). Very interesting and enjoyable read. They describe in detail the pitfalls in building such a tool, and give examples of some sales situations they encountered. These include:
User: "How do I run your tool?"
Coverity: "Oh, it's easy. Just type 'cov-build' before your build command."
User: "Build command? I just push this [GUI] button..."
Upon seeing an error report saying the following loop body was dead code
for(i = 1; i < 0; i++) ...dead code...Programmer: "No, that's a false positive; a loop executes at least once."
For this memory corruption error (32-bit machine)
int a\[2\], b; memset(a, 0, 12);Programmer: "No, I meant to do that; they are next to each other."
For this use-after-free
free(foo); foo->bar = ...;Programmer: "No, that's OK; there is no malloc call between the free and use."
And my personal favorite:
A buffer overflow checker flagged a bunch of errors of the form
unsigned p\[4\]; p\[4\] = 1;Programmer: "No, ANSI lets you write 1 past the end of the array."
See more discussion at Lambda the Ultimate.
Best wishes, Hans
Little pearls of wisdom eh? Billion lines of code I would imagine there is a bunch more. Good one thanks for sharing.
I like long walks, especially when they are taken by people who annoy me. http://www.hq4thmarinescomm.com[^]
My Site -
The folks at Coverity (www.coverity.com wrote up their commercial static analysis tool in the CACM (A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World). Very interesting and enjoyable read. They describe in detail the pitfalls in building such a tool, and give examples of some sales situations they encountered. These include:
User: "How do I run your tool?"
Coverity: "Oh, it's easy. Just type 'cov-build' before your build command."
User: "Build command? I just push this [GUI] button..."
Upon seeing an error report saying the following loop body was dead code
for(i = 1; i < 0; i++) ...dead code...Programmer: "No, that's a false positive; a loop executes at least once."
For this memory corruption error (32-bit machine)
int a\[2\], b; memset(a, 0, 12);Programmer: "No, I meant to do that; they are next to each other."
For this use-after-free
free(foo); foo->bar = ...;Programmer: "No, that's OK; there is no malloc call between the free and use."
And my personal favorite:
A buffer overflow checker flagged a bunch of errors of the form
unsigned p\[4\]; p\[4\] = 1;Programmer: "No, ANSI lets you write 1 past the end of the array."
See more discussion at Lambda the Ultimate.
Best wishes, Hans
We are using cppcheck(http://sourceforge.net/projects/cppcheck/), its open-source and IMHO even better and more accurate than coverity!
-
The folks at Coverity (www.coverity.com wrote up their commercial static analysis tool in the CACM (A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World). Very interesting and enjoyable read. They describe in detail the pitfalls in building such a tool, and give examples of some sales situations they encountered. These include:
User: "How do I run your tool?"
Coverity: "Oh, it's easy. Just type 'cov-build' before your build command."
User: "Build command? I just push this [GUI] button..."
Upon seeing an error report saying the following loop body was dead code
for(i = 1; i < 0; i++) ...dead code...Programmer: "No, that's a false positive; a loop executes at least once."
For this memory corruption error (32-bit machine)
int a\[2\], b; memset(a, 0, 12);Programmer: "No, I meant to do that; they are next to each other."
For this use-after-free
free(foo); foo->bar = ...;Programmer: "No, that's OK; there is no malloc call between the free and use."
And my personal favorite:
A buffer overflow checker flagged a bunch of errors of the form
unsigned p\[4\]; p\[4\] = 1;Programmer: "No, ANSI lets you write 1 past the end of the array."
See more discussion at Lambda the Ultimate.
Best wishes, Hans
Hans Dietrich wrote:
"No, that's a false positive; a loop executes at least once."
I like that one. In some languages, they have "DO UNTIL..." where that is absolutely true and in one sense it's true here as well, as long as this code is reached, it'll execute once. It will execute i = 1 and it will evaluate i < 0. Of course, the developer here probably mixed up his languages and really thought the body of the loop was executed once. I have to admit I wasn't sure if this loop was a do until or do while loop until I tested it to find out. Maybe I read that, but taking the effort to do a test is more memorable for me than reading it in a book.
-
The folks at Coverity (www.coverity.com wrote up their commercial static analysis tool in the CACM (A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World). Very interesting and enjoyable read. They describe in detail the pitfalls in building such a tool, and give examples of some sales situations they encountered. These include:
User: "How do I run your tool?"
Coverity: "Oh, it's easy. Just type 'cov-build' before your build command."
User: "Build command? I just push this [GUI] button..."
Upon seeing an error report saying the following loop body was dead code
for(i = 1; i < 0; i++) ...dead code...Programmer: "No, that's a false positive; a loop executes at least once."
For this memory corruption error (32-bit machine)
int a\[2\], b; memset(a, 0, 12);Programmer: "No, I meant to do that; they are next to each other."
For this use-after-free
free(foo); foo->bar = ...;Programmer: "No, that's OK; there is no malloc call between the free and use."
And my personal favorite:
A buffer overflow checker flagged a bunch of errors of the form
unsigned p\[4\]; p\[4\] = 1;Programmer: "No, ANSI lets you write 1 past the end of the array."
See more discussion at Lambda the Ultimate.
Best wishes, Hans
The Coverity folks are outrageously expensive. Some yahoo 3-4 steps up in the food chain wanted to have them analyze our source code, which covers five products ranging from 800K to 1.7M lines. Rumor has it their quote was for over $100,000.
Software Zen:
delete this;
Fold With Us![^] -
The Coverity folks are outrageously expensive. Some yahoo 3-4 steps up in the food chain wanted to have them analyze our source code, which covers five products ranging from 800K to 1.7M lines. Rumor has it their quote was for over $100,000.
Software Zen:
delete this;
Fold With Us![^]That doesn't surprise. Any web site that doesn't list prices is going to be astronomical; that's a given. Have you looked at any other static analysis tools?
Best wishes, Hans
