Slashdot Mirror
PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel
Andrey_Karpov writes: Svyatoslav Razmyslov from PVS-Studio Team published an article on the check of the FreeBSD kernel. PVS-Studio developers are known for analyzing various projects to show the abilities of their product, and do some advertisement, of course. Perhaps, this is one of the most acceptable and useful ways of promoting a proprietary application. They have already checked more than 200 projects and detected 9355 bugs. At least that's the number of bugs in the error base of their company.
So now it was FreeBSD kernel's turn. The source code was taken from GitHub 'master' branch. Svyatoslav states that PVS-Studio detected more than 1000 suspicious code fragments that are most likely bugs or inaccurate code. He described 40 of them in the article. The list of warnings was given to the FreeBSD developer team and they have already started editing the code.
A couple of words for programmers who are still not familiar with PVS-Studio. PVS-Studio is a tool for bug detection in the source code of programs, written in C, C++ and C#. It performs static code analysis and generates a report that helps a programmer find and fix the errors in the code. You can see a more detailed description of the tool on the company website and download a trial version.
So now it was FreeBSD kernel's turn. The source code was taken from GitHub 'master' branch. Svyatoslav states that PVS-Studio detected more than 1000 suspicious code fragments that are most likely bugs or inaccurate code. He described 40 of them in the article. The list of warnings was given to the FreeBSD developer team and they have already started editing the code.
A couple of words for programmers who are still not familiar with PVS-Studio. PVS-Studio is a tool for bug detection in the source code of programs, written in C, C++ and C#. It performs static code analysis and generates a report that helps a programmer find and fix the errors in the code. You can see a more detailed description of the tool on the company website and download a trial version.
Depending on the software you write, and what you use it for ... $5k for a development tool isn't that crazy stupid.
Agreed, it's not crazy stupid at all. In fact, I think it's pretty reasonable when you think about it.
For comparison, I remember when JBuilder (the Java IDE) cost at least that much money _per seat_. And that was a long time ago.
And on the advertising topic, this kind of advertising doesn't bother me at all. It's proving the product, factual, and relevant. What more can you ask for?
The submitter, Andrey Karpov, is one of the developers of PVS-Studio. The article he's plugging was written by yet another PVS-Studio developer. I wouldn't be in the least surprised if this got voted to the front page by an army of PVS-Studio sockpuppets. They've been doing the same thing on Wikipedia for years (though their site was long ago put on a Wikimedia-wide spam blacklist), and also post similar spamvertisements, masquerading as "bug reports", to the issue trackers of prominent free software projects such as Mozilla.
Coverity, along with most static analysers, has problems with false positives. I spent an afternoon wading through the coverity reports in my own code in FreeBSD libc. I found one possible bug (I think that the code was unreachable, but I may have missed something in one of the callers), all of the rest were false positives. Some were trivial to discount - they were simple artefacts of the fact that Coverity works one compilation unit at a time and a cursory glance at the other compilation unit showed that it was not a problem. The others required a bit more digging. In particular, Coverity seemed to be really confused by some reference counting functions.
I've only had time to glance over the PVS results, but they seemed to be more useful.
I am TheRaven on Soylent News