Lints, Condate and bugs
Walter Bright
newshound2 at digitalmars.com
Tue Oct 26 14:21:43 PDT 2010
bearophile wrote:
> From my experience I've seen that lint tools are very useful to quickly find
> many bugs, on the other hand most of my friends don't use them. This is a
> problem I've felt for some time. Recently I have found an interesting paper
> that expresses my feelings better:
>
> "Condate: A Proto-language at the Confluence Between Checking and Compiling"
> by Nic Volanschi http://mygcc.free.fr/condate-ppdp06.pdf
I've been interested in rule based static checkers for years. I'd hoped to be
able to obsolete them by designing the need for such checks out of the language.
There's no need to check for an error that cannot be expressed.
Looking at what the rule based analyzers do falls into predictable categories:
1. Memory allocation errors - failure to free, dangling pointers, redundant frees
2. Use of uninitialized data
3. Related to (1), failure to clean up properly after allocating some resource
4. Memory corruption, such as buffer overflows
5. Failure to do transaction cleanup properly in the event part of the
transaction failed
6. Failure to deal with error returns
7. Null pointer dereferencing
8. Signed/unsigned mismatching
Keep in mind that such tools can also produce large quantities of false
positives, requiring ugly workarounds or causing the programmer to miss the real
bugs. Keep in mind also that these tools are often way oversold - they catch a
few kinds of bugs, but not logic errors. Over time, I've found my own coding
bugs that such tools might catch get less and less rare. The bugs in my code are
logic errors that no tool could catch.
Here's how D deals with them:
1. Garbage collection.
2. Data is guaranteed to be initialized.
3. RAII does this.
4. Array bounds checking, and safe mode in general, solves this.
5. D's scope guard does a very good job with this
6. Exceptions solve this
7. Certainly the idea of non-null types has a lot of adherents, D doesn't have that.
8. The only successful solution to this I've seen is Java's simply not having
unsigned types. Analysis tools just produce false positives.
I don't think there's much value left for add-on static analysis tools.
More information about the Digitalmars-d
mailing list