Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 25 Apr 2014 11:50:56 -0600
From:      Chad Perrin <code@apotheon.net>
To:        freebsd-security@freebsd.org
Subject:   Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Message-ID:  <20140425175056.GA8508@glaze.hydra>
In-Reply-To: <86zjj9mivi.fsf@nine.des.no>
References:  <DC2F9726-881B-4D42-879F-61377CA0210D@mac.com> <8783.1398202137@server1.tristatelogic.com> <20140423003400.GA8271@glaze.hydra> <20140423010054.2891E143D098@rock.dv.isc.org> <20140423012206.GB8271@glaze.hydra> <86bnvpoav7.fsf@nine.des.no> <CAG5KPzyTCTbe_vTcP8HDa_KU0agNZQjzVmQ4XnZZjgGFEVnyaQ@mail.gmail.com> <86zjj9mivi.fsf@nine.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Fri, Apr 25, 2014 at 07:14:25PM +0200, Dag-Erling Smørgrav wrote:
> Ben Laurie <benl@freebsd.org> writes:
> > Dag-Erling Smørgrav <des@des.no> writes:
> > > https://en.wikipedia.org/wiki/Halting_problem
> > Curious what the halting problem can tell us about finding/fixing bugs?
> 
> Some participants in this thread claim that there is no such thing as a
> false positive from a static analyzer.  A corollary of the halting
> problem is that it is impossible to write a program capable to proving
> or disproving the correctness of all programs.  Hence, static analysis
> must perforce produce both false positive and false negative results.
> The purpose of static analysis in a compiler is to identify possible
> optimizations; therefore it must be conservative, because a false
> negative may result in incorrect code; therefore it will produce many
> false positives.

While I'm letting myself get embroiled in this, I have a question:

Do you claim that the Clang static analyzer is essentially worthless for
finding and fixing security-related bugs because it is more trouble to
make use of its output than its output is worth, or does it only *seem*
like that is your claim?

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140425175056.GA8508>