Quote of the week
Machine-generated warnings are a great way of
quickly locating a large amount of questionable code in an otherwise
overwhelming haystack. It doesn't even matter much, which warnings you
look for. Almost all code checkers find the same hotspots.
But there is a catch. If you have an over-eager warning police that "fixes all the warnings", the warnings may be gone, but the very real problems in near vicinity are not. Not to mention new problems introduced by those claimed "fixes". [...] Note one scary consequence: code checkers in the wrong hands are actively harmful.
-- Jörn Engel

Quote of the week
Posted Feb 28, 2008 7:43 UTC (Thu) by jimparis (subscriber, #38647)
From the same thread, a good post on why checkpatch.pl is useful: http://article.gmane.org/gmane.linux.drivers.openib/50253

Quote of the week
Posted Feb 28, 2008 7:43 UTC (Thu) by jimparis (subscriber, #38647)
Hmmmm... and now I see the whole thread is summarized and this post is mentioned in the next LWN article. That's what I get for reading things in order!

Quote of the week
Posted Feb 28, 2008 13:22 UTC (Thu) by davecb (subscriber, #1574)
This is one of the reasons that I and my colleagues like semi-automated error/portability analyses with a human in the loop to provide judgement. The process and the tool are described, in the context of porting, at <self-aggrandizing plug> http://datacenterworks.com/stories/port.html </self-aggrandizing plug>
--dave

Quote of the week
Posted Feb 29, 2008 14:19 UTC (Fri) by vonbrand (subscriber, #4458)
Very nice tools! I'll dig into them later.

Quote of the week
Posted Feb 29, 2008 14:58 UTC (Fri) by davecb (subscriber, #1574)
I'm also reachable as davecb@spamcop.net or @datacenterworks.com

Quote of the week
Posted Mar 2, 2008 11:00 UTC (Sun) by joern (subscriber, #22392)
What caught my eye in the first couple of lines was this: "fixing compiler error messages". Which is an excellent description of the actively harmful behaviour my quote was about. "Fixing" compiler warnings gives your brain the same quick high that a heroin fix will - and is just as useful.

There simply is no fix for a compiler warning. _Code_ may be buggy or have poor style. Code can be fixed. Compiler warnings are just that: warnings. They may be valid, they may be invalid and they may point to something much more interesting in near vicinity. But the strange idea that warnings can be fixed in any shape or form is plain wrong. And mechanically going through the compiler output, randomly changing code until miraculously all warnings disappear is far too common a mispractice to treat it with lenience.

DO NOT FIX WARNINGS! Fix code.

A fool with a tool
Posted Feb 28, 2008 16:56 UTC (Thu) by dwheeler (subscriber, #1216)
For a specific example, see the example of RealNetworks' use of flawfinder. Flawfinder correctly pointed out some vulnerabilities, but instead of fixing them they inserted comment directives to hide the warning.
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.