Discussion:
[chromium-dev] Current state of Static Analysis and Clang related issues
s***@ncsu.edu
2018-10-29 19:04:48 UTC
Permalink
I see from the webpage
<https://chromium.googlesource.com/chromium/src/+/master/docs/clang_static_analyzer.md> that
one can use Clang static analyzer locally while building chromium code.

Is there any metabug sort of thing that lists all the (or atleast some)
Clang static analyzer found isseus? The bugs listed (crbug.com/686838,
crbug.com/686829) in this discussion
<https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/IjTujTTCAqA> are
not maintained anymore.

Also, do I need to manually run the static analyzer locally? or I can go up
to some website to see the reports of a recent run by the analyzer?

I'm looking at how projects like chromium use static analyzers and what's
the rate and impact of False Positives reported by these analyzers.

Any useful link (i.e. list of bugs found by clang, clang build results)
would be very much helpful for me.
--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b1de4902-df1c-4a68-b876-608afaa14130%40chromium.org.
Nico Weber
2018-10-30 18:28:10 UTC
Permalink
Someone set up an FYI bot that ran the analyzer a few years ago, but nobody
really ever looked at the output. False positive rate back then was very
high. I hear the analyzer does better on C++ nowadays; I'm not sure anyone
has used it recently. You'd have to run it locally and manually for now.
Let us know how it goes!
Post by s***@ncsu.edu
I see from the webpage
<https://chromium.googlesource.com/chromium/src/+/master/docs/clang_static_analyzer.md> that
one can use Clang static analyzer locally while building chromium code.
Is there any metabug sort of thing that lists all the (or atleast some)
Clang static analyzer found isseus? The bugs listed (crbug.com/686838,
crbug.com/686829) in this discussion
<https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/IjTujTTCAqA> are
not maintained anymore.
Also, do I need to manually run the static analyzer locally? or I can go
up to some website to see the reports of a recent run by the analyzer?
I'm looking at how projects like chromium use static analyzers and what's
the rate and impact of False Positives reported by these analyzers.
Any useful link (i.e. list of bugs found by clang, clang build results)
would be very much helpful for me.
--
--
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups
"Chromium-dev" group.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b1de4902-df1c-4a68-b876-608afaa14130%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b1de4902-df1c-4a68-b876-608afaa14130%40chromium.org?utm_medium=email&utm_source=footer>
.
--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAMGbLiEfMQ9z_wR9oEjeWfqzgDRwdvgAPmZ6BPDscJe0uZZcvA%40mail.gmail.com.
Adam Rice
2018-10-31 08:26:23 UTC
Permalink
Need to remove '-analyzer-eagerly-assume' flag
from clang_static_analyzer_wrapper.py to make it work. Output seems to be
mostly false positives. I did find one potential issue:
https://bugs.chromium.org/p/chromium/issues/detail?id=900505.
Post by Nico Weber
Someone set up an FYI bot that ran the analyzer a few years ago, but
nobody really ever looked at the output. False positive rate back then was
very high. I hear the analyzer does better on C++ nowadays; I'm not sure
anyone has used it recently. You'd have to run it locally and manually for
now. Let us know how it goes!
Post by s***@ncsu.edu
I see from the webpage
<https://chromium.googlesource.com/chromium/src/+/master/docs/clang_static_analyzer.md> that
one can use Clang static analyzer locally while building chromium code.
Is there any metabug sort of thing that lists all the (or atleast some)
Clang static analyzer found isseus? The bugs listed (crbug.com/686838,
crbug.com/686829) in this discussion
<https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/IjTujTTCAqA> are
not maintained anymore.
Also, do I need to manually run the static analyzer locally? or I can go
up to some website to see the reports of a recent run by the analyzer?
I'm looking at how projects like chromium use static analyzers and what's
the rate and impact of False Positives reported by these analyzers.
Any useful link (i.e. list of bugs found by clang, clang build results)
would be very much helpful for me.
--
--
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups
"Chromium-dev" group.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b1de4902-df1c-4a68-b876-608afaa14130%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b1de4902-df1c-4a68-b876-608afaa14130%40chromium.org?utm_medium=email&utm_source=footer>
.
--
--
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups
"Chromium-dev" group.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAMGbLiEfMQ9z_wR9oEjeWfqzgDRwdvgAPmZ6BPDscJe0uZZcvA%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAMGbLiEfMQ9z_wR9oEjeWfqzgDRwdvgAPmZ6BPDscJe0uZZcvA%40mail.gmail.com?utm_medium=email&utm_source=footer>
.
--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAC_ixdyvpcvUQ816CngGx1R6FiZ4MhW_%2B%2BOWgkA%2Bdb%3DDdJpmxA%40mail.gmail.com.
s***@ncsu.edu
2018-11-05 18:47:52 UTC
Permalink
In that case, is there any other static analyzer in use for Chromium
currently?
Post by Nico Weber
Someone set up an FYI bot that ran the analyzer a few years ago, but
nobody really ever looked at the output. False positive rate back then was
very high. I hear the analyzer does better on C++ nowadays; I'm not sure
anyone has used it recently. You'd have to run it locally and manually for
now. Let us know how it goes!
Post by s***@ncsu.edu
I see from the webpage
<https://chromium.googlesource.com/chromium/src/+/master/docs/clang_static_analyzer.md> that
one can use Clang static analyzer locally while building chromium code.
Is there any metabug sort of thing that lists all the (or atleast some)
Clang static analyzer found isseus? The bugs listed (crbug.com/686838,
crbug.com/686829) in this discussion
<https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/IjTujTTCAqA> are
not maintained anymore.
Also, do I need to manually run the static analyzer locally? or I can go
up to some website to see the reports of a recent run by the analyzer?
I'm looking at how projects like chromium use static analyzers and what's
the rate and impact of False Positives reported by these analyzers.
Any useful link (i.e. list of bugs found by clang, clang build results)
would be very much helpful for me.
--
--
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups
"Chromium-dev" group.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b1de4902-df1c-4a68-b876-608afaa14130%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b1de4902-df1c-4a68-b876-608afaa14130%40chromium.org?utm_medium=email&utm_source=footer>
.
--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/213718cb-e286-4d00-98ed-d72978165494%40chromium.org.
Nasif Imtiaz
2018-11-05 20:15:40 UTC
Permalink
Also, does anyone have any useful link to that FYI bot that ran Clang (or
any other static analyzer)?
It'd also be useful if anycone can refer me some material that explains how
to integrate such a bot to chromium build phase and where do they fit in
the overall chromium development workflow!
Post by s***@ncsu.edu
In that case, is there any other static analyzer in use for Chromium
currently?
Post by Nico Weber
Someone set up an FYI bot that ran the analyzer a few years ago, but
nobody really ever looked at the output. False positive rate back then was
very high. I hear the analyzer does better on C++ nowadays; I'm not sure
anyone has used it recently. You'd have to run it locally and manually for
now. Let us know how it goes!
Post by s***@ncsu.edu
I see from the webpage
<https://chromium.googlesource.com/chromium/src/+/master/docs/clang_static_analyzer.md> that
one can use Clang static analyzer locally while building chromium code.
Is there any metabug sort of thing that lists all the (or atleast some)
Clang static analyzer found isseus? The bugs listed (crbug.com/686838,
crbug.com/686829) in this discussion
<https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/IjTujTTCAqA> are
not maintained anymore.
Also, do I need to manually run the static analyzer locally? or I can go
up to some website to see the reports of a recent run by the analyzer?
I'm looking at how projects like chromium use static analyzers and
what's the rate and impact of False Positives reported by these analyzers.
Any useful link (i.e. list of bugs found by clang, clang build results)
would be very much helpful for me.
--
--
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google
Groups "Chromium-dev" group.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b1de4902-df1c-4a68-b876-608afaa14130%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b1de4902-df1c-4a68-b876-608afaa14130%40chromium.org?utm_medium=email&utm_source=footer>
.
--
Good Day,

Nasif
--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAH%2Bdhm%3Dfr8fJ6MBQQVY2UrPWW-DK8DbEdDkN6GhmR%3D17eg9_2Q%40mail.gmail.com.
Loading...