Git's static analysis

Git's static analysis

[Pieter de Bie]

Hi all,

I played around a bit with the 'Clang' static analyser, and tried to run git's
source code through it. It comes up with a few possible errors, so I thought
you might find it interesting. I took a quick glance, and it also seems to
have a few false positives, but it might still be worth to take a look.

The results can be found here:

	http://frim.frim.nl/git-analyse/

- Pieter

Re: Git's static analysis

[Junio C Hamano]

Pieter de Bie <pdebie@ai.rug.nl> writes:

> I played around a bit with the 'Clang' static analyser, and tried to run git's
> source code through it. It comes up with a few possible errors, so I thought
> you might find it interesting. I took a quick glance, and it also seems to
> have a few false positives, but it might still be worth to take a look.
>
> The results can be found here:
>
> 	http://frim.frim.nl/git-analyse/

Hmm, I took a quick look at a few, and they looked nonsense, but perhaps I
am misreading things.

For example:

    http://frim.frim.nl/git-analyse/report-uxXiUR.html#EndPath

I am assuming that we follow the control flow of the labelled comments, so
I followed along from [1] to [7] and then saw these:

    [8] loop condition is false, execution continues on line 1492
    1483:   for (i = 0; i < array->nr; i++) {
                ...
            }

    [9] taking false branch
    1492:   if (array->nr <= i)
                return NULL;

    [10] dereference of null pointer.
    1495:   c->object.flags |= ...

The thing is, if [8] exits, "i < array->nr" is not true anymore, and there
is no way you can take false branch of  "if (array->nr <= i)" in the
immediately next step [9]. and reach point [10].

So it is either that the tool does not know how "for" and "if" statement
works in C language, or I am completely misunderstanding what the in-line
comments are trying to tell me.

Re: Git's static analysis

[Robin Rosenberg]

fredag 06 februari 2009 02:19:15 skrev Junio C Hamano:
> Pieter de Bie <pdebie@ai.rug.nl> writes:
> 
> > I played around a bit with the 'Clang' static analyser, and tried to run git's
> > source code through it. It comes up with a few possible errors, so I thought
> > you might find it interesting. I took a quick glance, and it also seems to
> > have a few false positives, but it might still be worth to take a look.
> >
> > The results can be found here:
> >
> > 	http://frim.frim.nl/git-analyse/
> 
> Hmm, I took a quick look at a few, and they looked nonsense, but perhaps I
> am misreading things.
> 
> For example:
> 
>     http://frim.frim.nl/git-analyse/report-uxXiUR.html#EndPath
> 
> I am assuming that we follow the control flow of the labelled comments, so
> I followed along from [1] to [7] and then saw these:
> 
>     [8] loop condition is false, execution continues on line 1492
>     1483:   for (i = 0; i < array->nr; i++) {
>                 ...
>             }
> 
>     [9] taking false branch
>     1492:   if (array->nr <= i)
>                 return NULL;
> 
>     [10] dereference of null pointer.
>     1495:   c->object.flags |= ...

> 
> The thing is, if [8] exits, "i < array->nr" is not true anymore, and there
> is no way you can take false branch of  "if (array->nr <= i)" in the
> immediately next step [9]. and reach point [10].

The code assumes can c become null in the loop [if (!c) continue]. If that
is the last iteration it comes out of the loop with c == NULL and array->nr >=i,
thus not returning. 

I have to dig through history until may 2008 to find this version of this code  so
the analysis seems a bit obsolete. The loop was rewritten in 4603ec0f960e.

-- robin