What does Coverity/clang static analysis actually do?
Rainer Deyke
rainerd at eldwood.com
Sat Oct 3 16:11:22 PDT 2009
There is a simple and elegant solution to the problem of false positives
in static analysis. Simple provide a way for the programmer to say, "I
know this looks dangerous, but I know what I'm doing, so trust me on
this." This could be done by adding some new syntax, either a new
keyword or a reused old keyword, or by changing the semantics of void
initialization.
For example, this would be an error:
T t;
if (i < 10) {
t = new T;
}
if (i < 10) {
t.f();
}
This would be legal:
T t = unchecked;
if (i < 10) {
t = new T;
}
if (i < 10) {
t.f();
}
But this would be an error:
T t = unchecked;
t.f();
As would this:
T t = unchecked;
f(t);
'unchecked' has the following properties:
- It is an error to use the value of a variable that is initialized as
'unchecked'.
- 'unchecked' tells the static analysis that the programmer knows what
he's doing. The static analysis should therefore be liberal rather than
conservative.
- At runtime, 'unchecked' is equivalent to 'null' for non-nullable
reference types. This increases the chance that the error will be
detected at runtime.
On the other hand, variables without any explicit initializer at all
will have the following properties:
- It is an error to use the value of the variable.
- The static analysis is conservative by default. If it thinks the
variable could be used uninitialized, an error is reported.
- Since the static analysis guarantees that the variable will not be
used uninitialized, there is no need to initialize the variable at runtime.
--
Rainer Deyke - rainerd at eldwood.com
More information about the Digitalmars-d
mailing list