Re: Today's thought

["Halvar Flake" <HalVar () gmx de>]

Hey all,

> There are a lot of companies getting funding right now that do source 
> code analysis, varying from fancy regexp matching on gcc's preprocessor 
> output to real AST generation and inspection. No interfunction value 
> tracking (similar to code coverage in that people underestimate its' 
> usefulness in these scenarios) yet, as far as I know, though.

IIRC Coverity has interfunction value tracking -- if you hook at the AST
layer in GCC, it should not be _that_ hard
to pull off, and I am quite surprised that @stake's product doesn't seem
to do it (as far as I can infer from the examples they showed). Ahwell,
there's going to be v2 soon I assume.

It is very true that pure static analysis will not solve the problem, but
the problem which I see is that many people "soften up" the requirements
for the static part because it is "easier dynamically". Then again, many
people would consider me a religious zealot for static analysis (complete
with detachedness from the real world and weird delusions that are normally
associated with religious zealots :-P)

The fact that most people working on these problems come up with somewhat
similar solutions independently might imply the solution is correct. 

Then again, it is late, I am tired, did not eat much and drank a significant
amount of beer.

Cheers,
halvar

-- 
NEU : GMX Internet.FreeDSL
Ab sofort DSL-Tarif ohne Grundgebühr: http://www.gmx.net/dsl

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave