PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel
Andrey_Karpov writes: Svyatoslav Razmyslov from the PVS-Studio team published an article on the check of the FreeBSD kernel. PVS-Studio developers are known for analyzing various projects to show the abilities of their product, and to do some advertising, of course. Perhaps this is one of the most acceptable and useful ways of promoting a proprietary application. They have already checked more than 200 projects and detected 9355 bugs. At least that's the number of bugs in the company's error database.
So now it was the FreeBSD kernel's turn. The source code was taken from the GitHub 'master' branch. Svyatoslav states that PVS-Studio detected more than 1000 suspicious code fragments that are most likely bugs or inaccurate code. He described 40 of them in the article. The list of warnings was given to the FreeBSD developer team, and they have already started editing the code.
A couple of words for programmers who are still not familiar with PVS-Studio. PVS-Studio is a tool for bug detection in the source code of programs written in C, C++ and C#. It performs static code analysis and generates a report that helps a programmer find and fix the errors in the code. You can see a more detailed description of the tool on the company website and download a trial version.
It seems like every time they do this for promotion they just claim everything as a "bug" without really individually investigating and reporting all of them, taking only some obviously wrong ones and then lumping the whole report onto the project's bug tracker, if we're lucky.
PVS Studio is a great application but since they only do team licensing "1-9 developers" I can't see the benefit in buying it, just like IDA Pro. I'm an open source only dev in the C/C++/C# world, all my profitable work is in other languages...
I'd gladly pay a REASONABLE price for all these tools if they'd provide proper Linux versions (PVS-Studio only ever had an internal Linux version... in projects with Linux- and Windows-specific code it is difficult if not impossible to analyze the Linux parts), but so far the real benefit to open source teams who can't afford this software (which is mostly Windows-only anyway) seems extremely low, despite its utility otherwise.
BitZtream was wrong. A fix has been committed which adds the missing parenthesis.
The very best that can be said about the code snippet is that it is a redundant if statement. The last time someone independently ran a static analyser on something I was working on was the Y2K thing. I sent off one MB of zipped source as requested; a month or so later I got back fifteen MB of zipped reports. It cost the company a small fortune to confirm what we had told them in the first instance: dates were all handled via a handful of functions in a single source file. The entire team of ~50 developers saw the analysis as a complete waste of time and money; the report was longer and more difficult to review than the actual code. The reason it was done is that the company executives (and the law) saw it as insurance via due diligence.
Having said that, static analysis can be a very useful tool for improving code quality, if (and only if) you understand the application you are looking at.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
If you want something better, there's Coverity. Free if you qualify. If not, it's even more expensive than PVS-Studio, but does a heck of a lot better job.
FreeBSD has been analyzed by Coverity for years... did it not catch the problems that PVS-Studio found?
This is one of my pet peeves too. It's also something that I really like about Smalltalk: there is no operator precedence, operators are evaluated left to right and if you want something other than left-to-right order, then you must add parentheses. This means that you never spend time in Smalltalk code wondering if the developer got the precedence wrong.
I am TheRaven on Soylent News
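An added illustration of the precedence trap raised in the comments above (the missing parenthesis and the Smalltalk left-to-right point). This is example code written for this page, not code from the article, from PVS-Studio, or from the FreeBSD kernel; the permission bit names and the function names are hypothetical. Each buggy variant is kept beside its parenthesised form so the difference is visible on real input:

```c
/* Added example, not from the article or FreeBSD: two operator-precedence
 * traps that static analysers (and gcc/clang -Wall) commonly flag in C.
 * All names here are hypothetical. */
#include <stdio.h>

/* The buggy variants are deliberate. gcc and clang report them under
 * -Wparentheses; the pragma silences that so the demo compiles cleanly. */
#pragma GCC diagnostic ignored "-Wparentheses"

/* Hypothetical permission bits, modelled on Unix mode bits. */
#define PERM_READ  0x4u
#define PERM_WRITE 0x2u
#define PERM_EXEC  0x1u

/* Intent: "are all bits of mask set in perms?"
 * == binds tighter than &, so this parses as perms & (mask == mask),
 * i.e. perms & 1: it only ever tests PERM_EXEC, whatever mask says. */
int has_perm_buggy(unsigned perms, unsigned mask)
{
    return perms & mask == mask;
}

/* Parenthesised form: tests exactly the requested bits. */
int has_perm_fixed(unsigned perms, unsigned mask)
{
    return (perms & mask) == mask;
}

/* Intent: a mask of the low n bits, (1 << n) - 1.
 * - binds tighter than <<, so this parses as 1 << (n - 1): one bit. */
unsigned low_bits_buggy(unsigned n)
{
    return 1u << n - 1;
}

/* Parenthesised form: the n low bits, as intended. */
unsigned low_bits_fixed(unsigned n)
{
    return (1u << n) - 1;
}

int main(void)
{
    /* Constructed inputs: one false negative and one false positive. */
    unsigned rw = PERM_READ | PERM_WRITE;   /* 0x6 */
    unsigned x  = PERM_EXEC;                /* 0x1 */

    printf("perms=0x%x want WRITE: buggy=%d fixed=%d\n",
           rw, has_perm_buggy(rw, PERM_WRITE), has_perm_fixed(rw, PERM_WRITE));
    printf("perms=0x%x want WRITE: buggy=%d fixed=%d\n",
           x, has_perm_buggy(x, PERM_WRITE), has_perm_fixed(x, PERM_WRITE));
    printf("low 4 bits: buggy=0x%x fixed=0x%x\n",
           low_bits_buggy(4), low_bits_fixed(4));
    return 0;
}
```

The second permission row is the dangerous one: a caller holding only execute permission is told it has write permission, because the check collapsed to `perms & 1`. Compiling with `-Wall` and not silencing the warning, or running a static analyser over the tree, is how this class of bug is normally caught before it reaches a kernel.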
You may just say - hey this is me, psychonaut, I've banned viva64 on Wikipedia. Praise me for that. Because of me you won't see links to really helpful material on viva64.
For example, it's really not necessary for those who are interested in precompiled headers to know that there is a super useful article, StdAfx.h. Burn it all! :)