StaticAnalysis

Static Analysis

Static analysis is a technique for finding bugs just by looking at source code without actually running it. That's great, because it can find bugs that are really hard to trigger.

Coverity

Coverity is a commercial static analysis service that runs continuous scans of many open source apps, including Wine. A summary of results is online at http://scan.coverity.com/rung1.html; it shows Wine has 0.2 defects per thousand lines of code, which compares favorably with other projects.

For the detailed results, see http://scan.coverity.com/devfaq.html, which says "Locate your project on the Full List of the Scan ladder, and click the Log In link. Account requests must be approved by the project's official contacts." Our official contacts are Paul Vriens and Jan Zerebecki. Contact them or scan-admin at coverity for access.

When posting patches to fix bugs found by Coverity, please include "Coverity" in the subject line.

Here are two ways to look for Coverity-related Wine patches:

PVS-Studio

PVS-Studio is a static analysis tool that integrates into Visual Studio. See http://www.viva64.com/en/a/0076/ for a report of errors analyzing ReactOS code with PVS-Studio. According to http://www.winehq.org/pipermail/wine-devel/2011-December/093599.html, many but not all of the warnings it raised have already been fixed in Wine.

Old Smatch

Smatch is an open source static analysis tool. The old and obsolete version is based on a hacked gcc-3.1.1 with some Perl modules and scripts, but it is still useful for Wine and "low cost" to run.

When posting patches to fix bugs found by Smatch, please include "Smatch" in the subject line.

Michael Stefaniuc says that one of these days he's going to stop using the old Smatch and switch to Coccinelle [IRC 15 Jan 2010]. It is way easier to prototype new ideas in Coccinelle.

Here are three ways to look for Smatch-related Wine patches:

Smatch

Smatch is an open source static analysis tool. The new Smatch is based on sparse, the checker used by the Linux kernel.

Smatch has some built-in Wine checks.

Coccinelle

Coccinelle is yet another open source static analysis tool.

Students at Aalborg University say they found a number of bugs with it in 2008. Paul Vriens and Michael Stefaniuc have been using it since 2009.

When posting patches to fix bugs found by Coccinelle, please include "Coccinelle" in the subject line.

Here are two ways to look for Coccinelle-related Wine patches:

Clang Static Analyzer

Clang (the C-language front end to the LLVM compiler) includes a new static analysis tool currently named the Clang Static Analyzer.

Download checker-report for a checker report on Wine, or browse it online.

Henri Verbeet has started submitting patches to fix these warnings; the first is http://winehq.org/pipermail/wine-patches/2008-October/062650.html

When posting patches to fix bugs found by Clang, please include "LLVM/Clang" in the subject line.

Here are two ways to look for Clang-related Wine patches:

See also: the Clang page in this Wiki.

Saturn

Saturn is the second static analysis tool out of Stanford (the first was MC aka the Stanford Checker, which became Coverity). Their tool can be downloaded for free, and there is a mailing list for discussing it.

The first patch from somebody using Saturn was posted on 26 Jan 2009.

When posting patches to fix bugs found by Saturn, please include "(Saturn)" in the subject line.

Here are two ways to look for Saturn-related Wine patches:

Flawfinder

Students at Aalborg University say they found a number of bugs using Coccinelle and Flawfinder.

There was a discussion about adding Flawfinder to PatchWatcher (which went a bit off-topic due to mailman sending out duplicate messages), but there were too many false positives for it to be much use.

sixgill.org

sixgill is a new static code analysis tool that has not yet been used in Wine. Mozilla's static analysis team makes use of it and recommends it in this video.



StaticAnalysis (last edited 2012-01-01 15:24:19 by DanKegel)