Wednesday, 19 October 2016

PHP and more ...

Hi folks,

First of all thanks for the readers of my previous post, I did not expect such high rates, although I am very far to be a top blogger, it is good enough for my level ;-)

So, actually, I did quite a few about PHP, pushed an experimental version of an OpenBSD's pledge wrapper into suhosin. Created two pull requests to php itself, nothing incredible thought, mainly bringing OpenBSD's explicit_bzero on php and using it where it is relevant. This one has more chances to get merged than the other maybe.

Apart of this, I pushed a Go wrapper for the DeviceAtlas enterprise C api few weeks ago so whoever is interested (I know some customers asked for) can have a look.

Still few things ongoing keep you posted as always ;-)

Labels: , , , ,

View David Carlier's profile on LinkedIn

Sunday, 16 October 2016

Static code analysis

Hi folks,

In the software development process, the static code analysis is an important step and I am personally convinced by its utility (although knowing it is a difficult science) even when I contribute to open source projects. Usually I use either the popular clang scan-build command line tool and/or the excellent online solution Scan Coverity. Sometimes cppcheck as well.

But today, I m going to present another set of tools, PVS-Studio from viva64.com which has originally a Windows version with an integration with Visual Studio but appears to have been working on a Linux version as well which I will be focusing with. It works with my main languages C / C++ and in addition with .NET/C#

With the Linux version 6.09.18904, we have the choice between a simple tgz archive, a RedHat family rpm and a Debian family package. I did all my tests under Linux Mint 18 and the GCC suite.

1/ Choice of a project

Let's try with one well known open source project, the PHP programming language, which is basically uses the not less famous trio configure/make/make install ... Thus after setting our preferences via the configure script, we can now use pvs-studio on top of the make build system.

pvs-studio-analyser trace -- make













pvs-studio-analyser analyse -o php.plog -l <path to licence file> -j<number of parallel jobs>













Which produces an output file in the PLOG format which can be converted to xml, task files with the provided plog-converter command line. Fortunately as the process can take a certain time, it is possible to parallelize via the j flag.

2/ Outcomes

The output gotten, here in XML, contains well known useful good practices like about realloc http://www.viva64.com/en/w/V701/






or the return check for strcmp http://www.viva64.com/en/w/V526/


 some rules specific to C++ obviously like implementing the copy constructor but not the assignment operator http://www.viva64.com/en/w/V690/
 or the uselessness of checking null from a raw pointer after a new operator use
http://www.viva64.com/en/w/V668/
 ... and many more, there is a list available here.

PVS-studio was successfully exploited by another user in another open source project I pushed a pull request to recently, Unvanquished

3/ Conclusion

One of the few criticisms I may have is it seems not able to catch resource / memory leaks even very simple cases, whether it is C or C++.  Another proof that using more than one analyser is mandatory.

Maybe a Mac OS version with an integration with Xcode would be a plus in the future, although I perfectly understand the cost of development but ... might be worthy.

Labels: , ,

View David Carlier's profile on LinkedIn