What does Coverity/clang static analysis actually do?

[Lutger]

Walter Bright wrote:

> Nick Sabalausky wrote:
>> "Walter Bright" <newshound1 at digitalmars.com> wrote in message
>>> 2. possible dereference of NULL pointers (some reaching definitions of a
>>> pointer are NULL)
>>> 2. Optimizer collects the info, but ignores this, because people are
>>> annoyed by false positives.
>>>
>> 
>> If you mean something like this:
>> 
>> Foo f;
>> if(cond)
>>     f = new Foo();
>> f.bar();
>> 
>> Then I *want* the compiler to tell me. C# does this and I've never been
>> annoyed by it, in fact I've always appreciated it. I'm not aware of any
>> other C# user that has a problem with that either. If that's not what you
>> mean though, then could you elaborate?
> 
> The problem crops up when there are two connected variables:
> 
>    void foo(bool flag)
>    {
>      char* p = null;
>      if (flag)
> p = "hello";
>      ...
>      if (flag)
> bar(*p);
>    }
> 
> The code is logically correct, there is no null pointer dereference
> possible. However, the data flow analysis will see the *p and see two
> reaching definitions for p: null and "hello", even though only one
> actually reaches.
> 
> Hence the false positive. To eliminate the false error report, the user
> would have to insert a redundant null check.
> 
> Does this happen in practice? Yes.

How hard is this to implement? I ask this because I would suggest to try it 
out and see how much it catches vs. how annoying it is. In VB.NET I have 
quite some false positives, but in C# less. It's all about how it fits with 
the rest of the language. VB.NET doesn't have a ternary operator for 
example. In D you have less need for pointers and generally a much more 
expressive vocabulary at your disposal than other C family languages.