Secure Coding mailing list archives

Compilers


From: dwheeler at ida.org (David A. Wheeler)
Date: Thu, 28 Dec 2006 13:56:57 -0500

I _strongly_ encourage development with "maximal" warnings turned on.
However, this does have some side-effects because many compilers
give excessive spurious warnings.  It's especially difficult to
do with pre-existing code (the effort can be herculean).

An interesting discussion about warning problems in the Linux kernel
can be found here:
http://lwn.net/Articles/207030/

Ideally compiler writers should treat spurious warnings as serious bugs,
or people will quickly learn to ignore all warnings.
The challenge is that it can be difficult to determine what is
"spurious" without also making the warning not report what it SHOULD
report.  It's a classic false positive vs. false negative problem
for all static tools, made especially hard in languages where
there isn't a lot of information to work with.

--- David A. Wheeler



