C is Brittle D is Plastic
Richard (Rikki) Andrew Cattermole
richard at cattermole.co.nz
Wed Apr 8 20:48:39 UTC 2026
On 09/04/2026 8:01 AM, Walter Bright wrote:
> BTW, if the dedicated static analyzers work, why does AI keep finding
> security bugs in Linux code and everything else? Most recently an array
> buffer overflow that had been in the kernel for 20 years.
Hardly anyone is using dedicated static analyzers, let alone paying for
one that is price upon request.
The most people do is use the static analyzer that comes with their
compiler, which quite frankly is a toy in comparison.
The Linux kernel is an outlier, as they've been using dedicated static
analyzers for well over 20 years. I've covered this well over a year ago
now at a monthly meeting. On top of this, there are multiple dedicated
efforts to apply static analyzers to the kernel which have found and
gotten problems fixed.
Quite frankly, when was the last time you ran into a BSOD regularly? A
good 20 years ago, right? Hint, this is why. Everyone uses some kind of
static analyzer for kernels, which has improved reliability significantly.
https://lwn.net/Articles/412750/
https://repo.or.cz/w/smatch.git
https://linuxtesting.org/results/ldv
I've mentioned this one in the past, it was originally written by Linus:
https://sparse.docs.kernel.org/en/latest/
So to answer your question:
1. They are not being used.
2. They are not using the best analyzer(s) as they cost significant money.
3. Not all bugs being found are being fixed (sigh).
The reason I keep referencing Astrée is because it's at the maximum of
what we as a species can do, it can analyze multi-threading and prevent
deadlocks. Whereas others like IKOS, which is free, are for
single-threaded applications only.
Given how prevalent software is now in aerospace, the fact that planes
aren't falling out of the sky on a regular basis is pretty incredible.
No amount of hardware can make up for how invasive it is.