Re: [Cs-dev] Coding Standards again
Date | 2012-05-07 17:10 |
From | john ffitch |
Subject | Re: [Cs-dev] Coding Standards again |
I have never found static analysis much of a gain. Way too many incorrect reports. Sometimes gives clues but then so does reading the code. Andres posted an analysis from Google some time back, and it was very unhelpful. Looked good until one looked at the code.
==John ffitch
_______________________________________________ Csound-devel mailing list Csound-devel@lists.sourceforge.net |
Date | 2012-05-07 17:16 |
From | Andres Cabrera |
Subject | Re: [Cs-dev] Coding Standards again |
Hi, That one was done using clang. Cheers, Andrés On Mon, May 7, 2012 at 5:10 PM, john ffitch |
Date | 2012-05-08 02:17 |
From | Erik de Castro Lopo |
Subject | Re: [Cs-dev] Coding Standards again |
john ffitch wrote:

> I have never found static analysis much of a gain. Way too many
> incorrect reports.

John, I respectfully disagree.

The quality of the output of a static analysis report is highly dependent on the quality (or probably more correctly the kind) of code that goes in. Obviously for legacy code like CSound these tools throw up huge numbers of spurious warnings, often about C idioms and techniques that were common 20 years ago but which have fallen out of favour.

However, for modern code that was developed with modern compilers (and with all the compiler's warning flags enabled and all warnings fixed) there are far fewer static analysis warnings.

I am also 100% certain that it is possible to write a large complicated piece of software in C or C++, that is compiler warning free and static analysis warning free. I'm also sure this code will still have bugs, but it will have fewer bugs than the same code developed without compiler warnings and static analysis.

The Haskell people have an interesting view on this. They say that in order for the compiler to reject more incorrect programs it has to reject some programs that are correct, but for which it can't prove they are correct.

Cheers,
Erik
--
Erik de Castro Lopo http://www.mega-nerd.com/ |