Open main menu

OpenVZ Virtuozzo Containers Wiki β

Static code analysis

Revision as of 13:26, 15 May 2015 by Sergey Bronnikov (talk | contribs) (update hostname for repo)

Static analysis is a technique for finding bugs just by looking at source code without actually running it. That's great, because it can find bugs that are really hard to trigger.

Contents

Tools used to static analysis of OpenVZ components

There are a number of tools which analyze C code and try to detect typical errors. None of these tools is perfect, so using different tools with OpenVZ components will detect more bugs. Be prepared to also get lots of false warnings!

cppcheck

Cppcheck is a static analysis tool for C/C++ code. Unlike C/C++ compilers and many other analysis tools it does not detect syntax errors in the code. Cppcheck primarily detects the types of bugs that the compilers normally do not detect. The goal is to detect only real errors in the code (i.e. have zero false positives).

Some OpenVZ bugs were found using cppcheck: #1309, #1308, #1307, #1306.


Coverity

  • vzquota was submitted as project to Coverity services. There are no known bugs found by Coverity in vzquota though.
  • source code of vzctl was submitted to Coverity too. There are amount of issues were found and fixed with their help: b2f9c254447,

138b341a23a, 337f712eac4, dfd699a3a52, 767289a2eb0, 1b01bb34a9e, eebe2c1201a, 09f30856fb4, 54cbc8ae07a and many others.

8d11952f6bc4, 5e82fba10ed4, 1e919423a845, 1e0e83701f44


Clang

  • source code of CRIU was checked clang static analyzer:

3ea2fd78ebe21, e2a0be63d4b8e, a6c5953a80d24, f54f9f0efa8cd, f238d56661dae, fcfd705d39b10, 6ce8d8ab9309f


Static analysis tools