Static analysis at Mozilla

Sean Kelly sean at invisibleduck.org
Thu Jun 10 10:41:11 PDT 2010


bearophile Wrote:

> C++ Static Analysis as done on the large Mozilla codebase:
> http://blog.ezyang.com/2010/06/static-analysis-mozilla/
> It shows that it's important to have a more powerful static reflection in D. It works well with scoped user-defined attributes too.

As much as I like static analysis, it still has a long way to go.  For example, here's some C code that a static analysis tool recently flagged as broken:

    #include <stddef.h>
    #include <stdlib.h>
    #include <string.h>

    /* Copies src into a per-thread buffer that grows on demand and
       hands that buffer back to the caller through *pdst. */
    size_t fn( char** pdst, char* src, size_t srclen ) {
        __thread static char*  dst    = NULL;  /* thread-local scratch buffer */
        __thread static size_t dstcap = 0;     /* its current capacity */
        if( dstcap < srclen ) {
            dstcap = srclen;
            dst    = realloc( dst, dstcap );   /* result not checked, as posted */
        }
        memcpy( dst, src, srclen ); // Purify: ERROR - uninitialized write
        *pdst = dst;
        return srclen;
    }

Basically, it wasn't smart enough to realize that dst would always be non-NULL when the memcpy occurred, let alone that it would also always be large enough.  For such false positives, it's generally necessary to insert pointless code simply to silence the error, thus complicating the function and increasing the cost of maintenance.  I still believe that the benefits of static analysis vastly outweigh the cost, but I'd love to see more intelligence in branch analysis if nothing else.
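A hardened variant of the posted function, added here as an example and not part of the original post or Sean Kelly's code: it checks the realloc result (the one path on which dst really can be NULL at the memcpy), handles a zero-length copy without touching the buffer, and reports allocation failure to the caller; fn_checked, FN_ERROR and fn_checked_selftest are names chosen for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a checked version of the thread-local growing buffer.
 * Sentinel return value for "could not allocate" (distinct from 0 bytes copied). */
#define FN_ERROR ((size_t)-1)

size_t fn_checked(char **pdst, const char *src, size_t srclen) {
    static __thread char  *dst    = NULL;   /* per-thread scratch buffer */
    static __thread size_t dstcap = 0;      /* its current capacity */

    if (srclen == 0) {              /* nothing to copy: never touch dst */
        *pdst = dst;
        return 0;
    }
    if (dstcap < srclen) {
        /* realloc into a temporary: on failure the old buffer stays valid
         * and dst is not replaced by NULL, so memcpy cannot write through it */
        char *grown = realloc(dst, srclen);
        if (grown == NULL) {
            *pdst = NULL;
            return FN_ERROR;
        }
        dst    = grown;
        dstcap = srclen;
    }
    memcpy(dst, src, srclen);       /* dst is non-NULL and holds >= srclen bytes */
    *pdst = dst;
    return srclen;
}

/* Exercises the grow path, the reuse path and the zero-length path.
 * Returns 1 on success, 0 on the first failed check. */
int fn_checked_selftest(void) {
    char *out = NULL;
    const char a[] = "hello";   /* constructed sample input */
    const char b[] = "hi";      /* constructed sample input, fits existing buffer */
    if (fn_checked(&out, a, sizeof a) != sizeof a) return 0;
    if (out == NULL || memcmp(out, a, sizeof a) != 0) return 0;
    char *first = out;
    /* a smaller copy must reuse the same allocation rather than realloc */
    if (fn_checked(&out, b, sizeof b) != sizeof b || out != first) return 0;
    if (memcmp(out, b, sizeof b) != 0) return 0;
    /* zero-length copy: returns 0 and leaves the buffer alone */
    if (fn_checked(&out, a, 0) != 0 || out != first) return 0;
    return 1;
}
```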


More information about the Digitalmars-d mailing list