* Static analysis: Code weaknesses
From: Jeffrey Karrels @ 2012-03-09 18:10 UTC (permalink / raw)
To: xen-devel
Hello All,
I am in the starting stages of research into static code analysis of
Xen (as well as correction/remediation). I noticed a lot of comments
towards code {sonar, surfer}, Coverity, splint, etc in the forums, but
most of the activity was back from the 2006-2008 era. Is anyone active
in this area right now? I don't want to duplicate work and even better
it would be nice to get a group together with a specific common
objective. From a licensing perspective I am not sure how it works yet
as I know some of the commercial tools have very strict contracts on
releasing analysis output. With that said though perhaps others are
using commercial tools already and we could be steered to utilize
similar tools in order to collaborate.
Thoughts?
Jeff
* Re: Static analysis: Code weaknesses
From: Konrad Rzeszutek Wilk @ 2012-03-13 16:47 UTC (permalink / raw)
To: Jeffrey Karrels; +Cc: xen-devel
On Fri, Mar 09, 2012 at 10:10:52AM -0800, Jeffrey Karrels wrote:
> Hello All,
>
> I am in the starting stages of research into static code analysis of
> Xen (as well as correction/remediation). I noticed a lot of comments
> towards code {sonar, surfer}, Coverity, splint, etc in the forums, but
> most of the activity was back from the 2006-2008 era. Is anyone active
> in this area right now? I don't want to duplicate work and even better
> it would be nice to get a group together with a specific common
> objective. From a licensing perspective I am not sure how it works yet
> as I know some of the commercial tools have very strict contracts on
> releasing analysis output. With that said though perhaps others are
> using commercial tools already and we could be steered to utilize
> similar tools in order to collaborate.
Have you looked at smatch and sparse?
>
> Thoughts?
>
> Jeff
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
* Re: Static analysis: Code weaknesses
From: Dario Faggioli @ 2012-03-13 17:03 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk; +Cc: xen-devel, Jeffrey Karrels
On Tue, 2012-03-13 at 12:47 -0400, Konrad Rzeszutek Wilk wrote:
> Have you looked at smatch and sparse?
>
And, perhaps, to Coccinelle (http://coccinelle.lip6.fr/)... I've heard
it does great things (together with Smatch) in Linux. :-)
Regards,
Dario
--
<<This happens because I choose it to happen!>> (Raistlin Majere)
-------------------------------------------------------------------
Dario Faggioli, http://retis.sssup.it/people/faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
PhD Candidate, ReTiS Lab, Scuola Superiore Sant'Anna, Pisa (Italy)
* Re: Static analysis: Code weaknesses
From: Jeffrey Karrels @ 2012-03-14 18:01 UTC (permalink / raw)
To: xen-devel; +Cc: Dario Faggioli, Konrad Rzeszutek Wilk
>> Have you looked at smatch and sparse?
>>
> And, perhaps, to Coccinelle (http://coccinelle.lip6.fr/)... I've heard
> it does great things (together with Smatch) in Linux. :-)
Thanks, I will take a look.
Another question. There was mention of submitting Xen to Coverity a
while back (Pratt 2006). Is there any reason not to submit the source
into that as a project? I would be willing to be the point of contact,
but am I stepping on anyone's toes if I submit it for scanning?
Thanks
Jeff
* Re: Static analysis: Code weaknesses
From: Konrad Rzeszutek Wilk @ 2012-03-14 18:58 UTC (permalink / raw)
To: Jeffrey Karrels; +Cc: xen-devel, Dario Faggioli
On Wed, Mar 14, 2012 at 11:01:08AM -0700, Jeffrey Karrels wrote:
> >> Have you looked at smatch and sparse?
> >>
> > And, perhaps, to Coccinelle (http://coccinelle.lip6.fr/)... I've heard
> > it does great things (together with Smatch) in Linux. :-)
>
> Thanks, I will take a look.
>
> Another question. There was mention of submitting Xen to Coverity a
> while back (Pratt 2006). Is there any reason not to submit the source
I am not sure what is involved in it? Is it free? If you are up for
doing it you are more than welcome to do it.
> into that as a project? I would be willing to be the point of contact,
> but am I stepping on anyone's toes if I submit it for scanning?
>
> Thanks
> Jeff
* Re: Static analysis: Code weaknesses
From: Jeffrey Karrels @ 2012-03-14 19:14 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk; +Cc: xen-devel
> I am not sure what is involved in it? Is it free? If you are up for
> doing it you are more than welcome to do it.
I will check it out. It is free, but I am not sure how much
functionality one gets. We will see.
http://scan.coverity.com/developers-faq.html
* Re: Static analysis: Code weaknesses
From: Jeffrey Karrels @ 2012-03-16 15:44 UTC (permalink / raw)
To: xen-devel
> I will check it out. It is free, but I am not sure how much
> functionality one gets. We will see.
> http://scan.coverity.com/developers-faq.html
To keep track of this topic, the Coverity scanner project will not
accept the GPLv2 license for acceptance to the project because of
Xen's association with Citrix. I will continue to work on our
licensed analyzers and post patches back into the community, it is
just a little harder to collaborate...
"As you may well have read in our Developer FAQ, license is only one of the
criteria that determines eligibility, and the association between Xen and
Citrix is close enough that I think Xen doesn't qualify."
* Re: Static analysis: Code weaknesses
From: Konrad Rzeszutek Wilk @ 2012-03-16 15:51 UTC (permalink / raw)
To: Jeffrey Karrels; +Cc: xen-devel, lars.kurth
On Fri, Mar 16, 2012 at 08:44:16AM -0700, Jeffrey Karrels wrote:
> > I will check it out. It is free, but I am not sure how much
> > functionality one gets. We will see.
> > http://scan.coverity.com/developers-faq.html
>
> To keep track of this topic, the Coverity scanner project will not
> accept the GPLv2 license for acceptance to the project because of
> Xen's association with Citrix. I will continue to work on our
> licensed analyzers and post patches back into the community, it is
> just a little harder to collaborate...
>
> "As you may well have read in our Developer FAQ, license is only one of the
> criteria that determines eligibility, and the association between Xen and
> Citrix is close enough that I think Xen doesn't qualify."
Huh? That really does not compute - as there are developers who are not
Citrix employed - and the sources/trees, etc are all on xenbits.org which
is a non-prof organization I think? CC-ing Lars here as he might know better.
* Re: Static analysis: Code weaknesses
From: Jeffrey Karrels @ 2012-03-16 16:10 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk; +Cc: xen-devel, lars.kurth
> Huh? That really does not compute
Agreed.
* Re: Static analysis: Code weaknesses
From: Jeffrey Karrels @ 2012-09-05 20:13 UTC (permalink / raw)
To: lars.kurth; +Cc: xen-devel
> Huh? That really does not compute - as there are developers who are not
> Citrix employed - and the sources/trees, etc are all on xenbits.org which
> is a non-prof organization I think? CC-ing Lars here as he might know better.
Lars, sorry to revive an ancient thread. Do you have any idea why
Coverity would not accept Xen into its open source program?