Adding Flawfinder to Patchwatcher

Juan Lang juan.lang at gmail.com
Sun Sep 7 22:16:47 CDT 2008


> AFAIK "splint" is one of the most popular OSS static analysis tools, but I've
> never really used it.  Has anyone here used it?  On the flawfinder homepage, it
> says that splint does deeper analysis than flawfinder.  It says it "...works
> somewhat like lint, searching for probable errors; to really use it, developers
> need to add additional annotations to help the tool identify problems. This is a
> very mature program, widely used, and one you can start using right away on
> 'real programs'."

splint is merely one of the first, but hardly one of the most popular.
It requires far too much code annotation to be useful.  There are
other more recent static analysis tools (cqual, or more recently oink,
come to mind) that could be used, but they're not that useful "out of
the box."  Rules for common things would need to be written before the
tools would be useful.

The analysis Coverity did was pretty high quality in comparison to
other tools I've tried.  The trouble with Coverity's scans was lack of
developer time to analyze the results, I think.  Even a relatively
good tool has false positives, and it takes time to sort out the real
bugs from the noise.

Also, smatch is based on the same paper (the Stanford checker,
metacomp) that Coverity's tool started as.  At least Michael Stefaniuc
uses it to some success around here, and it could be extended to cover
more cases.
--Juan
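As an added illustration of the triage problem described above (this is not code from the thread, from Wine, or from flawfinder itself), the following Python script mimics flawfinder's purely lexical approach: it greps C source for calls to a handful of risky libc functions and reports each one. It is run over two constructed C snippets, one with a real unbounded strcpy and one where the copy is guarded by a length check. The lexical pass flags both, which is exactly the false-positive noise a developer then has to sort through; a small, assumed heuristic (`is_guarded`) shows one cheap way to separate them. The rule table is an illustrative subset, not flawfinder's actual database.

```python
import re

# Constructed sample C sources (not Wine code).  Both call strcpy; only the
# first is a real bug.
TRUE_POSITIVE = """
void copy_name(const char *src)
{
    char buf[16];
    strcpy(buf, src);            /* no bound: overflow if strlen(src) >= 16 */
}
"""

FALSE_POSITIVE = """
void copy_name_checked(const char *src)
{
    char buf[16];
    if (strlen(src) >= sizeof(buf)) return;
    strcpy(buf, src);            /* bounded by the check above */
}
"""

# Risky calls with a one-line reason, in the spirit of flawfinder's rules.
# Assumed illustrative subset, not flawfinder's real rule set.
RULES = {
    "strcpy": "unbounded copy into destination",
    "strcat": "unbounded append",
    "sprintf": "unbounded formatted write",
    "gets": "unbounded read from stdin",
}

CALL_RE = re.compile(r"\b(" + "|".join(RULES) + r")\s*\(")
GUARD_RE = re.compile(r"\b(strlen|sizeof)\s*\(")


def scan(source):
    """Lexical pass: return (line_no, function, reason) for every risky call.

    Like flawfinder, this looks only at tokens, so it cannot tell a guarded
    call from an unguarded one."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("/*")[0]          # ignore trailing block comments
        for m in CALL_RE.finditer(code):
            hits.append((n, m.group(1), RULES[m.group(1)]))
    return hits


def is_guarded(source, hit):
    """Assumed triage heuristic: treat the call as guarded if an `if` that
    tests strlen()/sizeof() appears earlier in the same function body.
    The body is taken to start at the nearest preceding line that is just
    '{' (K&R-style brace placement, as in the samples above)."""
    lines = source.splitlines()
    line_no = hit[0]
    start = line_no - 1
    while start > 0 and lines[start - 1].strip() != "{":
        start -= 1
    body = lines[start:line_no - 1]
    return any(GUARD_RE.search(l) and "if" in l for l in body)


def triage(source):
    """Return (true_positives, suspected_false_positives) for a source."""
    tp, fp = [], []
    for hit in scan(source):
        (fp if is_guarded(source, hit) else tp).append(hit)
    return tp, fp


if __name__ == "__main__":
    for name, src in (("TRUE_POSITIVE", TRUE_POSITIVE),
                      ("FALSE_POSITIVE", FALSE_POSITIVE)):
        tp, fp = triage(src)
        print(name)
        for n, fn, why in tp:
            print(f"  line {n}: {fn}() - {why}  [needs a fix]")
        for n, fn, why in fp:
            print(f"  line {n}: {fn}() - {why}  [guarded, probably noise]")
```

The point is not that the guard heuristic is good (it is trivially fooled by a guard in a different branch, or by a `sizeof` on the wrong object) but that every step past plain pattern matching costs either tool-writing time, as with cqual/oink rules, or reviewer time, as with the Coverity results; a lexical checker only moves the work, it does not remove it.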



More information about the wine-devel mailing list