Difference between revisions of "Static code analysis"

From OpenVZ Virtuozzo Containers Wiki
(mention testing criu by coverity)
Line 31: Line 31:
 
[https://stash.openvz.org/projects/OVZL/repos/vzctl/commits/54cbc8ae07afa6610308a38511ee1940afbc9623 54cbc8ae07a]
 
[https://stash.openvz.org/projects/OVZL/repos/vzctl/commits/54cbc8ae07afa6610308a38511ee1940afbc9623 54cbc8ae07a]
 
and many others.  
 
and many others.  
 +
 +
* [http://criu.org/Main_Page CRIU] was checked by Coverity too. We have found number of bugs with it: [https://github.com/xemul/criu/commit/08cdae901b566092370f03c23de83f544373e45b 08cdae901b56], [https://github.com/xemul/criu/commit/2b8f61393e0b99e36e292880f6b8da66317176a1 2b8f61393e0b], [https://github.com/xemul/criu/commit/4f9e509c1597d1782e953dc7a83acc4454b2b7ef 4f9e509c1597],
 +
[https://github.com/xemul/criu/commit/8d11952f6bc43cdd0a60d4cd8d62d180d4d50877 8d11952f6bc4],
 +
[https://github.com/xemul/criu/commit/5e82fba10ed4955385cf3183395a96d7f1121d24 5e82fba10ed4],
 +
[https://github.com/xemul/criu/commit/1e919423a845a16f41dc298bf11e20a3b29af4cf 1e919423a845],
 +
[https://github.com/xemul/criu/commit/1e0e83701f441852cccae40c97135884aff942b4 1e0e83701f44]
 +
 +
 +
=== clang ===
 +
 +
* source code of [http://criu.org/Main_Page CRIU] was checked clang static analyzer.
  
  
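Review bot: the commit list in the added CRIU Coverity entry is broken onto separate lines after each trailing comma, and the rendered revision shows the later hashes detached from the list item; keep the whole list on one line so every link stays inside the bullet. The same entry needs an article in "We have found number of bugs" ("a number of bugs"). In the new clang section, "was checked clang static analyzer" is missing "by" or "with the", and unlike the Coverity entries it names no findings or fixing commits; link them if there are any.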

Revision as of 13:20, 15 May 2015

Static analysis is a technique for finding bugs just by looking at source code without actually running it. That's great, because it can find bugs that are really hard to trigger.

Tools used for static analysis of OpenVZ components

There are a number of tools which analyze C code and try to detect typical errors. None of these tools is perfect, so using different tools with OpenVZ components will detect more bugs. Be prepared to also get lots of false warnings!

cppcheck

Cppcheck is a static analysis tool for C/C++ code. Unlike C/C++ compilers and many other analysis tools it does not detect syntax errors in the code. Cppcheck primarily detects the types of bugs that the compilers normally do not detect. The goal is to detect only real errors in the code (i.e. have zero false positives).

Some OpenVZ bugs were found using cppcheck: #1309, #1308, #1307, #1306.


Coverity

  • vzquota was submitted as a project to Coverity services. There are no known bugs found by Coverity in vzquota though.
  • The source code of vzctl was submitted to Coverity too. A number of issues were found and fixed with their help: b2f9c254447, 138b341a23a, 337f712eac4, dfd699a3a52, 767289a2eb0, 1b01bb34a9e, eebe2c1201a, 09f30856fb4, 54cbc8ae07a and many others.
  • CRIU was checked by Coverity too. We have found a number of bugs with it: 08cdae901b56, 2b8f61393e0b, 4f9e509c1597, 8d11952f6bc4, 5e82fba10ed4, 1e919423a845, 1e0e83701f44


clang

  • The source code of CRIU was checked with the clang static analyzer.


Static analysis tools