After the appearance of the translated article about Static Analysis in GCC 10, and the expected reaction of the representatives of the developer of the commercial static analyzer PVS-Studio who are here, I asked: "Why do the representatives refuse to test their product with such simple examples for static analysis, and aren't they hiding what they are?"

Andrey2008: Yes, it is not interesting to me. Caught / did not catch a synthetic error: this does not say anything about the capabilities of the analyzer.

And how should they run the unit tests of their product, if not with such simple synthetic examples?! Actually, I had to do it myself.

Test number 1. The simplest example of a double-free error
Diagnosed with:

V586 The 'free' function is called twice for deallocation of the same memory space. Inspect the first argument. Check lines: 5, 6. 1_dbl_free.c 6

Passed

Test number 2. longjmp() past free()
An incomprehensible complaint about a constant in malloc, but the error was detected: unreachable code and unused memory.

V118 malloc () function accepts a dangerous expression in the capacity of an argument. 2_longjump.c 13
V779 Unreachable code detected. It is possible that an error is present. 2_longjump.c 15
V799 The 'ptr' variable is not used after memory has been allocated for it. Consider checking the use of this variable. 2_longjump.c 13

Passed

Test number 3. malloc() leaks and fopen() unclosed files
Found:

V118 malloc () function accepts a dangerous expression in the capacity of an argument. 3_fopen.c 7
V773 Visibility scope of the 'f' file handle was exited without closing the file. A resource leak is possible. 3_fopen.c 9
V773 Visibility scope of the 'p' pointer was exited without releasing the memory. A memory leak is possible. 3_fopen.c 9
V799 The 'p' variable is not used after memory has been allocated for it. Consider checking the use of this variable. 3_fopen.c 7

Passed

Test number 4. Use of memory after it has been freed
Bug detected:

V774 The 'n' pointer was used after the memory was released. 4_use_after_free.c 9
V591 Non-void function should return a value. 4_use_after_free.c 11

Passed

Test number 5. Detecting free() of a non-heap pointer
Only warnings unrelated to the error were issued:

V104 Implicit conversion of 'n' to memsize type in an arithmetic expression: sizeof (int) * n 5_free_nonheap.c 11
V799 The 'ptr' variable is not used after memory has been allocated for it. Consider checking the use of this variable. 5_free_nonheap.c 11

Failed

Test number 6. Invalid call inside a signal() handler
Failed

Although this is such a specific diagnostic that I would not reproach it for that.

Next, I went through the list of diagnostics in GCC 10 and added my own examples, so the remaining tests come with source code.

Test number 7. Double closing of a file and releasing a closed FILE *
PVS did not detect these errors. GCC 10 detected the double fclose() but did not detect the free() of a closed handle.

#include <stdio.h>
#include <stdlib.h>

void closefile(FILE* f) {
    fclose(f);
}

void test(const char *filename) {
    FILE *f = fopen(filename, "r");
    void *p = malloc(1024);
    closefile(f);
    fclose(f);   /* second close of the same handle */
    free(p);
    free(f);     /* FILE object handed to free(): it is not heap memory owned by the caller */
}
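As an added example (not code from the article or from either analyzer's test suite), here is a hardened rewrite of the test 7 program: closing and freeing go through helpers that take the address of the pointer and null it, so a repeated close or free becomes a no-op, and the FILE object is never handed to free(). tmpfile() stands in for fopen(filename, "r") so no fixture file is needed.

```c
/* Added example, not from the original article: hardened rewrite of the
 * test 7 program.  Each resource is released exactly once through a helper
 * that clears the caller's pointer, and the FILE object is never passed to
 * free(), because it is owned by the C library, not by the caller. */
#include <stdio.h>
#include <stdlib.h>

/* Close *fp if it is open and set it to NULL.  Returns 1 if fclose() actually
 * ran, 0 if there was nothing to close, so a second call is harmless. */
static int closefile(FILE **fp) {
    if (fp == NULL || *fp == NULL)
        return 0;
    fclose(*fp);
    *fp = NULL;
    return 1;
}

/* Same discipline for heap memory: free(*pp) and clear the alias, which rules
 * out double-free and use-after-free through this pointer. */
static int freeptr(void **pp) {
    if (pp == NULL || *pp == NULL)
        return 0;
    free(*pp);
    *pp = NULL;
    return 1;
}

/* Mirrors the original test(): acquire a file and a buffer, then try to
 * close and free each one twice.  tmpfile() stands in for fopen(filename, "r")
 * so the example runs without a fixture file.  Returns the number of real
 * releases (expected 2: one fclose, one free), or -1 if acquisition failed. */
int hardened_test(void) {
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    void *p = malloc(1024);
    if (p == NULL) {
        closefile(&f);               /* release what was acquired before failing */
        return -1;
    }
    int released = 0;
    released += closefile(&f);       /* 1: the real close, f becomes NULL */
    released += closefile(&f);       /* 0: no-op instead of a double fclose */
    released += freeptr(&p);         /* 1: buffer freed, p becomes NULL */
    released += freeptr(&p);         /* 0: no-op instead of a double free */
    /* the original's free(f) has no counterpart: f is NULL and was never ours to free */
    return released;
}
```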
Failed

Test number 8. longjmp() to an obsolete stack frame
PVS did not notice anything; GCC 10 worked correctly.

#include <setjmp.h>
#include <stdlib.h>

static jmp_buf env;
static int i;

static void inner(void) {
    longjmp(env, 1);   /* jumps to the setjmp() in outer(), whose frame has already returned */
}

static void middle(void) {
    inner();
}

void outer(void) {
    i = setjmp(env);
}

void outer_x2(void) {
    outer();
    if (i == 0)
        middle();
}
Failed

Test number 9. Returning a pointer to a stack variable
Failed by both participants, although in simple cases GCC does detect this, but that is not an -fanalyzer feature (or it may not be implemented there yet).

#include <stdlib.h>

struct str1 {
    char buf[10];
};

struct str1 *ret(int sel)
{
    struct str1 var1, *pval;
    if (sel == 1)
        pval = &var1;              /* address of a local: dangling once ret() returns */
    else if (sel != 1)
        pval = (struct str1 *)malloc(1000);
    return pval;
}
Failed

Test number 10. Tainted-array-index and use-of-uninitialized-value diagnostics
It looks like these are not working in the GCC 10 -fanalyzer yet. PVS catches this, as has been demonstrated many times.

Passed

Conclusion
There is definitely static analysis in PVS-Studio. Although not without some drawbacks, it is worth using, especially since it detects many human errors, and not only those from the field of static analysis.