[[!meta copyright="Copyright © 2010, 2011 Free Software Foundation, Inc."]] [[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable id="license" text="Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled [[GNU Free Documentation License|/fdl]]."]]"""]] In the topic of *code analysis* or *program analysis* ([[!wikipedia Program_analysis_(computer_science) desc="Wikipedia article"]]), there is static code analysis ([[!wikipedia Static_code_analysis desc="Wikipedia article"]]) and dynamic program analysis ([[!wikipedia Dynamic_program_analysis desc="Wikipedia article"]]). This topic overlaps with [[performance analysis|performance]], [[formal_verification]], as well as general [[debugging]]. [[!toc]] # Bounty There is a [[!FF_project 276]][[!tag bounty]] on some of these tasks. # Static * [[GCC]]'s warnings. Yes, really. * GCC plugins can be used for additional semantic analysis. For example, , and search for *kernel context* in the comments. * Have GCC make use of [[RPC]]/[[microkernel/mach/MIG]] *in*/*out* specifiers, and have it emit useful warnings in case these are pointing to uninitialized data (for *in* only). * [Static Source Code Analysis Tools for C](http://spinroot.com/static/) * [[!wikipedia List_of_tools_for_static_code_analysis]] * [Cppcheck](http://sourceforge.net/apps/mediawiki/cppcheck/) For example, [Debian's hurd_20110319-2 package](http://qa.debian.org/daca/cppcheck/sid/hurd_20110319-2.html) (Samuel Thibault, 2011-08-05: *I had a look at those, some are spurious; the realloc issues are for real*). * Coccinelle * * * clang * * Linux' sparse * * * * [Smatch](http://smatch.sourceforge.net/) * [Parfait](http://labs.oracle.com/projects/parfait/) * * [Saturn](http://saturn.stanford.edu/) * [Flawfinder](http://www.dwheeler.com/flawfinder/) * [sixgill](http://sixgill.org/) * [Coverity](http://www.coverity.com/) (nonfree?) # Dynamic * [[community/gsoc/project_ideas/Valgrind]] * * * * * IRC, freenode, #glibc, 2011-09-28 two things you can do -- there is an environment variable (DEBUG_MALLOC_ iirc?) that can be set to 2 to make ptmalloc (glibc's allocator) more forceful and verbose wrt error checking another is to grab a copy of Tor's source tree and copy out OpenBSD's allocator (its a clearly-identifyable file in the tree); LD_PRELOAD it or link it into your app, it is even more aggressive about detecting memory misuse. third, Red hat has a gdb python plugin that can instrument glibc's heap structure. its kinda handy, might help? MALLOC_CHECK_ was the envvar you want, sorry. * Input fuzzying Not a new topic; has been used (and a paper published) for early UNIX tools, I[[I|tschwinge]]RC. * What about some [[RPC]] fuzzying?