From: Tom Smyth
Subject: Re: how accurate or helpful is scan-build-16 in clang-16 in identifying bugs / issues in code at build time ?
To: Janne Johansson, Tom Smyth, OpenBSD Ports
Date: Fri, 30 Aug 2024 22:22:27 +0100

Folks,
thanks for that, I'll keep it in mind.. next thing is to somehow mark reviewed and confirmed false positives as part of the build / release process...
thanks again

On Tue, 27 Aug 2024 at 15:27, Florian Obser wrote:
> On 2024-08-27 15:35 +02, Janne Johansson wrote:
> > On Mon, 26 Aug 2024 at 00:14, Tom Smyth <tom.smyth@wirelessconnect.eu> wrote:
> >> Folks,
> >> I'm just wondering what other porters' experience of scan-build is for the
> >> projects that you are maintaining?
> >> Has it been useful in identifying bugs?... or is the analysis engine
> >> too basic or shallow to properly analyse code?
> >
> > When I run it on "openbsd" code, the things it finds are often super
> > deep, requiring 37 steps and that syscalls or libc calls return 0 when
>
> Yeah, everything that's more than 10 deep is probably BS. Things that
> are 5 or less deep are actionable in my experience.
>
> [...]
>
> > It does find trivial things like
> > http://c66.it.su.se:8080/obsd/2019-10-25/scan-build-2019-10-25-192004-30128-1/report-36d1ed.html#EndPath
>
> I like to look at dead stores, they are either there for symmetry
> reasons or they indicate that something was not quite thought through.
>
> In both cases just removing the dead store and sending a patch is
> wrong. In the first case you are destroying the symmetry and you are
> just creating noise, and in the 2nd case you didn't put in the effort to
> figure out how that whole function could be written better.
>
> I think scan-build can guide someone who has dabbled in C before where
> to look.
>
> scan-build guidance is not always well received.
>
> Story time: I once considered using and contributing to a project, so
> the first step was to run it through scan-build to get a feel for the
> structure of the code and have some ideas where the skeletons are
> buried or where someone was sloppy. So I carefully analysed the reports
> and submitted some patches. They were all happily accepted.
>
> I never mentioned that this came out of scan-build, because it was 99%
> my work anyway. So by patch 10 or 11 I write something like, hey,
> scan-build pointed me at this other thing, it technically can not happen
> because you get lucky all the way over there, but it is a pretty well
> aimed foot gun, and this should be written more defensively over
> here. Patch attached.
>
> Their (only!) response: Yeah, we are not interested in scan-build
> reports.
>
> OK then, good luck to you I guess...
>
> --
> In my defence, I have been left unsupervised.

--
Kindest regards,
Tom Smyth.
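Florian's two kinds of dead store, as an added C example that is not part of the thread and not from any OpenBSD port (every function here is constructed): release_buffer keeps a store scan-build flags but that exists for symmetry, copy_checked_buggy loses an error result by overwriting it, and copy_checked is the same function "written better".

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not code from any OpenBSD port.
 * Case 1: a dead store kept for symmetry. Every cleanup path in this
 * imaginary file clears the pointer after free(); scan-build reports
 * "Value stored to 'buf' is never read" here only because the function
 * returns right after. Deleting just this store breaks the pattern. */
int release_buffer(size_t n)
{
	char *buf = malloc(n);
	if (buf == NULL)
		return -ENOMEM;
	free(buf);
	buf = NULL;	/* dead store, deliberate */
	return 0;
}

/* Helpers for case 2: each step reports failure as a negative errno. */
static int check_source(const char *s)
{
	return s[0] == '\0' ? -EINVAL : 0;
}

static int copy_source(const char *s, char *dst, size_t n)
{
	if (strlen(s) >= n)
		return -ENAMETOOLONG;
	memcpy(dst, s, strlen(s) + 1);
	return 0;
}

/* Case 2: the dead store hides a dropped error (empty source accepted). */
int copy_checked_buggy(const char *src, char *dst, size_t n)
{
	int rc;
	rc = check_source(src);		/* dead store: never read */
	rc = copy_source(src, dst, n);	/* the check's result is lost */
	return rc;
}

/* The function written better: each result is tested before moving on. */
int copy_checked(const char *src, char *dst, size_t n)
{
	int rc = check_source(src);
	if (rc != 0)
		return rc;
	return copy_source(src, dst, n);
}
```

Running scan-build over this file reports both stores; only the second one is worth a patch, and the patch is the rewrite, not the deletion of the line.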