Smatch v1.56 released

Smatch v1.56 released

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 862 bytes --]

It's been almost two years since the last Smatch release so probably
it's time for another one.

Smatch is a static analysis tool for C which has a lot of kernel
specific checks.

To run Smatch over the entire kernel use:
	smatch_scripts/test_kernel.sh

To run Smatch over just one .c file, start at the base of the kernel
tree and use:
	smatch_scripts/kchecker path/to/file.c

The main new thing, is the new cross function database work.  You
build a database on the first run and then use the information on
the second run.  The script for to build the database is:
	smatch_scripts/build_kernel_data.sh

Smatch still produces a lot of false positives.  Also as bugs get
fixed in the kernel, the false positive to real bug ratio gets
worse and worse.  But it does find real bugs as well.

There is a mailing list smatch@vger.kernel.org.

regards,
dan carpenter

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Smatch v1.56 released

[Joe Perches]

On Sun, 2012-03-04 at 21:04 +0300, Dan Carpenter wrote:
> Smatch still produces a lot of false positives.  Also as bugs get
> fixed in the kernel, the false positive to real bug ratio gets
> worse and worse.  But it does find real bugs as well.

Perhaps a database of known false positives and a mechanism
to use it to see only new instances could be created.

Re: Smatch v1.56 released

[Jiri Slaby]

On 03/04/2012 07:38 PM, Joe Perches wrote:
> On Sun, 2012-03-04 at 21:04 +0300, Dan Carpenter wrote:
>> Smatch still produces a lot of false positives.  Also as bugs get
>> fixed in the kernel, the false positive to real bug ratio gets
>> worse and worse.  But it does find real bugs as well.
> 
> Perhaps a database of known false positives and a mechanism
> to use it to see only new instances could be created.

Yes, this is actually what xgcc has been doing. See [1] to see how to do
it more-or-less reliably.

[1] A system and language for building system-specific, static analyses,
Hallem, S. and Chelf, B. and Xie, Y. and Engler, D.

regards,
-- 
js

Re: Smatch v1.56 released

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 694 bytes --]

On Sun, Mar 04, 2012 at 10:38:50AM -0800, Joe Perches wrote:
> On Sun, 2012-03-04 at 21:04 +0300, Dan Carpenter wrote:
> > Smatch still produces a lot of false positives.  Also as bugs get
> > fixed in the kernel, the false positive to real bug ratio gets
> > worse and worse.  But it does find real bugs as well.
> 
> Perhaps a database of known false positives and a mechanism
> to use it to see only new instances could be created.

What I do is only look at new bugs.  I've got a script
	smatch_scripts/new_bugs.sh
That takes the output from two smatch runs and prints the bugs which
are new.

Artem has a set of scripts he's working on as well.

regards,
dan carpenter


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Smatch v1.56 released

[Artem Bityutskiy]

On Mon, 2012-03-05 at 10:22 +0300, Dan Carpenter wrote:
> What I do is only look at new bugs.  I've got a script
> 	smatch_scripts/new_bugs.sh
> That takes the output from two smatch runs and prints the bugs which
> are new.
> 
> Artem has a set of scripts he's working on as well.

Yeah, I basically compile with W=1, run
sparse/coccinelle/cppcheck/smatch before and after a patch, compare the
build logs and report about only new warnings. Quite useful when you are
a maintainer.

-- 
Best Regards,
Artem Bityutskiy